Alert Suppression

Avoid alert fatigue by setting up suppression rules

Alert suppression can help you avoid alert fatigue by suppressing notifications for non-actionable alerts.

Squadcast will suppress the incidents that match any Suppression rules you create. These incidents will go into Suppressed state and you won’t get any notifications for them.

These are useful in situations where you’d like to view your all your informational alerts in Squadcast but don’t want to be notified for them.

Creating a Suppression rule

For each service, you can define your suppression rules.

You can set this up by going to your Squadcast account

  • Go to the relevant service
  • Click on the options dropdown
  • Choose “Suppression Rules”

  • Choose Alert Source from the Dropdown

  • Click on Add new rule to start configuring a rule

By default, when a new rule is being created, a user is prompted to use the drop-down blocks for convenience. As you build the expression from these drop-downs, you can also see the corresponding suppression expression raw string being auto-added for the same.

The drop-down blocks are beginner friendly for sure, but they aren’t as flexible as raw string method. If you want more flexibility while building your expressions, you may opt anytime to switch to use the raw string mode by clicking the edit button as shown.

You can add as many Suppression Rules as you want for a service.

Syntax for Writing Rules (For Raw String method)

The rule engine supports expressions with parameters, arithmetic, logical, and string operations. You can also check out this link to get an idea of all the expression types accepted in Squadcast.

  • Basic expression: 10 > 0, 1+2, 100/3
  • Parameterized expression: payload.metric == "disk" The available parameters are payload, incident_details, source
    • payload : This parameter contains the JSON payload of an incident which will be the same as the JSON payload format for the future events for a particular alert source.
    • incident_details: This contains the content of message and description of the incoming event.
    • source: This denotes the associated alert source for the current / incoming event.
  • Regular expression: re(payload.metric, "disk.*")
  • Parsing JSON content: jsonPath(payload.message, "a.b.c") This can be used to parse JSON formatted strings and get the jsonPath from the resulting JSON object.

Example

For a sample content shown in the right panel of the configuration space

{
  "payload": {
    "issue_description": "bug - 2",
    "issue_id": "10029",
    "issue_key": "HYD-30",
    "issue_labels": [],
    "issue_link": "http://13.233.254.18:8080/browse/HYD/issues/HYD-30",
    "issue_priority": "Medium",
    "issue_summary": "bug - 2",
    "issue_type": "Bug",
    "project_id": "10000",
    "project_key": "HYD",
    "project_name": "hydra"
  },
  "incident_details": {
    "message": "[Bug] bug - 2"
    "description": "+ Project: HYDRA \n+Issue Type: Bug ..."
  },
  "source": "jira-plugin"
}

Suppress any incoming alert if,

  • The incident message contains: [Bug]
  • The alert source is jira-plugin Rule re(payload.incident_details.message, "[Bug]") && source == "jira-plugin"

Viewing Suppressed Alerts

You can view Suppressed incidents on the Incident List page by clicking on All Incidents and choosing Suppressed as highlighted in the screenshot below.