Squadcast Support

De-duplication Rules

Reduce alert noise by grouping similar alerts together

Alert de-duplication can help you reduce alert noise by organising and grouping relevant alerts. This also provides easy access to similar alerts when needed.

For each service, you can define your rule for de-duplication.

You can set this up by going to app.squadcast.com.

  • Go to the relevant service
  • Click on the options dropdown
  • Choose De-duplication rules

Enter your de-duplication rule expression in the "Deduplication rule" field and select the time window for which the rule holds true. You can also select the maximum allowable time window, which is 48 hours.

The rules are checked against all incidents that fall within the configured time window.

You can add as many rules as you need by selecting the "Add rule" button below. When several rules are listed, de-duplication is applied by the first rule in the list that matches.

The count of events deduplicated against an incident will be shown in the incident dashboard and the incident details page.

Syntax for Writing Rules

The rule engine supports expressions with parameters, arithmetic, logical, and string operations.

  • Basic expression: 10 > 0, 1+2, 100/3
  • Parameterized expression: past.metric == current.metric
    The available parameters are past, current, event_count
    • past : This parameter contains the JSON payload of the previous incident which the current event is compared with.
    • current : This parameter contains the JSON payload of the incoming event which will be compared with the past incidents' JSON payload.
    • event_count : This denotes the number of deduplicated events for a given incident
  • Regular expression: re(past.metric, "disk.*")
    This can be used to check if a particular JSON payload field matches a regular expression.
  • Parsing JSON content: jsonPath(payload.message, "a.b.c")
    This can be used to parse a JSON-formatted string and read the value at the given path in the resulting JSON object.

Use Case for event_count

This can be used in scenarios where you don't want to deduplicate more than n events to a particular incident.



Assuming the JSON payload format is the same for the current event and the past incident, you can write a rule based on the reference past payload shown in the configuration space.

For example, take the following sample content shown in the right panel of the configuration space:

    {
        "event_count" : 5,
        "past" : {
            "metric" : "disk usage",
            "value" : 34,
            "host" : "sq-172-16-12-11",
            "alerting" : true,
            "tags" :  "{\"state\":\"alerting\", \"context\": {\"value\":\"disk_monitor\", \"metric\":34}}"
        }
    }

Use Case

For any incoming alert, de-duplicate it if all of the following hold:

  • The metric matches the regular expression ^disk.*
  • The past incident metric and the current event metric are the same
  • The past incident host and the current event host are the same
  • The current disk usage value is less than 60%
  • The context value tag is the same

The corresponding rule is:

    (past.metric == current.metric) && re(current.metric, "^disk.*") && (past.host == current.host) && (current.value < 60) && jsonPath(past.tags, "context.value") == jsonPath(current.tags, "context.value")
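To check which incoming events a rule like the one above would merge before saving it, the following added example (not Squadcast's code or its rule engine) models the rule in Python and runs it against the sample past payload and a few constructed current events. The helper names, the `max_events` cap, the search-style regex matching and the handling of unparseable `tags` strings are assumptions of this model.

```python
import json
import re

def re_match(value, pattern):
    # Model of re(field, pattern); search semantics are an assumption.
    return isinstance(value, str) and re.search(pattern, value) is not None

def json_path(raw, path):
    # Model of jsonPath(field, "a.b.c"): parse a JSON string, walk dotted keys.
    # Returns None for invalid JSON or a missing key (assumed behaviour).
    try:
        node = json.loads(raw)
    except (TypeError, ValueError):
        return None
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def should_dedup(past, current, event_count, max_events=None):
    # The use-case rule, clause by clause. max_events is a hypothetical cap
    # built on event_count; it is not part of the rule on the page.
    ctx_past = json_path(past.get("tags"), "context.value")
    ctx_cur = json_path(current.get("tags"), "context.value")
    value = current.get("value")
    return (
        past.get("metric") == current.get("metric")
        and re_match(current.get("metric"), r"^disk.*")
        and past.get("host") == current.get("host")
        and isinstance(value, (int, float)) and value < 60
        # Fail closed: two unparseable tag strings must not count as equal.
        and ctx_past is not None and ctx_past == ctx_cur
        and (max_events is None or event_count < max_events)
    )

# Past payload copied from the sample; the current events are constructed.
PAST = {
    "metric": "disk usage", "value": 34, "host": "sq-172-16-12-11",
    "alerting": True,
    "tags": '{"state":"alerting", "context": {"value":"disk_monitor", "metric":34}}',
}
CASES = {
    "same alert": dict(PAST, value=41),
    "other host": dict(PAST, host="sq-host-constructed"),
    "value too high": dict(PAST, value=75),
    "malformed tags": dict(PAST, tags="not json"),
}
RESULTS = {name: should_dedup(PAST, cur, 5) for name, cur in CASES.items()}
print(RESULTS)
```

Only the "same alert" case is merged. An overly broad rule hides distinct alerts inside one incident, so run any candidate rule against events that must stay separate as well as those that should merge.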

Updated 3 months ago
