Alert de-duplication can help you reduce alert noise by organising and grouping relevant alerts. This also provides easy access to similar alerts when needed.

For each service, you can define your rule for de-duplication.

You can set this up by going to app.squadcast.com.

• Go to the relevant service
• Click on the options dropdown
• Choose De-duplication rules

You can add your de-duplication rule expression in the field "Deduplication rule", select a time window for which the rule holds true. You could also choose to select the option of the maximum time window allowable, which is 48 hours.

The rules will be checked against all the incidents based on the time window set in place.

You can add as many rules by selecting the "Add rule" button below. The deduplication will be true for the first rule that matches in the list of rules added by you.

The count of events deduplicated against an incident will be shown in the incident dashboard and the incident details page.

The rule engine supports expressions with parameters, arithmetic, logical, and string operations.

• Basic expression: 10 > 0, 1+2, 100/3
• Parameterized expression: past.metric == current.metric
  The available parameters are past, current, event_count
  • past : This parameter contains the JSON payload of the previous incident which the current event is compared with.
  • current : This parameter contains the JSON payload of the incoming event which will be compared with the past incidents' JSON payload.
  • event_count : This denotes the number of deduplicated events for a given incident
• Regular expression: re(past.metric, "disk.*")
  This can be used to check if a particular JSON payload field matches a regular expression.
  • Parsing JSON content: jsonPath(payload.message, "a.b.c")
    This can be used to parse JSON formatted strings and get the jsonPath from the resulting JSON object

For a sample content shown in the right panel of the configuration space

{
    "event_count" : 5,
    "past" : {
        "metric" : "disk usage",
        "value" : 34,
        "host" : "sq-172-16-12-11",
        "alerting" : true,
        "tags" :  "{\"state\":\"alerting\", \"context\": {\"value\":\"disk_monitor\", \"metric\":34}}"
    }
}

Use Case
For any incoming alert, if

• The metric matches the regular expression ^disk.*
• The past incident metric and the current event metric are the same
• The past incident host and the current event host are the same
• The current disk usage value is less than 60%
• The context value tag is same

Rule
(past.metric == current.metric) && re(current.metric, "^disk.*") && (past.host == current.host) && (current.value < 60) && jsonPath(past.tags, "context.value") == jsonPath(current.tags, "context.value")