Alert Deduplication Rules
Reduce alert noise by grouping similar alerts together
Last updated
Was this helpful?
Reduce alert noise by grouping similar alerts together
Last updated
Was this helpful?
Alert Deduplication can help you reduce alert noise by organizing and grouping alerts. This also provides easy access to similar alerts when needed.
This can be achieved by defining Deduplication Rules for each Service in Squadcast. When these rules evaluate true for an incoming incident, alerts will get deduplicated.
The User Role associated with the user in the Team must have required permissions to manage Services (ability to manage Deduplication Rules).
Integrate with an Alert Source and ensure that the Alert Source has started sending alerts to Squadcast before setting up Deduplication Rules.
Important:
Deduplication Rules work only on incidents in either the Triggered or Acknowledged states.
Automation rule CRUD operations have a 5-minute caching delay before changes take effect.
To create a Deduplication Rule:
Navigate to Services -> Service Overview -> select or search for your desired service.
In the extreme right, expand the accordion -> In Automation section, View All
In the Automation Rules section, Add Deduplication Rules
Select an Alert Source from the drop down -> Add New Rule
Deduplication Rules can be added in two ways:
On the right, you can view the payload of the latest alert for the chosen Alert Source
The drop-downs in the Rule Builder contain values from the payload on the right. You can use them to easily create your Deduplication Rules
You can create Deduplication Rules using the following conditions:
==
if the payload value is equal to the given value
!=
if the payload value is not equal to the given value
matches/contains
if the payload value matches (or contains) the given value
does not contain
if the payload value does not contain the given value
Note: All these operators are case-sensitive. If you want to make the rules case insensitive, then you have to do it with the regular expression method.
3. You can add more than 1 condition for a rule by selecting Add Condition (a logical AND is performed between all the conditions -> the entire Deduplication Rule will evaluate to True
only if all the conditions evaluate to True
)
Next, choose the Deduplication Time Window. You can deduplicate incidents for a maximum of 48 hours.
4. Click on Save
Important
Once you opt for the Raw String method, you cannot revert to the UI-based Rule Builder method for that rule.
On the right, you can view the payload of the latest alert for the chosen Alert Source
Click on Edit to enable the Raw String method
3. Write your custom Deduplication Rule expression. Below are some examples to help you get started:
The rule engine supports expressions with parameters, arithmetic, logical, and string operations.
The available parameters are past
, current
and event_count
+ past
: This parameter contains the JSON payload of the previous incident which the current event is compared with + current
: This parameter contains the JSON payload of the incoming event which will be compared with the past incidents’ JSON payload + event_count
: This denotes the number of deduplicated events for a given incident
This can be used to check if a particular JSON payload field matches a regular expression.
jsonPath
jsonPath(<the JSON string that should be parsed for JSON content>, <"the parameter that needs to be picked from the parsed JSON object">)
Example
Below is an example payload:
This will pick out the value AlarmName
from the Message object in the payload, based on which, you can de-duplicate incidents.
Example
Below is an example payload for demonstration:
To deduplicate any incoming alert when:
The metric
matches the regular expression ^disk.*
The past
incident metric
and the current
event metric
are the same
The past
incident host
and the current
event host
are the same
The current
disk usage value
is less than 60%
The context
value tag is same
The number indicates how many alerts were deduplicated against this incident.
Number of deduplicated events
Time when they reached Squadcast
Message and Payload of the event
Clicking on any of the deduplicated events will display will all the information that is sent for that alert from the monitoring tool, including the Deduplication Reason (which Deduplication Rule got executed).
1. Will I get notified of the duplicate alerts that come in for an incident in a Triggered state?
No, nobody is notified of the duplicate alerts that come in for an incident in the Triggered
or Acknowledged
state.
2. Will I get notified of the duplicate alerts that come in for an incident in the Resolved state?
Yes, Incident Deduplication will not take place for an incident when it is in the Resolved
state. Squadcast triggers a fresh incident for such an alert and notifies the right people.
3. Why can’t I deduplicate incidents for more than 48 hours?
Most organizations across the world follow the best practice of resolving critical incidents within 48 hours of their creation. This is also the reason why Squadcast allows you to deduplicate incidents for a maximum of 48 hours.
4. Can I create OR rules?
Yes, you can. The evaluation between different Deduplication Rules is OR
.
5. What kind of regex can be used to write custom rules?
6. Do the Deduplication Rules have priority?
Yes, you can specify Execution Rule Priority for the rules defined by moving them Up
or Down
the list of rules.
7. While adding a Deduplication Rule, is the search string in the rule case sensitive?
Yes, that is correct. For example, if your search string is “ALERT” and your payload does not contain “ALERT” but contains “Alert”, this will not be matched. Your search string should be “Alert”.
8. I have configured multiple rules for a particular Service. Can I search through the configured rules to find the rule I am looking for?
Yes, that is doable. You will notice a Search option on the left-top of the rules modal. You can type in a word you recall from the rule description or the rule itself. Any matching results will yield the narrowed-down set of rules.
From the page, you can view which incidents have deduplicated events when there is a +<number> next to the Incident ID like in the screenshot below.
Clicking on such an incident will take you to its page where, by clicking on Deduped Events, you will be able to see the following:
The rule engine supports expressions with parameters, arithmetic, logical, and string operations. You can also check out to get an idea of all the expression types accepted in Squadcast. Please do your regex against Golang
flavor as shown in the screenshot below and then, set them up in Squadcast:
Have any questions? .