# Alert Deduplication Rules {% embed url="" %} Alert Deduplication can help you reduce alert noise by organizing and grouping alerts. This also provides easy access to similar alerts when needed. This can be achieved by defining Deduplication Rules for each Service in Squadcast. When these rules evaluate *true* for an incoming incident, alerts will get deduplicated. ## Prerequisites * The User Role associated with the user in the Team must have required permissions to manage Services (ability to manage Deduplication Rules). * Integrate with an Alert Source and ensure that the Alert Source has started sending alerts to Squadcast before setting up Deduplication Rules. {% hint style="info" %} **Note:** The Key-Based Deduplication (Dedupe Keys) feature is available across all subscription plans. Regarding Deduplication Rules Feature: **For Existing Accounts:** * No changes will be applied, and the current settings will remain in effect. **For New Sign-ups (Post Deduplication Keys Release - Aug 21, 2023):** * Deduplication Rules will only be accessible for enterprise accounts. Other subscription plans will not have access to Deduplication Rules. \ This clarification aims to ensure a better understanding of the deduplication framework and its application across different account scenarios. {% endhint %} {% hint style="warning" %} **Important:** * Deduplication Rules work only on incidents in either the **Triggered** or **Acknowledged** states. * Automation rule CRUD operations have a 5-minute caching delay before changes take effect. {% endhint %} ## **Create a Deduplication Rule** To create a Deduplication Rule: 1. Navigate to **Services** -> **Service Overview** -> select or search for your desired service. 2. In the extreme right, expand the accordion -> In **Automation** section, **View All** 3. In the **Automation Rules** section, **Add Deduplication Rules** 4. Select an **Alert Source** from the drop down -> **Add New Rule** 5. Deduplication Rules can be added in two ways: ### A. UI-based Rule Builder (Beginner-friendly) 1. On the right, you can view the *payload of the **latest** alert* for the chosen Alert Source 2. The drop-downs in the Rule Builder contain values from the payload on the right. You can use them to easily create your Deduplication Rules You can create Deduplication Rules using the following conditions: | Operators | Condition | | ---------------- | ---------------------------------------------------------------- | | == | if the payload value is equal to the given value | | != | if the payload value is not equal to the given value | | matches/contains | if the payload value matches (***or** contains*) the given value | | does not contain | if the payload value does not contain the given value | {% hint style="warning" %} **Note**: All these operators are case-sensitive.\ \ If you want to make the rules *case insensitive*, then you have to do it with the regular expression method. {% endhint %}
Alert Deduplication based on time in Squadcast
3\. You can add more than 1 condition for a rule by selecting **Add Condition** (a logical AND is performed between all the conditions -> the entire Deduplication Rule will evaluate to `True` only if all the conditions evaluate to `True`) Next, choose the **Deduplication Time Window**. You can deduplicate incidents for a **maximum of 48 hours**. {% hint style="info" %} **Time Window** During the set time window, incidents that occur are compared against all incidents that come in during that time period, and will then get deduplicated against the first incident that it matches with. {% endhint %} 4\. Click on **Save**
Add alert deduplication based on time in Squadcast
{% hint style="info" %} **Note**: The search option under payload is not a free search, we have to search by JSON format, for example, type in payload.annotations to get annotations. \ We also have an option for click-to search, wherein you can click on the keys in the payload to get their required values. {% endhint %} ### B. Raw String Method {% hint style="warning" %} **Important** Once you opt for the **Raw String method**, you cannot revert to the **UI-based Rule Builder** method for that rule. {% endhint %} 1. On the right, you can view the payload of the latest alert for the chosen Alert Source 2. Click on **Edit** to enable the Raw String method
deduplication rule in Squadcast using raw string method
3\. Write your custom Deduplication Rule expression. Below are some examples to help you get started: {% hint style="info" %} **How to make rules *****case-insensitive*****?**\\ 1. Click **Edit** -> **Proceed** 2. You will see the rule in the regular expression. Now you need to add the command lc (lower\_case) before the individual parameters **Here is an example**: `re(payload["subscription"]["type"], "Subscription")` The rule says if the payload\["subscription"]\["type"]contains the string "Subscription" in it then do some actions. If you want to make the above rule case insensitive, you have to add the command lc before the individual parameters. The case insensitive rule would look like this, `re(lc(payload["subscription"]["type"]), lc("Subscription")) or` `re(lc(payload["subscription"]["type"]), "subscription")` {% endhint %} #### **Supported Rules** The rule engine supports expressions with parameters, arithmetic, logical, and string operations. #### **Basic Expressions** $$ 10 > 0, 1+2, 100/3 $$ #### **Parameterized Expressions** $$ past.metric == current.metric $$ The available parameters are `past`, `current` and `event_count` + `past`: This parameter contains the JSON payload of the previous incident which the current event is compared with + `current`: This parameter contains the JSON payload of the incoming event which will be compared with the past incidents’ JSON payload + `event_count`: This denotes the number of deduplicated events for a given incident {% hint style="info" %} **Use-case for event\_count:** This can be used in scenarios where you do not want to deduplicate more than `n` number of alerts to a particular incident. {% endhint %} #### **Regular Expressions** This can be used to check if a particular JSON payload field matches a regular expression. $$ re(payload.metric, "disk.\*") $$ #### **Parse JSON content within the payload using `jsonPath`** #### **General Format** `jsonPath(, <"the parameter that needs to be picked from the parsed JSON object">)` **Example** Below is an example payload: ``` { "payload": { "Type": "Notification", "MessageId": "5966c484-5b37-58df", "TopicArn": "arn:aws:sns:us-east-1:51:Test", "Message": "{\"AlarmName\":\"Squadcast Testing - Ignore\",\"AlarmDescription\":\"Created from EC2 Console\"}" } } ``` ``` jsonPath(payload.Message, "AlarmName"); ``` This will pick out the value `AlarmName` from the Message object in the payload, based on which, you can de-duplicate incidents. {% hint style="info" %} **Multiple Alert Sources** We can see alert payloads of past events from different alert sources for the Service by selecting the respective alert source from the dropdown in the right-half side. \ Since the payload format is fixed for a given alert source, it is usually preferable to have Deduplication Rules on a per-alert source basis. This can be done by making use of the `source` field which lets you know the alert source that triggered the incoming event.\ \ For example, if you want to have a Deduplication Rule for a Service, only for alerts coming for `grafana` alert source, then the corresponding rule would look something like: `source == 'grafana' && ()` {% endhint %} **Example** Below is an example payload for demonstration: ``` { "event_count": 5, "past": { "issue_description": "bug - 2", "issue_id": "10029", "issue_key": "HYD-30", "issue_labels": [], "issue_link": "http://13.233.254.18:8080/browse/HYD/issues/HYD-30", "issue_priority": "Medium", "issue_summary": "bug - 2", "issue_type": "Bug", "project_id": "10000", "project_key": "HYD", "project_name": "hydra" }, "source": "grafana" } ``` To deduplicate any incoming alert when: * The `metric` matches the regular expression `^disk.*` * The `past` incident `metric` and the `current` event `metric` are the same * The `past` incident `host` and the `current` event `host` are the same * The `current` disk usage `value` is less than 60% * The `context` value tag is same #### **Deduplication Rule:** ``` past.metric == current.metric && re(current.metric, "^disk.*") && past.host == current.host && current.value < 60 && jsonPath(past.tags, "context.value") == jsonPath(current.tags, "context.value"); ``` ## Viewing Deduplicated Incidents From the [Incidents](/incident-list/incident-list-view.md) page, you can view which incidents have deduplicated events when there is a **+\** next to the Incident ID like in the screenshot below. The **number** indicates how many alerts were deduplicated against this incident.
Viewing deduplicated incidents in Squadcast
Clicking on such an incident will take you to its [Incident Details](/incidents-page/incidents-details.md) page where, by clicking on **Deduped Events**, you will be able to see the following: * Number of deduplicated events * Time when they reached Squadcast * **Message** and **Payload** of the event
deduplicated events in Squadcast
Clicking on any of the deduplicated events will display will all the information that is sent for that alert from the monitoring tool, including the **Deduplication Reason** (which Deduplication Rule got executed). ![deduplication reason in Squadcast](/files/DBsxVPnO6Y9FibxglBpq) ## FAQs 1\. Will I get notified of the duplicate alerts that come in for an incident in a Triggered state? No, nobody is notified of the duplicate alerts that come in for an incident in the `Triggered` or `Acknowledged` state. 2\. Will I get notified of the duplicate alerts that come in for an incident in the Resolved state? Yes, Incident Deduplication will not take place for an incident when it is in the `Resolved` state. Squadcast triggers a fresh incident for such an alert and notifies the right people. 3\. Why can’t I deduplicate incidents for more than 48 hours? Most organizations across the world follow the best practice of resolving critical incidents within 48 hours of their creation. This is also the reason why Squadcast allows you to deduplicate incidents for a maximum of 48 hours. 4\. Can I create OR rules? Yes, you can. The evaluation between different Deduplication Rules is `OR`. 5\. What kind of regex can be used to write custom rules? The rule engine supports expressions with parameters, arithmetic, logical, and string operations. You can also check [this](https://regex101.com/) out to get an idea of all the expression types accepted in Squadcast. Please do your regex [here](https://regex101.com/) against `Golang` flavor as shown in the screenshot below and then, set them up in Squadcast: ![Regex used to write custom rules in Squadcast](/files/z0Rt2yQUxRs6wpvmlLLa) 6\. Do the Deduplication Rules have priority? Yes, you can specify Execution Rule Priority for the rules defined by moving them `Up` or `Down` the list of rules. 7\. While adding a Deduplication Rule, is the *search string* in the rule case sensitive? Yes, that is correct. For example, if your search string is “ALERT” and your payload does not contain “ALERT” but contains “Alert”, this will not be matched. Your search string should be “Alert”. 8\. I have configured multiple rules for a particular Service. Can I search through the configured rules to find the rule I am looking for? Yes, that is doable. You will notice a **Search** option on the left-top of the rules modal. You can type in a word you recall from the rule description or the rule itself. Any matching results will yield the narrowed-down set of rules.
Search rules configured in Squadcast
*Have any questions?* [*Ask the community*](https://community.squadcast.com/view/home)*.* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://support.squadcast.com/services/alert-deduplication-rules/alert-deduplication-rules.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.