
Alert Suppression

Fight alert fatigue with Alert Suppression - Learn how to optimize incident management by effectively suppressing non-actionable notifications. Take control today!


Last updated 1 year ago


Alert Suppression can help you avoid alert fatigue by suppressing notifications for non-actionable alerts.

Squadcast will suppress the incidents that match any of the Suppression Rules you create for your Services. These incidents will go into the Suppressed state and you will not get any notifications for them.

These are useful in situations where you would like to view all your informational alerts in Squadcast but do not want to get notified for them.

Prerequisites

  • The User Role associated with the user in the Team must have required permissions to manage Services (ability to manage Suppression Rules).

  • Integrate with an Alert Source and ensure that the Alert Source has started sending alerts to Squadcast before setting up Suppression Rules.

Important: Automation rule CRUD operations have a 5-minute caching delay before changes take effect.

Create Alert Suppression Rules

  1. Navigate to Services -> Service Overview -> select or search for your desired service.

  2. On the extreme right, expand the accordion -> in the Automation section, click View All.

  3. In the Suppression Rules section, Add Suppression Rules.

  4. Select an Alert Source from the drop down -> Add New Rule.

5. Suppression Rules can be added in two different ways:

A. UI-based Rule Builder (Beginner-friendly)

1. On the right, you can view the payload of the latest alert for the chosen Alert Source

2. The drop-downs in the Rule Builder contain values from the payload on the right. You can use them to easily create your Suppression Rules. As you build the expression from these drop-downs, you can also see the corresponding raw string being auto-populated for the same under String Expression.

You can create Suppression Rules using the following conditions:

Operators and their conditions:

  • == : if the payload value is equal to the given value

  • != : if the payload value is not equal to the given value

  • matches/contains : if the payload value matches (or contains) the given value

  • does not contain : if the payload value does not contain the given value

Note: All these operators are case-sensitive. If you want to make the rules case insensitive, then you have to do it with the regular expression method.

3. You can add more than 1 condition for a rule by selecting Add Condition (a logical AND is performed between all the conditions -> the entire Suppression Rule will evaluate to True only if all the conditions evaluate to True)

Note:

The drop-down blocks only support the logical AND operator between 2 expressions. If you want to have a logical OR operation between 2 expressions, then you would have to create a new Suppression Rule.

Comparison Operators within Suppression Rules

You can also use comparison operators such as ==, <, <=, >, >= within your rules using the drop-down blocks when the parameter you are evaluating against is a numerical value from the payload. This helps reduce alert noise.

4. You can suppress incidents based on time as well. To do so, check Suppress by time. Add details for your suppression time slots like Timezone, Duration and Repetition.

Under Duration, you can specify Start and End Dates and choose Start and End Time as well, or simply run it for the entire day.

You can add Repetition for your slot. To do so, choose from the drop-down list and specify the end of the repetition as a particular date/time or never.

Note: You can add multiple suppression time slots for a single Suppression Rule.

Note: Users can select a timezone as per which the time slot needs to be active.

Note: The search option under payload is not a free-text search. You have to search using the JSON path format; for example, type in payload.annotations to get annotations.

We also have an option for click-to search, wherein you can click on the keys in the payload to get their required values.

B. Raw String Method

Important

Once you opt for the Raw String method, you cannot revert to the UI-based Rule Builder method.

(a) On the right, you can view the payload of the latest alert for the chosen Alert Source

(b) Click on Edit to enable the Raw String method

(c) Write your custom Suppression Rule expression

How to make rules case-insensitive?

  1. Click Edit -> Proceed

  2. You will see the rule as a regular expression. Now you need to add the command lc (lower_case) before the individual parameters.

Here is an example:

re(payload["subscription"]["type"], "Subscription")

The rule says that if payload["subscription"]["type"] contains the string "Subscription", then do some actions.

If you want to make the above rule case-insensitive, you have to add the command lc before the individual parameters.

The case-insensitive rule would look like this:

re(lc(payload["subscription"]["type"]), lc("Subscription"))

or

re(lc(payload["subscription"]["type"]), "subscription")

(d) You can suppress incidents based on time as well. To do so, check Suppress by time. Add details for your suppression time slots like Timezone, Duration and Repetition.

Under Duration, you can specify Start and End Dates and choose Start and End Time as well, or simply run it for the entire day.

You can add Repetition for your slot. To do so, choose from the drop-down list and specify the end of the repetition as a particular date/time or never.

Note: You can add multiple suppression time slots for a single Suppression Rule.

Note: Users can select a timezone as per which the time slot needs to be active.

Supported Rules

Basic Expressions

10 > 0, 1+2, 100/3

Parameterized Expressions

payload.metric == "disk"

The available parameters are:

  • payload: This parameter contains the JSON payload of an incident, which will be the same as the JSON payload format for future events from a particular alert source

  • incident_details: This contains the content of the message and description of the incoming event

  • source: This denotes the associated alert source for the current/incoming event

Regular Expressions

re(payload.metric, "disk.*")

Parse JSON content within the payload using jsonPath to add a tag

General Format

jsonPath(<the JSON string that should be parsed for JSON content>, <"the parameter that needs to be picked from the parsed JSON object">)

Example

Below is an example payload:

{
	"payload": {
		"Type": "Notification",
		"MessageId": "5966c484-5b37-58df",
		"TopicArn": "arn:aws:sns:us-east-1:51:Test",
		"Message": "{\"AlarmName\":\"Squadcast Testing - Ignore\",\"AlarmDescription\":\"Created from EC2 Console\"}"
	}
}

jsonPath(payload.Message, "AlarmName");

This will pick out the value of AlarmName from the Message object in the payload, based on which you can suppress the incident.
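The double decoding that the jsonPath call above relies on, as an added Go example (not Squadcast's code): Message is a string that itself contains JSON, so it must be parsed a second time before AlarmName can be read. pickField, alarmName, shouldSuppress and both sample events are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed event modelled on the example payload above: Message is a
// string that itself holds JSON, so it has to be decoded a second time.
const sampleEvent = `{"payload":{"Type":"Notification","Message":"{\"AlarmName\":\"Squadcast Testing - Ignore\",\"AlarmDescription\":\"Created from EC2 Console\"}"}}`

// Constructed event whose Message is plain text rather than JSON.
const plainEvent = `{"payload":{"Type":"Notification","Message":"disk usage above 90%"}}`

// pickField is a hypothetical stand-in for jsonPath(<JSON string>, <key>).
// It reports ok=false when the string is not a JSON object, or when the key
// is missing or its value is not a string.
func pickField(raw, key string) (value string, ok bool) {
	var obj map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &obj); err != nil {
		return "", false
	}
	value, ok = obj[key].(string)
	return value, ok
}

// alarmName decodes the event, then decodes payload.Message a second time.
func alarmName(event string) (string, bool) {
	var ev struct {
		Payload struct {
			Message string `json:"Message"`
		} `json:"payload"`
	}
	if err := json.Unmarshal([]byte(event), &ev); err != nil {
		return "", false
	}
	return pickField(ev.Payload.Message, "AlarmName")
}

// shouldSuppress is an illustrative rule: suppress only when AlarmName was
// extracted and contains "Ignore". An unparseable Message is not suppressed,
// so that alert still notifies.
func shouldSuppress(event string) bool {
	name, ok := alarmName(event)
	return ok && strings.Contains(name, "Ignore")
}

func main() {
	fmt.Println(alarmName(sampleEvent))
	fmt.Println(shouldSuppress(sampleEvent), shouldSuppress(plainEvent))
}
```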

Example

Multiple Alert Sources

We can see alert payloads of past events from different alert sources for the service by selecting the respective alert source from the dropdown on the right-half side.

Since the payload format is fixed for a given alert source, it is usually preferable to have suppression rules on a per-alert source basis. This can be done by making use of the source field which lets you know the alert source that triggered the incoming event.

For example, if you want to have a suppression rule for a service, only for alerts coming from grafana alert source, then the corresponding rule would look something like this:

source == 'grafana' && (<your_suppression_rule>)

Below is an example payload for demonstration:

{
	"payload": {
		"issue_description": "bug - 2",
		"issue_id": "10029",
		"issue_key": "HYD-30",
		"issue_labels": [],
		"issue_link": "http://13.233.254.18:8080/browse/HYD/issues/HYD-30",
		"issue_priority": "Medium",
		"issue_summary": "bug - 2",
		"issue_type": "Bug",
		"project_id": "10000",
		"project_key": "HYD",
		"project_name": "hydra"
	},
	"incident_details": {
		"message": "[Bug] bug - 2",
		"description": "+ Project: HYDRA \n+Issue Type: Bug ..."
	},
	"source": "grafana"
}

To suppress any incoming alert when:

  • The alert message contains: [Bug]

  • The alert source is grafana

Suppression Rule:

re(incident_details.message, "[Bug]") && source == "grafana";
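How a pattern such as "[Bug]" and the lc() variants shown earlier behave under Go-flavoured regex, as an added Go example (not Squadcast's code). It assumes re() performs an unanchored search like Go's regexp.MatchString; reMatch, suppressed and the sample messages are hypothetical and constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// reMatch models re(value, pattern) as an unanchored Go (RE2) regex search.
// Assumption: this mirrors the "contains" behaviour described on this page;
// it is not Squadcast's implementation.
func reMatch(value, pattern string) bool {
	ok, err := regexp.MatchString(pattern, value)
	return err == nil && ok
}

// Constructed sample alert messages (not real alerts).
var messages = []string{
	"[Bug] bug - 2",
	"High CPU usage on db-1",
	"Login failures spike",
	"[bug] lowercase tag",
	"DISK FULL",
}

// suppressed lists the sample messages a pattern would suppress.
// lower=true models wrapping the payload value in lc(...).
func suppressed(pattern string, lower bool) []string {
	var out []string
	for _, m := range messages {
		v := m
		if lower {
			v = strings.ToLower(m)
		}
		if reMatch(v, pattern) {
			out = append(out, m)
		}
	}
	return out
}

func main() {
	// "[Bug]" is a character class: any message containing B, u or g matches.
	fmt.Println(suppressed("[Bug]", false))
	// Escaped brackets match the literal tag only.
	exact := regexp.QuoteMeta("[Bug]")
	fmt.Println(exact, suppressed(exact, false))
	// A lower-cased value never matches a pattern containing a capital letter.
	fmt.Println(suppressed(exact, true))
	// A lower-cased value needs a lower-case pattern.
	fmt.Println(suppressed(regexp.QuoteMeta("[bug]"), true))
}
```

Checking a pattern against a handful of messages that should not be suppressed, before saving the rule, catches an over-broad match that would otherwise hide unrelated alerts.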

Discarding suppressed incidents

To discard incoming alerts and stop them from being triggered as incidents in Squadcast, use the discard() function in conjunction with Suppression Rules.

Example

Suppression Rule:

source == "grafana" && re(payload["message"], "Notification Message");

Suppression Rule with discard():

source == "grafana" &&
	re(payload["message"], "Notification Message") &&
	discard();

Avoid hitting Rate Limits

The discard() function can be used to avoid hitting the Incident Rate Limits, as suppressed events that are discarded don’t get counted against the allowed rate limits.

Viewing Suppressed Incidents

You can view suppressed incidents on the Incidents page by clicking on All Incidents and choosing Suppressed.

Note

  • Suppressed and Resolved are the final states for incidents in Squadcast. You will not be able to take any action on incidents that are in these states.

  • Incident information will be available on the Squadcast platform even if they are suppressed.

FAQs

1. What kind of regex can be used to write custom rules?

The rule engine supports expressions with parameters, arithmetic, logical, and string operations. You can also check out this reference to get an idea of all the expression types accepted in Squadcast. Please test your regex against the Golang flavour and then set it up in Squadcast.

2. Can I create OR rules?

Yes, you can. The evaluation between different Suppression Rules is OR. Add multiple Suppression Rules to enable OR evaluation.

3. While adding a Suppression Rule, is the search string in the rule case sensitive?

Yes, that is correct. For example, if your search string is “ALERT” and your payload does not contain “ALERT” but contains “Alert”, this will not be matched. Your search string should be “Alert”.

4. How do I know if an incident gets suppressed due to a Suppression Rule?

In the Incident’s Activity Timeline, the reason for suppression is displayed.

5. I have configured multiple rules for a particular Service. Can I search through the configured rules to find the rule I am looking for?

Yes, that is doable. You will notice a Search option on the left top of the rules modal. You can type in a word you recall from the rule description or the rule itself. Any matching results will yield a narrowed-down set of rules.

Have any questions? Ask the community.