AIOps Tag-Based Alert Clustering – Alerts closing quickly not getting grouped

Hi everyone,

I’m working on AIOps alert grouping using Tag-Based Clustering and running into something I’m not fully clear on.

In my setup, clustering is enabled with a 30-minute timeframe, and I’m grouping alerts based on Type (Database / TradingSystem). The configuration looks fine, and I do see grouping happening for some alerts.

The issue is with a specific set of alerts:

• These alerts are getting created and then automatically closed within a few seconds (around 5–30 sec)
• They have similar attributes (same type, similar descriptions, close timestamps)
• Ideally, they look like good candidates to be grouped

But in reality:

• They are not getting grouped at all
• Group field is empty
• No parent/child relationship is formed

What I’ve noticed is:

• Alerts that stay open longer do get grouped
• Alerts that close very quickly consistently don’t

From the clustering definition, I see the note saying:

“Clustering will run only for new alerts”

So I’m trying to understand how this actually works in practice.

My questions are:

• Does tag-based clustering only evaluate alerts at the time they are created?
• If an alert gets closed very quickly, does it miss the chance to be grouped?
• Is clustering re-evaluated later within the timeframe, or is it strictly one-time at creation?

Just trying to figure out if this is expected behavior or if I’m missing something in the configuration.

Appreciate any inputs or if someone has seen similar behavior.

Thanks!