Correlate Events or alerts based on their metric name

George18
Tera Expert

Hi,

 

In order to reduce noise, I would like to do the following if possible.

 

Event 1 comes in with a Metric name of: Issue with Disk space

Event 2 comes in with a Metric name of: Low Memory

Event 3 comes in with a Metric name of: Issue with Disk space

Event 4 comes in with a Metric name of: Low Memory

 

Event 1 and Event 3 should be grouped together and only open 1 incident.

Event 2 and Event 4 should be grouped together and only open 1 incident.

Since their name is the same. Even if their CI is different.

 

OOTB I haven't been able to find a solution to accomplish this.

 

Thank you


AndersBGS
Tera Patron

Hi @George18 ,

 

There is an OOTB solution for event correlation based on the message key / unique identifier - Have you looked into this (Alert correlation rules)?  

 

If my answer has helped with your question, please mark my answer as accepted solution and give a thumb up.

 

Best regards

Anders


George18
Tera Expert

Hi Anders,

thank you for your reply.

In my use case the message key is different.

Thus, I would like to correlate based on the same Metric Name.

 

Thank you

Krishna18
Tera Expert

Hello George,

This is possible through Tag based alert clustering.

Navigate to All > Alert Clustering definitions.

Click New and give it a name. Check the Active field to set it to true.

If you have any conditions, add them, like (Metric name is not empty). Add the clustering time frame in minutes.

Add an alert clustering tag; in your case you have an OOB tag (Exact match on Alert field "metric_name"). You can create custom Alert clustering tags as per your needs on different fields on the Event or Alert table.

 

If my answer has helped with your question, please mark my answer as accepted solution and give a thumb up.
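An added sketch (not from the thread and not ServiceNow's own code) of the grouping behaviour the answer above describes: exact match on `metric_name` inside a clustering time frame, regardless of CI, with the "metric name is not empty" condition applied. The sample alerts, the `ci` and `minute` fields, and the rule that the time frame is measured from the first alert of a group are assumptions made for illustration.

```javascript
// Illustrative model only: groups alerts by exact metric_name match within
// a time frame. It does not call any ServiceNow API.

// Constructed sample alerts (minute = arrival time; CIs differ on purpose).
const sampleAlerts = [
  { number: 'Alert0001', metric_name: 'Issue with Disk space', ci: 'srv-a', minute: 0 },
  { number: 'Alert0002', metric_name: 'Low Memory',            ci: 'srv-b', minute: 1 },
  { number: 'Alert0003', metric_name: 'Issue with Disk space', ci: 'srv-c', minute: 4 },
  { number: 'Alert0004', metric_name: 'Low Memory',            ci: 'srv-d', minute: 6 },
  { number: 'Alert0005', metric_name: '',                      ci: 'srv-e', minute: 7 },
  { number: 'Alert0006', metric_name: 'Low Memory',            ci: 'srv-a', minute: 45 },
];

function clusterByMetricName(alerts, timeFrameMinutes) {
  const open = new Map();   // metric_name -> group currently accepting alerts
  const groups = [];        // every group created, in order of first alert
  const ungrouped = [];     // alerts that fail the "not empty" condition
  const ordered = [...alerts].sort((a, b) => a.minute - b.minute);

  for (const alert of ordered) {
    const key = alert.metric_name;
    if (!key) {             // condition: metric name is not empty
      ungrouped.push(alert.number);
      continue;
    }
    let group = open.get(key);
    // Assumption: the time frame starts at the group's first alert.
    if (!group || alert.minute - group.startMinute > timeFrameMinutes) {
      group = { metric_name: key, startMinute: alert.minute, members: [] };
      open.set(key, group);
      groups.push(group);
    }
    group.members.push(alert.number);   // the CI is deliberately ignored
  }
  return { groups, ungrouped };
}

const result = clusterByMetricName(sampleAlerts, 30);
for (const g of result.groups) {
  console.log(`${g.metric_name} -> ${g.members.join(', ')}`);
}
console.log(`ungrouped -> ${result.ungrouped.join(', ')}`);
```

With a 30-minute time frame the late "Low Memory" alert starts a new group, which is the trade-off to weigh when choosing the time frame value.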