Two Incidents for One Group Alert

hanumesh
Tera Contributor


1. When are two incidents created for a group (primary) alert?

In one case, for a group alert, there were two alert executions and two incidents were created. The alert was reopened 10 times. One of the incidents is correctly attached to the primary alert and was closed when the alert was closed. However, the second incident is still in progress and is not linked to the primary alert. Additionally, the work notes do not mention which alert this second incident is correlated with.



2. This is the second issue: there is a tag-based alert group that is supposed to group all alerts created within a 10-minute window. In one case, two alerts were sent first and were grouped together, but another alert was sent 5 minutes later and was not grouped with the first two. What could be the reason?

Could you please help me understand the reason for this behavior?
Thanks.




MortenPettersen
Tera Contributor

Hi Hanumesh

Do you do Incident creation as part of an Alert Execution (Rule + subflow), or are you using the global sys properties to achieve this? Also, I guess that's what you mean, but for accuracy, it's the Alerts that are attached to the Incidents, not vice versa, unless you built something custom? Just to understand your flow better.

For the second issue, Tag-Based Alert Group, the simple explanation would be that it is not matching the filter you have configured in the Tag definition. Or perhaps the timeline you referred to (10 minutes) is correctly configured. It's not being added to another group, is it? Or closed really quickly (short-lived)?