1. From the Assignment group field menu, select the assignment group to determine which team’s alerts will trigger the automation.

   The Assignment group represents a specific team responsible for handling certain alerts. By selecting an assignment group, you ensure that only the alerts assigned to that particular team will trigger the automation. This way, the automation is targeted and only activates for relevant alerts associated with the selected team.

   Remarque :

   • If you’re logged in to the instance with an administrator role (evt_mgmt_admin), all of the assignment groups are available. Additionally, you can select All groups to enable generating alerts for any of the available groups.
   • If you’re an operator, only the group you’re a part of is available.
   • Only members of the selected group or administrators can update or delete the automation.
2. Set up the conditions by selecting the field, operator, and field value. Then, add more conditions using OR or AND operators. You must add at least one more filter besides the assignment group.
   Conseil :

   Select a more specific filter to enhance performance.

   To add another set of conditions, select + New condition set. You can also manually add an additional info field if you don’t see it in the drop-down list.

1. In the Grouping timeframe field, specify the duration (in minutes) when alerts must be collected and grouped together.
2. In the Criteria type menu, select how you want to group the alerts.
   Available options are:

   • Similar fields & tags: Groups alerts that share common fields or tags.
     • In the Source field menu, select the source from which you want the alerts to be grouped.
       Remarque :

       You can manually add a field name and select the type of the field. The available options include additional info field, alert tag, and CI tag. This flexibility allows you to customize the information being captured according to your specific needs.
     • In the Match method for grouping field, select one of the following options: group alerts based on an exact match, fuzzy match, or pattern match.

       When you select a value for the fuzzy match method in the grouping field, the Similarity threshold (percentage) field becomes visible. Alerts are grouped when their similarity is greater than or equal to the specified percentage based on edit distance.

       For example, if you have alerts from USA, CA, and USA, NY, and you want to group the alerts by country, you would set the Source field to the location. If the Match Method for Grouping is a fuzzy match and the Similarity threshold (percentage) is 50%, then alerts will be grouped if they are at least 50% similar, meaning they share the country "USA" as a common attribute.

     • When you select a value for the pattern match method in the grouping field, the Pattern matching field becomes visible. Alerts are grouped when the specified pattern matches. For more information, see Pattern matching.

       Use asterisks (*) in the search string to match any number of characters or a question mark (?) to match any single character. Everything else in the search string matches itself. For example, use "HTTP Error 5??" to match all HTTP 500 errors.

   • Related CIs: Group alerts according to CI (Configuration Item) relationships—such as parent/child (VM > host), sibling relationships (for example, multiple VMs on the same host), containment (process > application > server), and applicative flows that describe how components interact within an application. In simple terms, these alerts are connected because the underlying infrastructure components are connected.
   • Related log properties: Health Log Analytics (HLA) alerts are grouped together because their underlying logs look related based on patterns detected by the HLA algorithms.

     You can create an alert group based on related log properties on HLA alerts combined with alert tags or CMDB logic. When you choose to use related log properties, only log analytics alerts will be considered for grouping. Run the related log properties rule later in the rule order so that other rules—such as CMDB- or service-based grouping—can evaluate and group log analytics alerts first.

   • Impacted service instances: Alerts are grouped because they affect the same service instance, regardless of topological distance (hops) between the alert CIs.

     You can control which service instance must be considered by specifying relevant impacted service instance. When you select Impacted service instances, two options are available: Any service instance and Specific service instance. If you choose Specific service instance, you can select one or more service instances from the list, or select the search icon () to open the Select impacted service instances pop-up and choose the required service instances.

     By default, the Impacted service instances grouping criterion is based on the impacted service. It can also be configured to use service associations from the [svc_ci_assoc] table. You can control whether to use impacted services or service associations using the sa_analytics.use_impacted_services_for_mixed_grouping system property. If the property value is true, alerts are grouped by impacted services and if the property value is false, the alerts are grouped by service associations.

3. To include additional fields for grouping, select + Add criteria.

• Enable the toggle switch to set the minimum number of alerts required to form a group. When you enable it, the Minimum number of alerts in the group field appears, allowing you to enter the number. The default value is 2, which means grouping occurs only when there are two or more alerts.
• Enable the toggle switch to form group only if at least one alert meets specific conditions you define.
  Remarque :

  The threshold and required alert act as prerequisites for forming an alert group. The threshold defines the minimum number of alerts required to create a group. The required alert condition ensures that at least one specific, meaningful alert is present before grouping starts. If that alert is not present, the group is not created — even if there are multiple other alerts. In other words, a group is created only when both conditions are satisfied.

  Example: Imagine a network switch with multiple ports, where alerts can occur either on individual ports or on the switch itself. You want a group to be created only when the switch is affected, not when there is just a port-level issue. In this setup, if alerts occur only on one or more ports, no group is created. A group is created only when an alert occurs on the switch along with one or more alerts on its ports. This ensures that grouping happens only for larger, meaningful issues involving the switch, and not for minor or isolated port problems. This is useful because it prevents unnecessary alert groups from being created, helps you focus on more important and meaningful issues, and reduces noise caused by minor or isolated alerts.

1. In the Order field, enter the automation order.
   Remarque :

   Alerts are grouped based on the first match, executed in order from the lowest to the highest number. The Automation is managed by field displays the team or assignment group who owns, edits, and can delete this automation. The assignment group is the same as the one defined in the If these conditions are met section.
2. In the Automation description field, enter a brief description of the automation.

During the simulation, it shows both the grouped alerts and the ungrouped alerts for the specified timeframe. If any alerts are grouped, you are shown the number of alerts that are grouped. You can select this number to view the grouped alerts. Additionally, selecting an individual alert displays the details of that specific alert. You can also modify any alert grouping conditions or field values and initiate the process again by selecting Re-run test.

The Test Automation section displays three key columns: Description, Type, and Time. The Description column outlines the alert group details. Preceding the Description column, a number indicates the total alerts contained within that group. Type specifies the category of grouping, such as This grouping automation, Other grouping automation, CMDB group, or Single alert, among others. Selecting Other grouping automation directs you to the corresponding automation page that generated the group. Additionally, the Time column shows when the test was conducted.