The Group Alerts page appears. In the Suggested Grouping Automations section, review the suggested automations. If you want to proceed with one, select Create on the corresponding automation tile.

If you want to see all suggested automations—including previously suggested and ignored ones—select View all in the Suggested Grouping Automations section.

1. From the Assignment group field menu, select the assignment group to determine which team’s alerts will trigger the automation.

   The Assignment group represents a specific team responsible for handling certain alerts. By selecting an assignment group, you ensure that only the alerts assigned to that particular team will trigger the automation. This way, the automation is targeted and only activates for relevant alerts associated with the selected team.

   Note:

   • If you’re logged in to the instance with an administrator role (evt_mgmt_admin), all of the assignment groups are available. Additionally, you can select All groups to enable generating alerts for any of the available groups.
   • If you’re an operator, only the group you’re a part of is available.
   • Only members of the selected group or administrators can update or delete the automation.
2. Set up the conditions by selecting the field, operator, and field value. Then, add more conditions using OR or AND operators. You must add at least one more filter besides the assignment group.
   Tip:

   Select a more specific filter to enhance performance.

   To add another set of conditions, select + New condition set. You can also manually add an additional info field if you don’t see it in the drop-down list.

   Note:

   Select Load past events to view previous events when creating the automation.

1. In the Grouping timeframe field, specify the duration (in minutes) when alerts must be collected and grouped together.
2. In the Criteria type menu, select how you want to group the alerts.
   Currently, there are two options:

   • Similar fields & tags: Group alerts based on similar fields and tags.
   • Related CIs: Group alerts based on CI (Configuration Item) relationships—child, parent, or sibling—along with containment and applicative flows.
   • Impacted service instances: Groups alerts affecting the same service instances. You can choose either All Service Instances or a Specific Service Instance. For Specific Service Instance, use the Service Instance field to select the services you want.
   • Related logs properties: Groups alerts generated from logs using the Health Log Analytics grouping algorithm. The Related logs properties option appears only when you install the Health Log Analytics plugin.
3. In the Source field menu, select the source from which you want the alerts to be grouped.
   Note:

   You can manually add a field name and select the type of the field. The available options include additional info field, alert tag, and CI tag. This flexibility allows you to customize the information being captured according to your specific needs.
4. In the Match method for grouping field, select one of the following options: group alerts based on an exact match, fuzzy match, or pattern match.

   When you select a value for the fuzzy match method in the grouping field, the Similarity threshold (percentage) field becomes visible. Alerts are grouped when their similarity is greater than or equal to the specified percentage based on edit distance.

   For example, if you have alerts from USA, CA, and USA, NY, and you want to group the alerts by country, you would set the Source field to USA. If the Match Method for Grouping is a fuzzy match and the Similarity threshold (percentage) is 50%, then alerts will be grouped if they are at least 50% similar, meaning they share the country "USA" as a common attribute.

5. When you select a value for the pattern match method in the grouping field, the Pattern matching field becomes visible. Alerts are grouped when the specified pattern matches. For more information, see Pattern matching.

   Use asterisks (*) in the search string to match any number of characters or a question mark (?) to match any single character. Everything else in the search string matches itself. For example, use "HTTP Error 5??" to match all HTTP 500 errors.

   To include additional fields for grouping, select + Add criteria.

• Set the minimum number of alerts to form a group: Defines the least number of alerts required to create a group.

  Example: During a flash sale, you may want to group alerts only if at least 5 similar errors occur to avoid noise from single occurrences.

• Form group only if at least one alert meets specific conditions you define: When enabled, the system groups alerts only if at least one alert satisfies your defined criteria that you have mentioned in the Then, group alerts by the following criteria section.

  Example: Useful for critical services where you want to group alerts only if a high-severity alert is present, ignoring low-priority alerts.

  When this option is enabled, additional fields appear:

  • Select field: The alert property to check, e.g., Severity, Host Name, Service Name, Metric Value, Region, or Status.
  • Select operator: The comparison logic for the selected field, e.g., is, is not, contains, starts with, greater than, less than.
  • Enter value: The specific data the alert's field must match or be compared against, e.g., Critical, prod-web-01, US-East-1, or 100.
  • Operators:
    • or: Combines multiple conditions; the result is true if at least one condition is true.
    • and: Combines multiple conditions; all conditions must be true for the result to be true.
  • Add condition set: Adds a new, independent set of conditions.

1. In the Order field, enter the automation order.
   Note:

   Alerts are grouped based on the first match, executed in order from the lowest to the highest number. The Automation is managed by field displays the team or assignment group who owns, edits, and can delete this automation. The assignment group is the same as the one defined in the If these conditions are met section.
2. In the Automation description field, enter a brief description of the automation.

You can also modify any alert grouping conditions or field values and initiate the process again by selecting Re-run test.

The Test Automation section displays key columns: Alerts, Description, Grouped by, Node, and Time. The Description column outlines the alert group details. Preceding the Description column, a number indicates the total alerts contained within that group. Grouped by specifies the category of grouping, such as Group alerts with the same Node and CMDB. You can sort the Grouped by column which is by default in the descending order. The value for other automation group displays the name of the corresponding automation group and includes a link to it. For a single alert, the value is displayed as –. The Time column shows when the test was conducted.