Understanding pattern identifiers

  • Release version: Australia
  • Updated March 12, 2026

    A pattern identifier is a set of criteria or attributes (such as alert type, affected system, etc.) used to group similar alerts. It helps to identify recurring issues, making it easier for teams to respond and address ongoing problems.

    How pattern identifiers group alerts

    Consider a network monitoring system that generates alerts for various issues, such as high CPU usage, memory leaks, or connection timeouts.

    Pattern Identifier: Metric Name and CI
    • Alert 1: High CPU usage on Server A at 10:00 AM
    • Alert 2: High CPU usage on Server A at 10:05 AM
    • Alert 3: Memory leak on Server B at 10:10 AM
    • Alert 4: High CPU usage on Server A at 10:15 AM
    In this case, the pattern identifier could be set to the Metric Name (e.g., high CPU usage) combined with the Configuration Item (CI) (e.g., Server A). Alerts 1, 2, and 4 would be grouped together because they share the same metric (high CPU usage) and the same CI (Server A), indicating a recurring issue that may need further investigation. Alert 3, however, would not be included in this group because it has a different metric (memory leak) and CI (Server B).

    Note: The set of alert fields used for the pattern identifier is also referred to as Feature Identifier Attributes or simply attributes.

    How to configure effective pattern identifiers

    To configure effective pattern identifiers for alert grouping, follow these three key steps to ensure accurate and meaningful analysis of alerts.

    Step: Create an event rule
    Action: Define an event rule. To learn how to create an event rule, see Create or edit an event rule.
    Description: Set up an event rule to populate the relevant alert fields for the pattern identifier.

    Step: Manage pattern identifier
    Action: Add the relevant alert fields to the pattern identifier. To learn how to add fields to the pattern identifier, see Specify and manage pattern identifier attributes for alert grouping.
    Description: After adding the relevant alert fields, select Deploy to activate the pattern identifier.

    Step: Choose relevant identifiers
    Action: Select alert fields that clearly identify the problem.
    Description: For example, if the issue is that a service is offline or there’s no connection to the database, look for specific values in the alert that indicate this. Add these types of fields to the pattern identifier. By default, we provide the Metric Name field as a pattern identifier.
    • Avoid overly unique fields (e.g., date) that make pattern identification difficult.
    • Avoid overly common fields that result in too many alerts being grouped together, making patterns indistinguishable.
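
The grouping rule and the field-selection guidance above, as an added example (not ServiceNow code): a simplified JavaScript model that groups five constructed alerts by CI plus a candidate attribute set and reports how many recurring groups result. The field names and the two-alert threshold for a recurring group are assumptions of this sketch.

```javascript
// Simplified model of pattern-identifier grouping (illustrative, not ServiceNow code).
// Field names (ci, metric_name, severity, time) are assumptions for this sketch.

// Constructed sample alerts: the four from the example above plus a fifth
// with a different metric on Server A.
const ALERTS = [
  { id: 1, ci: 'Server A', metric_name: 'High CPU usage', severity: 'Major', time: '10:00' },
  { id: 2, ci: 'Server A', metric_name: 'High CPU usage', severity: 'Major', time: '10:05' },
  { id: 3, ci: 'Server B', metric_name: 'Memory leak', severity: 'Major', time: '10:10' },
  { id: 4, ci: 'Server A', metric_name: 'High CPU usage', severity: 'Major', time: '10:15' },
  { id: 5, ci: 'Server A', metric_name: 'Connection timeout', severity: 'Major', time: '10:20' },
];

// Two alerts are similar when they share the same CI and the same values
// for every pattern identifier attribute; all other fields may differ.
function groupAlerts(alerts, attributes) {
  const groups = new Map();
  for (const alert of alerts) {
    const key = JSON.stringify([alert.ci, ...attributes.map((a) => alert[a])]);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(alert.id);
  }
  return [...groups.values()];
}

// Summarize how well an attribute set separates recurring issues.
// Assumption: a group counts as recurring once it holds at least two alerts.
function evaluateAttributes(alerts, attributes) {
  const groups = groupAlerts(alerts, attributes);
  const recurring = groups.filter((ids) => ids.length >= 2);
  // A recurring group is "mixed" if it lumps different metrics together
  // (metric_name is used here as the ground truth for "same problem").
  const mixed = recurring.filter((ids) => {
    const metrics = new Set(ids.map((id) => alerts.find((a) => a.id === id).metric_name));
    return metrics.size > 1;
  });
  return { groups: groups.length, recurring: recurring.length, mixed: mixed.length };
}

// Default attribute, an overly unique addition, and an overly common field.
const candidates = [['metric_name'], ['metric_name', 'time'], ['severity']];
for (const attrs of candidates) {
  console.log(attrs.join('+'), evaluateAttributes(ALERTS, attrs));
}
```

Adding the timestamp leaves every alert in its own group, so no pattern emerges, while severity alone merges the CPU and timeout alerts on Server A into one indistinct group.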

    Alert grouping and Learned Patterns

    Learn how alert patterns are discovered, grouped, and displayed in the system.
    • Pattern discovery: When a set of alert fields matches, the alerts are grouped into a "Learned Pattern." For example, alerts with the same Priority Group and Resource are grouped into a pattern.
    • Pattern reporting: These patterns are displayed on the Learned Patterns report found under Event Management > Administration > Learned Patterns.

    Managing Pattern Attributes and Time Frame

    Learn how pattern identifier attributes are managed, how new sets are deployed, and how the system identifies issues.
    • Active pattern identifier attributes: Only one set of attributes can be active at a time.
      Note: The new set replaces the current one after deployment.
    • Purpose and time frame: Pattern grouping identifies issues within the last 30 days, controlled by the sa_analytics.agg.learner_period_days property.
    • Issue identification: To identify an issue, the system uses a combination of Configuration Items (CIs) and Pattern Identifiers (sometimes referred to as Feature Identifiers).

    By default, a Pattern Identifier is defined as the Metric Name, but this can be modified. Two alerts are considered similar if they share the same CI and Pattern Identifier, although fields such as Source, Severity, Description, and others may differ.

    For more information, see Specify and manage pattern identifier attributes for alert grouping.

    Note: The Alert Aggregation Learner also identifies patterns of alerts within manual alert groups.

    In some cases, you can create patterns from alerts where the CIs share the same value in a specified field. For example, to build patterns from alerts with the same CI Location field, enter location in the sa_analytics.agg.learner_group_by_property property. For more information, see Configure scheduled job-based alert grouping.

    When working with CI-based groups, ensure that the pattern identifier includes both the node and the metric name. For details on configuring the Feature Identifier, see Learned patterns report.

    Note: Alerts that lack a CI can still be grouped together as Text-based or CI-based alert groups, treating a node as a CI. To enable this functionality, set the sa_analytics.enable_no_ci_grouping property to true.