
Content Based Grouping on Empty Fields

  • February 22, 2023

Hi,

We are planning to implement Content Based Grouping using two fields.
Upon review, one of the fields is empty for most of the events. How will grouping work in this scenario?

  1. Will it group considering only one field? or
  2. Will it ignore grouping since one of the fields is null?

Thanks

3 replies

Hi Vignesh. It will depend if you have selected “Any” or “All” for the match type.

If you want the alerts to be grouped if one of the fields is null, use “Any”. If you’d like to exclude the alerts with null values, the “All” match will be more strict.

There’s more on those choices in the knowledge base:


  • Author
  • February 23, 2023

Thank you Mandi.

In our scenario, we are using two fields for grouping:

  1. Source
  2. Component

Alert1: Source: Host A, Component as NULL
Alert2: Source: Host A, Component as NULL

Will this get grouped as one incident, or as separate incidents?

Thanks


  • March 3, 2023

Hi Vignesh. It definitely should. I tried it out with nulls and it does group those alerts based on the host, using the ANY setting!