Hi,
We are planning to implement Content Based Grouping using two fields.
Upon review, one of the fields is empty for most of the events. How grouping will work based on this scenario?
Thanks
Hi Vignesh. It will depend if you have selected “Any” or “All” for the match type.
If you want the alerts to be grouped if one of the fields is null, use “Any”. If you’d like to exclude the alerts with null values, the “All” match will be more strict.
There’s more on those choices in the knowledge base:
Thank you Mandi.
In our scenario, We are using two fields for grouping
Alert1: Source: Host A, Component as NULL
Alert2: Source Host A, Component as NULL
Will this get grouped as one Incident? or Separate Incident?
Thanks
Hi Vignesh. It definitely should. I tried it out with nulls and it does group those alerts based on the host, using the ANY setting!
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
