Hi,
We are planning to implement Content Based Grouping using two fields.
Upon review, one of the fields is empty for most of the events. How grouping will work based on this scenario?
Thanks
Hi Vignesh. It will depend if you have selected “Any” or “All” for the match type.
If you want the alerts to be grouped if one of the fields is null, use “Any”. If you’d like to exclude the alerts with null values, the “All” match will be more strict.
There’s more on those choices in the knowledge base:
Thank you Mandi.
In our scenario, We are using "Alerts are grouped into the most recent open incident that is an exact match on All of the following fields: source, component "
Alert1: Source: Host A, Component as NULL
Alert2: Source Host A, Component as NULL
Will this get grouped as one Incident? or Separate Incident?
Thanks
Hi Vignesh. It definitely should. I tried it out with nulls and it does group those alerts based on the host, using the ANY setting!