Alerts with same dedup_key are not grouped into one incident


(Dmitriy Vinogradov) #1


I am trying to tune integration with our monitoring service (ElastAlert) using Events v2 API.
I have set up a rule to send ‘trigger’ alerts when some log messages are discovered.
Also I would like consecutive alerts to be grouped into one incident based on some fields of the log messages, and set up a dedup_key as a combination of these fields.
But to my surprise, alerts fired with the same value of dedup_key are not grouped into one incident.

For example for and, I had specified the same value ‘Kong Error: POST /ai/text/translate - 400, for client clientX_integration’, but there were two distinct incidents created for each of them (26 and 27).

Can you please clarify - is it possible to create alerts in the existing incident?

(Malcolm Konner) #2

Hi Dmitriy,

An alert will only de-dupe if there is an event currently open with the same dedup_key. If the alert with the same key is resolved, a new alert will trigger.

We don’t like to go into detail about objects in our customers’ accounts here, but if you have any other questions about why each of these alerts triggered, please feel free to reach out to our Support team via email.
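The rule Malcolm describes (a trigger de-dupes only onto an alert that is still open; once it is resolved, the same dedup_key starts a new incident) is easy to check against a local model. This is an added example, not code from the thread, ElastAlert or PagerDuty: the simulator is a constructed stand-in for the Events v2 endpoint, the dedup_key layout and the routing key are assumptions.

```python
import itertools
from dataclasses import dataclass, field

# Constructed model of the Events v2 de-duplication behaviour described in the
# thread: a trigger appends to an existing alert only while an alert with the
# same dedup_key is still open (triggered or acknowledged), never after resolve.
@dataclass
class Alert:
    dedup_key: str
    incident_id: int
    status: str = "triggered"
    log: list = field(default_factory=list)   # summaries de-duped onto this alert

class FakeEventsV2:
    def __init__(self):
        self.alerts = {}                       # dedup_key -> most recent alert
        self._ids = itertools.count(1)

    def send(self, event: dict) -> dict:
        key, action = event["dedup_key"], event["event_action"]
        current = self.alerts.get(key)
        is_open = current is not None and current.status != "resolved"
        if action == "trigger":
            if is_open:                        # same key, still open: join the alert log
                current.log.append(event["payload"]["summary"])
                return {"status": "deduped", "incident_id": current.incident_id}
            new = Alert(key, next(self._ids), log=[event["payload"]["summary"]])
            self.alerts[key] = new             # resolved or unknown key: new incident
            return {"status": "new_incident", "incident_id": new.incident_id}
        if action in ("acknowledge", "resolve") and is_open:
            current.status = "acknowledged" if action == "acknowledge" else "resolved"
            return {"status": action, "incident_id": current.incident_id}
        return {"status": "ignored", "incident_id": None}

def build_event(action: str, f: dict, routing_key: str = "ROUTING_KEY_PLACEHOLDER") -> dict:
    """Events v2 payload whose dedup_key is derived from log fields (assumed layout)."""
    key = f"{f['service']}:{f['route']}:{f['status']}:{f['client']}"
    summary = f"{f['service']} Error: {f['route']} - {f['status']}, for client {f['client']}"
    return {"routing_key": routing_key, "event_action": action, "dedup_key": key,
            "payload": {"summary": summary, "source": f["service"], "severity": "error"}}

def run_scenario() -> list:
    """Two triggers, a resolve, then a third trigger with the same dedup_key."""
    pd = FakeEventsV2()
    f = {"service": "Kong", "route": "POST /ai/text/translate", "status": 400,
         "client": "clientX_integration"}                      # constructed sample
    results = [pd.send(build_event(a, f)) for a in ("trigger", "trigger", "resolve", "trigger")]
    return [r["incident_id"] for r in results]                 # returns [1, 1, 1, 2]
```

Two back-to-back triggers land on incident 1; after the resolve, the identical dedup_key opens incident 2, which is the behaviour the thread reports.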

(Simon Fiddaman) #3

Hi @DmitriyVinogradov,

We use the dedup_key explicitly for some of our alerting integrations, although usually this is explicitly to match trigger and resolve actions, not to push unrelated alerts together.

I’d suggest using unique-per-alert dedup_key and turning on one of the Intelligent or time-based alert grouping methods to corral different alerts into a single Incident.

If you were to re-use the dedup_key field on alerts triggered from a given source, they’ll show as entries in the Alert Log. I’d only do this if it was categorically a continuation of the exact same initial issue.

Hope that helps,

(system) #4