Events V2 is not creating multiple alerts

I have read through the Event V2 API documentation and what I am seeing actually occur is not following what I am reading.

My understanding is that if I send 2 calls into the API with the same “dedup_key”, I should get a single incident created but with 2 alerts beneath the incident. Instead, I only see a single alert within the incident. If I send another trigger call into the API with the same dedup_key but with a different summary I am seeing the original alert’s summary updated, but I would expect to see a new alert within the incident with a different summary, and the original alert still living within the incident.

Am I misunderstanding the purpose of alerts vs incidents?

You should see deduplication results by drilling into the “Alert” associated with the incident. If you were using Alert Grouping where each alert has a unique dedupe key, you’d see multiple unique alerts displayed on the incident, and deduplication for each of those by drilling into the “Alert” detail.

Here’s an example of sending in the same alert trigger and dedupe key and where deduplication shows up.

Ok, I do see the Alert De-Duplication when I drill in, that is very helpful. So the dedup key in the API is for the “alert” and not for the “incident”.
Am I correct that there is no way to get multiple alerts with different dedupe keys into the same incident using the API alone? Instead I need to configure “Alert Grouping” through the UI, and set it up to group them into the same incident by some field, i.e. “group” field?

Thanks again!

Correct, the service’s setting controls the alert and incident behavior for all things arriving via the Event API or REST API and where the Alert Grouping features come into play. Time-Based, Content-Based, and Intelligent Alert Grouping are your options, based on your subscription level.

The Content-Based Alert Grouping (CBAG) method allows you to pick one or more fields in your alerts (e.g. application, service, location, chassis, etc.) and group all incoming alerts into an active incident.
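
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not PagerDuty code: the trigger body uses the Events API v2 field names, and a small local model shows repeated `dedup_key` values collapsing into one alert while distinct keys sharing a `group` value land in one incident. `ServiceModel`, the routing key placeholder and the sample keys and summaries are constructed, and the model assumes Content-Based Alert Grouping on the `group` field.

```python
import json

def build_trigger(dedup_key, summary, group, routing_key="ROUTING_KEY_PLACEHOLDER"):
    """Events API v2 trigger body. dedup_key identifies the alert, not the incident."""
    return {
        "routing_key": routing_key,  # placeholder, not a real integration key
        "event_action": "trigger",
        "dedup_key": dedup_key,
        "payload": {"summary": summary, "source": "db-01",
                    "severity": "error", "group": group},
    }

class ServiceModel:
    """Simplified local model (assumption): content-based grouping on payload.group."""
    def __init__(self):
        self.alerts = {}     # dedup_key -> alert state
        self.incidents = {}  # group value -> dedup_keys of the alerts it holds

    def ingest(self, event):
        key, payload = event["dedup_key"], event["payload"]
        alert = self.alerts.get(key)
        if alert:
            # Same dedup_key: deduplicated into the existing alert. The summary
            # update mirrors what the question reports seeing.
            alert["triggers"] += 1
            alert["summary"] = payload["summary"]
        else:
            # New dedup_key: new alert, attached to the incident for its group.
            alert = {"summary": payload["summary"], "triggers": 1}
            self.alerts[key] = alert
            self.incidents.setdefault(payload["group"], []).append(key)
        return alert

def run_demo():
    """Constructed sample: two keys, three triggers, one shared group."""
    svc = ServiceModel()
    events = [
        build_trigger("disk-full/db-01", "Disk 91% full", "db-cluster"),
        build_trigger("disk-full/db-01", "Disk 97% full", "db-cluster"),
        build_trigger("cpu-high/db-01", "CPU at 99%", "db-cluster"),
    ]
    for ev in events:
        svc.ingest(ev)
    return svc, events

if __name__ == "__main__":
    svc, events = run_demo()
    print(json.dumps(events[0], indent=2))
    print(json.dumps({"incidents": svc.incidents, "alerts": svc.alerts}, indent=2))
```

Deriving the `dedup_key` from stable attributes of the condition (check name plus host here) rather than from the summary text keeps repeat triggers attached to the same alert.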