Event Aggregation
Enable event aggregation via Templates, Field Value Overrides, or savedsearches.conf Attributes.
A support subscription is required to aggregate by criteria other than title.
How Event Aggregation Works
When the Append Alert flag is enabled, Alert Manager Enterprise (AME) appends new alerts to existing events if these conditions are met:
- The alert matches the
Append Keyscriteria. - The event’s status is
NeworIn Progress(notDone).
Append Keys
Default append keys include:
ame.event_title: The title set in the Alert Action.ame.search_name: The search name fromsavedsearches.conf.ame.template_name: The template name used by the alert.
All AME internal fields are prefixed with ame. You can also use fields from alert results for aggregation.
Include at least one of event_title, search_name, or template_name in the append key list.
Append Mode
The Append Mode determines the action when an alert matches multiple existing events. Available modes are:
- Append to oldest event
- Append to most recent event
- Append to all matching events
- Create new event
Append Strict
When Append Strict is enabled, all field values in the append keys must match exactly.
Example 1: Strict Mode Disabled
- Append Keys:
ame.template_name,host,process - Event Contains:
host - Result: Alert is appended (partial match allowed).
Example 2: Strict Mode Enabled
- Append Keys:
ame.template_name,host,process - Event Contains:
host - Result: Alert creates a new event (full match required).
Updates When Appending an Alert
If the criteria are met, AME appends the alert to the existing event, resulting in:
First Seentime remains unchanged.Countincreases by 1.- New alert results are added to the
Datatab with theirAlert Time. Notable Eventstab updates with the latest results.
Alert Data Lookup Days
This setting defines the time range (in days) to search for existing events when appending, applicable only to fields from alert results (not ame.* fields).
For optimal performance, ensure existing events are in warm buckets.