Version: Next

Event Aggregation

info

Event Aggregation can be enabled through Templates, Field Values or savedsearches.conf settings.

How Event Aggregation works

When the Append Alert flag is enabled, AME will add new Alerts to existing events. The following criteria must be fulfilled:

  • The Alert must match the Append keys criteria.
  • The Event must be in the New or In Progress state, not in the Done state.

Append Keys

Three append keys are available by default:

  • ame.event_title: The title defined in the Alert Action.
  • ame.search_name: The name of the search as defined in savedsearches.conf.
  • ame.template_name: The name of the template the Alert uses.

All AME internal fields start with the ame. prefix; fields from the Alert Results can be used for aggregation as well.

note

The append key list should include at least one of the following fields: event_title, search_name or template.

Append Mode

The Append mode defines what action to take if an alert matches multiple existing events.

The following modes are available:

  • Append to latest event
  • Append to most recent event
  • Append to all
  • Create new event

Append Strict

If the append strict flag is enabled, all field values have to match.

Example 1:

  • Strict Mode: Disabled
  • Append Keys: ame.template_name, host, process
  • Event contains: host
  • Result: Event will be appended

Example 2:

  • Strict Mode: Enabled
  • Append Keys: ame.template_name, host, process
  • Event contains: host
  • Result: Event will not be appended, a new event will be created

Updates when appending an alert

If the criteria are fulfilled, AME will append the new alert to the existing event with the following consequences:

  • The first seen time will not change
  • The count will be increased by one
  • The event results will be added to the data tab with their new alert time
  • The notable events tab will be updated with the latest event results
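The append-key check, the Append Strict flag, the Append Mode selection and the updates listed above, written out as an added Python illustration (not AME's own code). The mode labels most_recent/all/new, the sample field values and the treatment of a key missing from the alert side are assumptions.

```python
from dataclasses import dataclass, field

OPEN_STATES = {"New", "In Progress"}  # a Done event never receives new alerts

@dataclass
class Event:
    fields: dict                    # key values the event was created with
    state: str = "New"
    first_seen: float = 0.0         # never changes on append
    last_seen: float = 0.0
    count: int = 1
    results: list = field(default_factory=list)  # (alert_time, alert result)

def matches(alert, event, keys, strict):
    """Append-key check. Strict: every key must exist on both sides and be
    equal. Non-strict: a key missing from either side is skipped (the page
    only shows keys missing from the event; the alert side is an assumption)."""
    if event.state not in OPEN_STATES:
        return False
    for k in keys:
        if k not in event.fields or k not in alert:
            if strict:
                return False
            continue
        if event.fields[k] != alert[k]:
            return False
    return True

def append_alert(alert, alert_time, events, keys, strict, mode="most_recent"):
    """Apply the Append Mode and return the event(s) that received the alert.
    mode: "most_recent" (by last alert time), "all", or "new"."""
    hits = [e for e in events if matches(alert, e, keys, strict)]
    if mode == "new" or not hits:
        ev = Event({k: alert[k] for k in keys if k in alert},
                   first_seen=alert_time, last_seen=alert_time,
                   results=[(alert_time, alert)])
        events.append(ev)
        return [ev]
    if mode == "most_recent":
        hits = [max(hits, key=lambda e: e.last_seen)]
    for ev in hits:                     # mode "all" appends to every hit
        ev.count += 1                   # first_seen is left untouched
        ev.last_seen = alert_time
        ev.results.append((alert_time, alert))  # data tab gets the new time
    return hits

KEYS = ["ame.template_name", "host", "process"]   # the page's append keys

def example_event():
    """Constructed event from the page's examples: it carries host, not process."""
    return Event({"ame.template_name": "default", "host": "web01"},
                 first_seen=100.0, last_seen=100.0)
```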