Event Aggregation
Event Aggregation can be enabled through Templates, Field Values or savedsearches.conf settings.
A support subscription is required to aggregate by other criterias than title
How Event Aggregation works
When the Append Alert flag is enabled, AME will add new Alerts to existing events. The following criteria must be fulfilled:
- The Alert must match the
Append keyscriteria. - The Event must be of type
NeworIn Progress, not in aDonestate.
Append Keys
Three append keys are available by default:
- ame.event_title: The title defined in the Alert Action.
- ame.search_name: The name of the search as defined in
savedsearches.conf. - ame.template_name: The name of the template the Alert uses.
All AME internal fields are prefixed with ame. Fields from Alert Results can be used as well for aggregation.
The append key list should include at leat one of the following fields: event_title, search_name or template
Append Mode
The Append mode defines what action to take if an alert matches multiple existing events.
Following modes are available
- Append to oldest event
- Append to most recent event
- Append to all
- Create new event
Append Strict
If the append strict flag is enabled, all field values have to match.
Example 1:
- Strict Mode: Disabled
- Append Keys: ame.template_name, host, process
- Event contains: host
- Result: Event will be appended
Example 2:
- Strict Mode: Enabled
- Append Keys: ame.template_name, host, process
- Event contains: host
- Result: Event will not be appended, a new event will be created
Updates when appending an alert
If the criteria are fulfilled, AME will append the new alert to the existing event with the following consequences:
- The
first seentime will not change - The
countwill be increased by one - The event results will be added to the
datatab with their newalert time - The
notable eventstab will be updated with the latest event results