Skip to main content
Version: 3.2.0

Event Aggregation

info

Event Aggregation can be enabled through Templates, Field Values or savedsearches.conf settings.

info

A support subscription is required to aggregate by other criterias than title

How Event Aggregation works

When the Append Alert flag is enabled, AME will add new Alerts to existing events. The following criteria must be fulfilled:

  • The Alert must match the Append keys criteria.
  • The Event must be of type New or In Progress, not in a Donestate.

Append Keys

Three append keys are available by default:

  • ame.event_title: The title defined in the Alert Action.
  • ame.search_name: The name of the search as defined in savedsearches.conf.
  • ame.template_name: The name of the template the Alert uses.

All AME internal fields are prefixed with ame. Fields from Alert Results can be used as well for aggregation.

note

The append key list should include at leat one of the following fields: event_title, search_name or template

Append Mode

The Append mode defines what action to take if an alert matches multiple existing events.

Following modes are available

  • Append to oldest event
  • Append to most recent event
  • Append to all
  • Create new event

Append Strict

If the append strict flag is enabled, all field values have to match.

Example 1:

  • Strict Mode: Disabled
  • Append Keys: ame.template_name, host, process
  • Event contains: host
  • Result: Event will be appended

Example 2:

  • Strict Mode: Enabled
  • Append Keys: ame.template_name, host, process
  • Event contains: host
  • Result: Event will not be appended, a new event will be created

Updates when appending an alert

If the criteria are fulfilled, AME will append the new alert to the existing event with the following consequences:

  • The first seen time will not change
  • The count will be increased by one
  • The event results will be added to the data tab with their new alert time
  • The notable events tab will be updated with the latest event results

Alert Data Lookup Days

The time range to look back for existing events to append to. This setting is only used, when fields from the results are used and does not apply to ame.* fields.

info

For performance reasons it is highly recommended that existing events to be appended to are in warm buckets.