LinkedIn
Twitter
Hi folks, for the sake of learning, I want to understand how the alert overflow mechanism works. In the documentation, it states that the alerts must have same environment, product and rule and should be ingested in a short time period.
I have created a connector that generates 2-5 alerts every second. This does fulfill the criteria of 50 alerts within 10 minutes. However, I do not see any overflow case being created.
As seen in the code above, I have used the is_overflowed method to test if the alert is an overflow or not. However, I do not see any overflow alert ingested.
Finally, the connector execution logs show "No data found for property key: overflow_settings". Does this log justify the behaviour ? Also, how should I set this overflow settings key ?
Thanks.
Solved
2 ACCEPTED SOLUTIONS
Hi preet_mehta,
Your code looks correct based on the screenshot you provided. The log you mentioned should not justify the behavior you are seeing. I see the same log in my quick test and I am seeing the correct overflow behavior. Here is a screenshot of my code for reference (which looks very similar to yours)
Here are a few things to check:
- Verify that the environment, product, and rule generator are the same for all of the alerts that are ingested
- Add a logger statement after the 'if is_overflowed' condition to ensure it is hitting the condition
- Ensure the alerts are not test alerts
Please let me know if you have any other questions.
Thanks!
OOTB (i.e. unless you changed Alert Grouping in settings), Alert grouping requires 2 things:
- The new Alert is within 2 hours of the existing Alert (which you should be ok with)
- And there is a matched Entity across both Alerts
Open each Case, and check the entities, did they find something in common?
