*Version: 1.0 | Last Updated: 2025-05-12*
## Overview
- **Feature Name:** GROUP BY
- **Audience:** Administrators, Support team
- **Prerequisites:** Understanding of MoovingON AI
---
## Table of Contents
1. [[#Introduction]]
2. [[#Getting Started]]
3. [[#Usage Instructions]]
4. [[#Usage Examples]]
5. [[#Related Links]]
---
## Introduction
The "**Group By**" option for incidents allows users to receive a new incident for each service or host whenever conditions match the defined rules. By default, the "**Group By**" function is set to "**None**," meaning it is disabled.
- **What is this feature?**
  - **Incident Creation Based on Grouping**
    - How incidents are triggered:
      - When alerts meet the rule conditions and the required threshold, incidents will be created.
      - The system generates separate incidents for each host or service, depending on the chosen “**Group By**” option.
      - Example: If grouping is set to Host, each unique host that meets the criteria will trigger a separate incident.
  - **Handle incidents**
    - Manage separate incidents:
      - Each generated incident is handled individually.
      - Users must review and resolve each incident separately based on its specific details and alerts.
---
## Getting Started

- **Why is it useful?**
- **Incident Rules**:
- Incident rules define the conditions under which an incident is triggered.
- These rules evaluate incoming alerts based on predefined criteria.
- The system checks if an alert matches the specified conditions and whether it meets the required threshold before creating an incident.
- **Logic Inside Rules**:
- Check, Condition and String define which alerts are added to the incident.
- "**Threshold**" in the top right corner determines the number of alerts that will trigger the incident.
- The "**plus**" symbol in the top left corner will add a condition to the rule.

Additionally, the incident rules can be configured using these filters:

The "**Check**" value selects the criterion that determines whether alerts are included in this manual incident. If the chosen "**Check**" field of an alert contains the inserted value, the alert will be assigned to the incident.
Explanation of each option:
- **Host**: Alert's host
- **Service**: Alert's service
- **Group**: The group to which the alert relates
- **Template**: The template used to parse the alert.
- **Flapping**: Indicates that the alert was triggered and recovered repeatedly within a short period of time.
- **Alert Age**: The lifespan of the alert.
- **Value**: Alert's value
- **Custom Tag**: All custom fields that were added through the templates.
- **Logic Between Rules**:
- The rules operate using logical conditions (AND/OR) to determine if an alert qualifies for an incident.
- If multiple conditions exist, they must be met by the rule’s logic settings.

- **Group By**:
This option determines how the created incidents are grouped.
An incident can be grouped by **Host**, **Service** or **None** (not defined).
- Configure the "**Group By**" Option.
- Select a Field for Grouping:
- Choose a field to group incidents by using the “**Group By**” option.
- Available options: Service or Host.
- Selecting None disables grouping, meaning all matching alerts will be handled under a single incident.

- **Incident Recovery Settings**:
The handling of incidents can be configured with the following options: **Related Alert Recovery** or **Manual Close (no recovery)**.
- **Automatic (Recover Incident)**: The incident is automatically recovered when the related alert is resolved.
- **Manual (Close Incident Manually)**: The incident must be closed manually, regardless of the status of related alerts.
- **Incident Settings**:
General settings for the incident:
- **Host**: The host value used in the incident
- **Service**: The service value used in the incident
- **Guidelines**:
- **Warning Guideline**: Runbook assigned in case of **Warning** status
- **Critical Guideline**: Runbook assigned in case of **Critical** status
- **Planned downtime Guideline**: Runbook assigned in case of **Planned downtime**
- **Dashboards**: The dashboard to which the incident relates
- **Override Runbook**:
Turning this option **ON** disables the initial runbook of the alert and runs the designated runbook of the incident instead.
---
## Usage Instructions
**How to Use the Feature:**
1. First Option:
To create or update, follow these steps:
1. Navigate to the relevant section: Operations → Incidents → Configuration.

2. Click on the "+".

3. Fill in or modify the necessary details.
4. Save or submit the changes once you're done.
2. Second Option: **Manual Incident**
1. Begin by filtering your search to locate the desired host.

2. After clicking on  ensure that you provide the correct information

3. Create an incident:
We will receive all alerts related to the host app under the manual incident.

The incident will appear as follows:

---
## Usage Examples
1. Group by Service:
In this scenario, all hosts containing the desired string will be grouped by the Service, as seen in the screenshot.
Incident settings:

Alerts related to the incident:

Triggered Incidents:

We can see which service the Incident triggered in the details:

2. Group by **host**:

Alerts related to the incident:

2 hosts meet the Incident’s conditions and the “Group by host” option was chosen, so 2 Incidents will be created:

---
## Related Links
- **Internal Links:** [[02.04 Filtering]]