The Incident Rule Details view enables you to create and edit incident rules for creating incidents from alerts. This topic describes the information required when creating or editing a new rule.
What do you want to do?
To access the Incident Rule Details view, do one of the following:
To create a rule, go to CONFIGURE > Incident Rules and click Create Rule.
To edit a rule, go to CONFIGURE > Incident Rules and click the link in the Name column for the rule that you want to update.
The Incident Rule Details view is displayed. The following figure shows the Incident Rule Details view in Rule Builder query mode.
The following table describes the options available when creating or editing incident rules.
Group By Meta Key Mappings
When alerts are grouped on an alert field, all matching alerts containing the same meta key value for that field are grouped together in the same incident. For example, if you select the Group By field value Destination Host, it uses the mapped meta key alert.groupby_host_dst. All alerts with the same meta key value for alert.groupby_host_dst are grouped together in the same incident.
The following table shows the mapped meta keys for the Group By field selections.