The Incident Rule Details view enables you to create and edit the incident rules that generate incidents from alerts. This topic describes the information required when creating or editing a rule.
What do you want to do?
Incident Rule Details View
To access the Incident Rule Details view, do one of the following:
To create a rule, go to CONFIGURE > Incident Rules and click Create Rule.
To edit a rule, go to CONFIGURE > Incident Rules and click the link in the Name column for the rule that you want to update.
The Incident Rule Details view is displayed. The following figure shows the Incident Rule Details view in Rule Builder query mode.
The following table describes the options available when creating or editing incident rules.
Group By Meta Key Mappings
The following table shows the mapped meta keys for the available Group By field selections. For example, if you select the Group By field value Destination Host, the rule uses the mapped meta key alert.groupby_host_dst. All alerts with the same value for alert.groupby_host_dst are grouped together in the same incident.