Cloudera Docs » 1.5.0 » User Guide
User Guide
Also available as:
PDF

Grouping Alerts

You can group alerts so you can apply filters, status, etc. to multiple alerts at a time.

The Alerts UI currently provides five group types you can use:

  • source.type

  • ip_dst_addr

  • host

  • enrichments:geo_dst_addr:country

  • ip_src_addr

To apply a group to your alerts, complete the following steps:

  1. Click one of the groups listed by Group By.

    The Alerts table view changes to a tree view listing the values of the groups.

    In the following example, the group is source.type and the values are Snort and Bro.

    [Note]Note

    The icon to the left of the value provides the cumulative severity score for all the alerts in the value. If the score exceeds 999, then the value displays as 999+.

  2. Click one of the values to list the alerts for that value.

  3. You can click an alert to add it to the Searches field.

    [Note]Note

    Searches will search through all the groups, not just the group containing the alert.

  4. All features that are available for the Alerts table are available for the tree view.

    For example, if you apply an action, such as Escalate, to an alert, it will apply to all alerts within the group. Similarly, if you search for a parameter, it will search all alerts within the group.

  5. You can continue to refine your alerts by applying additional groups.

    You can change the order in which the groups are applied to the alerts by clicking and dragging the groups on the Groups By line.

  6. To ungroup your alerts and return to the Alerts window, click Ungroup which is located on the far right of the list of groups.

© 2012–2020, Cloudera, Inc.
Document licensed under the Creative Commons Attribution ShareAlike 4.0 License.
Cloudera.com | Documentation | Support | Community