I would like to know how the option by alarm works. What are the criteria used?
The "group these alarms by ..." options can be used to create several buckets out of the active alarm trees matched by the correlation rule alarm filter. The rule conditions then apply to each of these buckets separately.
In the "group these alarms by alarm" case, there will be a bucket created per individual alarm update (not per tree), causing the buckets to only contain one event each.
It's more or less the same as checking the "Trigger on single events" checkbox without applying grouping.
My previous claim was incorrect: No multiple active buckets/groups will be created for the same alarm tree while the tree updates.
If an update in an alarm tree is assigned to different buckets compared to the previous alarm in the tree, the alarm tree is removed from the buckets that it is no longer in. This makes sense for grouping by e.g. “property”, where you want to move the tree to another group if the property value changes over time.
For the “group by alarm” case, this means that whenever an update of the tree occurs, the tree moves to a new bucket, clearing the actions that were open on the old bucket. For example, if the rule is “group by alarm and create correlated alarm as action”, a correlated alarm will appear for the initial alarm in a tree, and each update will clear the previous correlated alarm and generate a new one.
All in all, there’s little to no use for the “group by alarm” use case.
Hey Wouter. Do you have an example of this as I can’t seem to get it to work that way.