You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Sep 2, 2025. It is now read-only.
Copy file name to clipboardExpand all lines: sp-oncall/alerts/rules-engine/rules-engine-matching-conditions.rst
+16-7Lines changed: 16 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,20 +13,13 @@ Matching conditions for the Rule Engine
13
13
14
14
Matching conditions determine when a rule is applied. You can choose any field that exists within the payload of an alert and match on a specific value for that field using a direct match, wildcard matching, or by using a regular expression.
15
15
16
-
By default, the Rules Engine only uses wildcard matching. If you want to turn on regular expressions, contact Splunk On-Call support.
17
-
18
16
Requirements
19
17
==================
20
18
21
19
This integration is compatible with the following versions of Splunk On-Call:
22
20
23
21
- Enterprise
24
22
25
-
All users have the ability to reach out to Splunk On-Call support at any time with questions.
26
-
27
-
Live Chat: If you are logged into your Splunk On-Call instance, you will have the ability to Live Chat with the Splunk On-Call Support team.
In addition to Wildcard and Regular expression matching, you can explicitly define routing key matching via the :guilabel:`Associated routing key` selector. This provides AND logic to the matching parameters specified in your Wildcard or RegEx matching section.
116
+
117
+
.. note:: Routing Key matching via the :guilabel:`Associated routing key` selector is unable to match on other routing keys via the top-bar Wildcard or RegEx matching criteria or manipulate routing keys via the :guilabel:`Transform these alert fields` section. It only provides an AND matching condition, specifically for a routing key, for use alongside your other matching and transformation parameters.
118
+
119
119
Boolean logic
120
120
===================================
121
121
@@ -139,3 +139,12 @@ The matching condition for the second rule, which you must position below the fi
139
139
.. image:: /_images/spoc/matching4.png
140
140
:width:100%
141
141
:alt:VictorOps Alert Rules Engine, when new_matching_field matches *stage-db-26* set message_type to INFO
142
+
143
+
Rule processing order
144
+
===================================
145
+
Alert Rules consider three criteria for the order in which they'll be processed.
146
+
1. Top-to-bottom order of the alert rules
147
+
2. The optional :guilabel:`Stop after this rule has been applied` setting on each rule
148
+
3. Rules with Routing Key matching via the :guilabel:`Associated routing key` selector
149
+
150
+
For each alert that is ingested, all rules without an :guilabel:`Associated routing key` match will first process in top-to-bottom order. If a rule matches with the :guilabel:`Stop after this rule has been applied` setting, it will stop the application of alert rules for that alert. Lastly, rules with a specific routing key match via the :guilabel:`Associated routing key` selector will apply. Having these types of rules apply last allows them to match on the final routing key of an alert in case this value is changed by a different alert rule.
0 commit comments