Aggregation & Correlation • Room 3

Event Splitting & Filtering

Aggregation policies support splitting rules that determine how events are grouped. You can split by entity, by service, by custom field, or by time window. Splitting by entity gives each server its own Notable Event stream.

The filtering step determines which events enter the policy. You can filter by severity, service name, entity type, or custom field values. Combining smart filtering with appropriate splitting rules is the key to effective noise reduction.

Always test aggregation policies in "preview" mode before enabling them. A misconfigured split rule can hide real issues or create noise.

Knowledge Check

Prove your understanding to clear the room (Rewards XP)

Drag items to their correct zone (or tap item then tap zone on mobile)

Filter incoming events by severity or service

Split events into groups (by entity, service, etc.)

Aggregate groups into Notable Events

Execute actions (create ticket, send email)

Step 1

Step 2

Step 3

Step 4