I have three filters for my handler: is_incident, not_silenced, occurrences_3
However, I also want to receive alerts for resolution events, so I added an OR condition to is_incident: is_incident || is_resolution
After adding that, I’m getting alerts for all events including ‘ok’ events, which makes me believe events are not getting filtered by the is_incident filter anymore. How should I add the OR condition?
The is_incident filter will allow is_resolution events to pass through. That is documented here. I think your occurrences_3 filter may be causing your issue.
Might I suggest the fatigue check filter? It should allow what you are wanting to work, with the side benefit of being tunable per-check and entity based on annotations.
Thanks for your reply. My occurrences filter is indeed the ‘problem’. Should I be using occurrences_watermark to achieve the following?
Here’s what I would do to achieve those specific objectives.
One filter for the email, this covers bullet points 1 & 3:
---
type: EventFilter
api_version: core/v2
metadata:
name: filter_for_email
namespace: default
spec:
action: allow
expressions:
- event.check.occurrences == 2 || event.is_resolution
Combined with the following defined for the email handler:
filters:
- is_incident
- not_silenced
- filter_for_email
And for the pushover handler covering bullet point 2:
---
type: EventFilter
api_version: core/v2
metadata:
name: filter_for_pushover
namespace: default
spec:
action: allow
expressions:
- event.check.occurrences == 3
With the following defined for the pushover handler:
filters:
- is_incident
- not_silenced
- filter_for_pushover