I'm using a webhook connector (created in Stack Management) in Kibana Observability to create a case whenever an alert is triggered. However, each time a new alert is generated by the rule, a new case is also created. I would like to group all alerts generated by this rule into a single case instead of creating multiple cases for each alert. The goal is to have all related alerts under one case for better tracking and management, but currently, the case is not consolidating them as expected.
Hi @Danyal_Danish,
Can you share which URL you are sending to in your webhook to create the case?
1 Like
This is the URL and method I have given in the Webhook connector settings:
https://{{kibana-host-url}}:{{kibana-host-port}}/api/cases
Method: POST
This is the request body I'm giving in the Actions settings for the connector:
{
"description": "demo-case",
"title": "demo",
"tags": ["demo-case"],
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"settings": {
"syncAlerts": true
},
"owner": "observability"
}
Thanks for sharing. The POST request will create a new case, meaning that since you're calling POST /api/cases for each alert it will create a new case for each alert. Looking at the API documentation it doesn't look like it groups alerts as far as I can see.
Which version of Kibana are you using? I wonder if using the Case connector as an alternative will give you the option to group by alerts? It's not something I've played with, and it is in tech preview, but it might be worth a try.
Hope that helps!