
Events created through the API with Use Message-match

  • May 26, 2026
  • 4 replies
  • 29 views

jamesramsden

I am sending events to the SL API to create an Event with ‘Use Message-match’ enabled. 

Sometimes the source will send events to the API which would just have an issue ID changed, but relating to the same event.

For example:

First post: Issue: broken ID: 39393

Second post: Issue: broken ID: 53291

 

I want SL to group the events based on the issue; at the moment it would create a new event.

 

This is my regex

partner=(.*?),sndinterface=(.*?),resourcetype=(.*?),rcvid=(.*?),rcvinterface=(.*?),status=(.*?),glbID=(.*?)

 

In essence, I want SL to ignore the last field (glbID) when it tries to match the events.

 

Is this possible?

 

Thanks

 

 

4 replies

  • Community Manager
  • May 27, 2026

The Message Match event policy setting with API alerts determines if Skylar One will generate a new event or update an existing event record based on whether the resulting event message contains the same text; if set to enabled, a new event record will be created unless the event message matches exactly.

In your example, if the event policy is configured with %M (meaning the alert message is included in the resulting event message) you have two different alert messages resulting in two different event messages (“Issue: broken ID: 39393” vs. “Issue: broken ID: 53291”) thus resulting in two separate event records.

If you disabled Message Match for the event policy in this scenario, the single event would have the count incremented and the existing event record’s event message would be updated to reflect that latest event message generation.


jamesramsden
  • Author
  • Contributor II
  • May 28, 2026

Thanks

The reason I have enabled Message Match is because it will post various issues which I don’t want to be created as one event. I guess the easiest way to explain is I want Message Match enabled for some fields and not one.


jamesramsden
  • Author
  • Contributor II
  • June 1, 2026

I was wondering, could I use Identifier Pattern?

For example, I could use %1-%2-%3-%4 so it ignores the final field?


  • Community Manager
  • June 1, 2026

I was wondering, could I use Identifier Pattern?

For example, I could use %1-%2-%3-%4 so it ignores the final field?

In short, no, as that’s not how the Identifier Pattern and Identifier Format fields work.

Identifier Pattern is utilized to extract data from the source alert message for the purposes of setting the sub-entity and setting variable values that may be used within Identifier Format. Regardless of whether the Identifier Format value is referenced in the Event Message, it does set the sub-entity value for the resulting event record. For an event record to increment occurrence rather than create a new event record, regardless of the Message Match setting, the record has to match on the following criteria:

  • Entity (ex. device)
  • Alert source type (and alert ID if Internal or Dynamic Application sourced)
  • Sub-entity
    • Sub-entity Name
    • Sub-entity ID
    • Sub-entity Type

In the instance of using Identifier Pattern and Identifier Format you’re setting the sub-entity to be what you’re extracting from the source alert; if that varies then that’ll be seen as an alert for a different sub-entity even if both event records align to the same device.
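A small model of the matching rules described in the replies above, added here as an example; it is not Skylar One code and does not call the product. The `sub_entity` helper, the entity and source names, and the sample alert values are assumptions constructed for illustration.

```python
import re

# The poster's regex, unchanged. The last lazy group has nothing after it,
# so a regex engine lets it capture an empty string.
PATTERN = re.compile(
    r"partner=(.*?),sndinterface=(.*?),resourcetype=(.*?),rcvid=(.*?),"
    r"rcvinterface=(.*?),status=(.*?),glbID=(.*?)")

def sub_entity(message, groups):
    """Hypothetical stand-in for Identifier Pattern/Format: join capture groups."""
    m = PATTERN.search(message)
    return "-".join(m.group(g) for g in groups) if m else ""

def correlate(alerts, message_match, groups):
    """Apply the rules from the replies to (entity, source, message) alerts."""
    events = []
    for entity, source, message in alerts:
        # Entity, alert source and sub-entity must always match.
        key = (entity, source, sub_entity(message, groups))
        for ev in events:
            # With Message Match enabled the message text must also be identical.
            if ev["key"] == key and (not message_match or ev["message"] == message):
                ev["count"] += 1
                ev["message"] = message  # the record shows the latest message
                break
        else:
            events.append({"key": key, "message": message, "count": 1})
    return events

# Constructed sample alerts: the first two differ only in glbID,
# the third reports a different status.
BASE = "partner=acme,sndinterface=if1,resourcetype=queue,rcvid=r7,rcvinterface=if2,"
ALERTS = [
    ("device-1", "api", BASE + "status=broken,glbID=39393"),
    ("device-1", "api", BASE + "status=broken,glbID=53291"),
    ("device-1", "api", BASE + "status=degraded,glbID=60001"),
]

def summarize(message_match, groups):
    """Return (sub-entity, occurrence count) for each resulting event record."""
    return [(ev["key"][2], ev["count"])
            for ev in correlate(ALERTS, message_match, groups)]

if __name__ == "__main__":
    for mm, groups in [(True, (1, 2, 3, 4)), (False, (1, 2, 3, 4)),
                       (False, (1, 2, 3, 4, 5, 6))]:
        print(f"message_match={mm} groups={groups}: {summarize(mm, groups)}")
```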