Hi,

I'm trying to reduce the incidents in our environment as a part of which trying to group the events if they have similar fields and error messages. As a part of which I have below

itsi_entity=xxx (hostname)

itsi_correlation_key=alertname."~".fingerprint (finger print is a unique for each alert)

Now in my environment, have multiple hosts which may generate same alert

My search is working well when it comes to single host where it is giving correlation key like below

itsi_entity- xxx

itsi-correlation-key-spacealert ~6089797
itsi_message : Nodes affected: xxx description:space alert

If an itsi_entity is having multiple hosts which are impacted then it looks below

itsi-entity- abc,xvz,def

itsi-correction-key - null (does not display anything)

itsi-message: Nodes affected abc,xvz,def description:high Cpu alert

I need some help here to display the correlation key if the entity has multiple values.