Kibana alerting v2 notification grouping
Notification policy grouping batches related alerts into a single notification, reducing the number of messages sent without losing context.
When a notification policy has group_by fields configured, the dispatcher groups matched episodes by those field values before dispatching. Instead of sending one notification per alert, it sends one notification per group containing all the alerts in that group.
For example, if a policy groups by host.name and one rule has three alerts open for host-a, you receive one notification containing all three alerts instead of three separate notifications. Alerts for host-a raised by other rules go into their own groups, because grouping is scoped per rule (see the notes below).
Grouping is configured on notification policies:

```yaml
group_by: [host.name]
```

For multi-field grouping, list every field that must match for alerts to share a notification:

```yaml
group_by: [host.name, severity]
```
- Per-rule scope: episodes from different rules are never grouped together, even if they share the same grouping field values.
- Empty group_by: if no grouping fields are set, each episode produces its own notification.
- Missing fields: if a grouping field is missing from an episode, it falls into a null bucket (all episodes of that rule that lack the field share one group).
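As an added example (not Kibana's own code), the following TypeScript models the three grouping rules above and the single- and multi-field configurations: per-rule scope, an empty group_by, and the null bucket for a missing field. The types and names (Episode, NotificationGroup, groupEpisodes, NULL_BUCKET, SAMPLE_EPISODES, notificationCount) are assumptions for illustration and are not Kibana APIs; the episodes are constructed sample input.

```typescript
// Added illustration, not Kibana code. Names below are assumptions.

type Episode = {
  ruleId: string;                                 // rule that produced the episode
  fields: Record<string, string | undefined>;     // flattened alert fields, e.g. "host.name"
};

type NotificationGroup = {
  ruleId: string;
  key: Array<string | null>;   // one entry per group_by field; null = missing field
  episodes: Episode[];         // everything batched into this one notification
};

// Placeholder for a missing grouping field: the "null bucket".
const NULL_BUCKET = null;

// Group episodes the way a policy with `group_by` would:
//  - scope is per rule: episodes from different rules never share a group
//  - empty group_by: each episode becomes its own group (one notification each)
//  - a missing group_by field lands the episode in the null bucket for that field
export function groupEpisodes(episodes: Episode[], groupBy: string[]): NotificationGroup[] {
  const groups = new Map<string, NotificationGroup>();
  episodes.forEach((ep, index) => {
    const key: Array<string | null> = groupBy.map((f) => ep.fields[f] ?? NULL_BUCKET);
    // With no group_by fields every episode is its own group, so the episode's
    // position is part of the map key; otherwise rule id + field values is the key.
    const mapKey =
      groupBy.length === 0
        ? `${ep.ruleId}\u0000#${index}`
        : `${ep.ruleId}\u0000${JSON.stringify(key)}`;
    let group = groups.get(mapKey);
    if (!group) {
      group = { ruleId: ep.ruleId, key, episodes: [] };
      groups.set(mapKey, group);
    }
    group.episodes.push(ep);
  });
  return Array.from(groups.values());
}

// Constructed sample input: two rules, three hosts' worth of alerts, and one
// episode that carries no host.name at all.
export const SAMPLE_EPISODES: Episode[] = [
  { ruleId: "cpu-high",  fields: { "host.name": "host-a", severity: "high" } },
  { ruleId: "cpu-high",  fields: { "host.name": "host-b", severity: "high" } },
  { ruleId: "cpu-high",  fields: { "host.name": "host-a", severity: "low" } },
  { ruleId: "disk-full", fields: { "host.name": "host-a", severity: "high" } },
  { ruleId: "disk-full", fields: { severity: "high" } },   // missing host.name
];

// Number of notifications a policy with the given group_by would send for the sample.
export function notificationCount(groupBy: string[]): number {
  return groupEpisodes(SAMPLE_EPISODES, groupBy).length;
}
```

For the sample input, `notificationCount(["host.name"])` is 4: the two cpu-high alerts for host-a are batched, the disk-full alert for host-a stays separate because of per-rule scope, and the episode without host.name lands in disk-full's null bucket. Adding severity (`["host.name", "severity"]`) splits the host-a cpu-high pair by priority and gives 5, and an empty group_by also gives 5, one per episode.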
There are two types of grouping in Kibana alerting v2:

| Type | Where configured | What it does |
|---|---|---|
| Rule grouping | On the rule (grouping.fields) | Splits alert events into separate series per entity |
| Notification policy grouping | On the policy (group_by) | Batches alerts into fewer notifications |
Rule grouping determines how many alert series exist. Policy grouping determines how many notifications are sent. They work at different stages and can use different fields.
- Infrastructure monitoring: group by host.name to get one notification per host with all its alerts.
- Service monitoring: group by service.name to batch all alerts for a service.
- Severity-based routing: group by severity to batch alerts of the same priority level.