
Create and configure an action policy

Rules define what counts as a problem. Action policies define what happens when a problem is detected. They determine which episodes generate notifications, how they're grouped and throttled, and where they're routed.

Because policies are separate from rules and global within a space, you can update notification behavior across many rules at once without touching detection logic, and you can route the same alerts differently depending on severity or source. You create and manage policies from the Action policies page, not from the rule form.

For matcher fields, grouping modes, throttle strategies, frequency options, and dispatch outcomes, refer to Action policy reference.

An optional KQL expression that filters which episodes this policy applies to. An empty matcher matches every episode in the space.

Use matchers to route different episodes to different policies, for example, one policy for data.severity: "critical" episodes routed to PagerDuty and another for warnings routed to Slack. For available fields and examples, refer to Matcher fields.

Dispatch per controls how episodes batch into notifications. Frequency controls how often the policy can notify for each batch.

| Dispatch per | What it does | Available Frequency options |
| --- | --- | --- |
| Episode | One notification per episode. | On status change; On status change + repeat at interval; Every evaluation |
| Group | Bundle episodes that share a field value. Specify Group by (for example data.service.name or data.host.name). | At most once every…; Every evaluation |
| Digest | One notification for all matching episodes combined. | Every evaluation |

For detailed descriptions, frequency options, and examples for each mode, refer to Dispatch per options.

Throttling limits how often the policy can fire for a given group. The interval is measured from the last time the policy fired, so successive notifications for that group are at least one interval apart. Set a duration such as 1h or 30m. For available throttle strategies, refer to Throttle strategies.
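The following added example (a model of the behavior described above, not the product's own code) simulates a per-group throttle so you can see which evaluations would notify when the interval is measured from the last fire. The function names, the flat episode dictionaries, and the sample timestamps are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

def parse_duration(text):
    """Turn a duration such as '30m' or '1h' into a timedelta."""
    m = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})

def simulate_throttle(evaluations, group_by, interval):
    """Return (time, group, outcome) for every evaluated episode.

    evaluations: list of (timestamp, episode dict), sorted by time.
    The window is measured from the last time the policy FIRED for the
    group, so throttled evaluations do not push the next notification out.
    """
    window = parse_duration(interval)
    last_fired = {}  # group value -> time of last notification
    outcomes = []
    for ts, episode in evaluations:
        group = episode.get(group_by)  # episodes missing the field share None
        previous = last_fired.get(group)
        if previous is None or ts - previous >= window:
            last_fired[group] = ts
            outcomes.append((ts, group, "notify"))
        else:
            outcomes.append((ts, group, "throttled"))
    return outcomes

# Constructed sample: web-01 is evaluated every 10 minutes, db-01 once.
START = datetime(2024, 1, 1, 9, 0)
SAMPLE = [(START + timedelta(minutes=10 * i), {"data.host.name": "web-01"}) for i in range(8)]
SAMPLE.append((START + timedelta(minutes=20), {"data.host.name": "db-01"}))
SAMPLE.sort(key=lambda e: e[0])

if __name__ == "__main__":
    for ts, group, outcome in simulate_throttle(SAMPLE, "data.host.name", "30m"):
        print(ts.strftime("%H:%M"), group, outcome)
```

With a 30m interval, web-01 notifies at 09:00, 09:30 and 10:00 even though it is evaluated every 10 minutes, and db-01 notifies independently because throttling is tracked per group.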

One or more workflows to invoke when the policy matches. Use the search field to find and attach workflows.

An optional time window during which the policy doesn't dispatch. Useful for planned maintenance or quiet periods without disabling the policy entirely.