Skip to main content

Hi folks, for the sake of learning, I want to understand how the alert overflow mechanism works. In the documentation, it states that the alerts must have same environment, product and rule and should be ingested in a short time period.

I have created a connector that generates 2-5 alerts every second. This does fulfill the criteria of 50 alerts within 10 minutes. However, I do not see any overflow case being created.

As seen in the code above, I have used the is_overflowed method to test if the alert is an overflow or not. However, I do not see any overflow alert ingested.

Finally, the connector execution logs show "No data found for property key: overflow_settings". Does this log justify the behaviour ? Also, how should I set this overflow settings key ?

Thanks.

Hi preet_mehta,


Your code looks correct based on the screenshot you provided.  The log you mentioned should not justify the behavior you are seeing.  I see the same log in my quick test and I am seeing the correct overflow behavior.  Here is a screenshot of my code for reference (which looks very similar to yours)




Here are a few things to check:



  • Verify that the environment, product, and rule generator are the same for all of the alerts that are ingested

  • Add a logger statement after the 'if is_overflowed' condition to ensure it is hitting the condition 

  • Ensure the alerts are not test alerts


Please let me know if you have any other questions. 


Thanks!


 

OOTB (i.e. unless you changed Alert Grouping in settings), Alert grouping requires 2 things:
- The new Alert is within 2 hours of the existing Alert (which you should be ok with)
- And there is a matched Entity across both Alerts

Open each Case, and check the entities, did they find something in common?



 

Hi preet_mehta,


Your code looks correct based on the screenshot you provided.  The log you mentioned should not justify the behavior you are seeing.  I see the same log in my quick test and I am seeing the correct overflow behavior.  Here is a screenshot of my code for reference (which looks very similar to yours)




Here are a few things to check:



  • Verify that the environment, product, and rule generator are the same for all of the alerts that are ingested

  • Add a logger statement after the 'if is_overflowed' condition to ensure it is hitting the condition 

  • Ensure the alerts are not test alerts


Please let me know if you have any other questions. 


Thanks!


 


Hi,
I just tried again with keeping your points in mind. I can see the Overflow case generated as per expectations !
However, I also noticed that the alerts added in the Overflow case do have a separate Case as well, but with only that alert in it. Ex: If the Overflow case has 5 alerts, I see 5 separate cases for these alerts.

I guess, this is what confused me, but now, I see the Overflow Case which solves my purpose.

Thanks !

OOTB (i.e. unless you changed Alert Grouping in settings), Alert grouping requires 2 things:
- The new Alert is within 2 hours of the existing Alert (which you should be ok with)
- And there is a matched Entity across both Alerts

Open each Case, and check the entities, did they find something in common?



 


Hi, 
Thanks for the suggestions.
Yes, I did have entities in common, and the alerts were ingested in every 5 second interval.
After careful observation, and retrying the flow, I can now see the Overflow case generated.

Thanks.

Hi preet_mehta,


Your code looks correct based on the screenshot you provided.  The log you mentioned should not justify the behavior you are seeing.  I see the same log in my quick test and I am seeing the correct overflow behavior.  Here is a screenshot of my code for reference (which looks very similar to yours)




Here are a few things to check:



  • Verify that the environment, product, and rule generator are the same for all of the alerts that are ingested

  • Add a logger statement after the 'if is_overflowed' condition to ensure it is hitting the condition 

  • Ensure the alerts are not test alerts


Please let me know if you have any other questions. 


Thanks!


 


Hi Kyle, i have few question 

from the screen shot , why its shows time not mapped in overflow cases

Hi Kyle, i have few question 

from the screen shot , why its shows time not mapped in overflow cases


Hi vanitharaj1208,


Great question.  When the overflow condition is met, the alert will skip Ontology mapping where the time is mapped.  You will also notice that entities and other event information will not populate.  This is to protect system resources and allow other alerts that are not in overflow be processed by the system.  

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.