Aggregator Node

Group the results from the preceding runbook node by a specific metric, or apply an operation on the metrics forwarded from that node.

The supported aggregation operations are:

  • min

  • max

  • average

  • count (distinct values of a string)

  • sum

These aggregation operations are context-sensitive (e.g., count is the only operation available for the Client IP metric).

An Aggregator node can follow a Data Query node or a Decision Branch node; the preceding node must output summarized data, not time series data. Metrics are collected from the last preceding Data Query node.

For each Aggregator node, specify whether the corresponding data will be presented with all metrics together (the default), or grouped by a single specified metric. You can select which metrics to include, and the aggregation operation to be performed on each.
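A small Python model of the grouping and per-metric operations described above, added here as an illustration and not the product's own code. The row fields (`location`, `client_ip`, `throughput`), the function names, and the rule that string-valued metrics allow only `count` are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean

# Operations named on the page; "count" counts distinct values.
OPS = {
    "min": min,
    "max": max,
    "average": mean,
    "sum": sum,
    "count": lambda values: len(set(values)),
}

def allowed_ops(values):
    """Assumption: string-valued metrics (e.g. Client IP) support only count."""
    if all(isinstance(v, str) for v in values):
        return {"count"}
    return set(OPS)

def aggregate(rows, metric_ops, group_by=None):
    """Aggregate summarized rows, all together or grouped by one field.

    rows: list of dicts from the preceding query (constructed sample shape).
    metric_ops: {metric_name: operation_name}, one operation per metric.
    group_by: None for a single overall result, or the field to group on.
    """
    groups = defaultdict(list)
    for row in rows:
        groups[row[group_by] if group_by else "all"].append(row)

    result = {}
    for key, members in groups.items():
        result[key] = {}
        for metric, op in metric_ops.items():
            values = [r[metric] for r in members]
            if op not in allowed_ops(values):
                raise ValueError(f"{op!r} is not available for {metric!r}")
            result[key][metric] = OPS[op](values)
    return result

# Constructed sample: summarized (not time series) rows.
ROWS = [
    {"location": "NYC", "client_ip": "10.0.0.5", "throughput": 120.0},
    {"location": "NYC", "client_ip": "10.0.0.9", "throughput": 80.0},
    {"location": "NYC", "client_ip": "10.0.0.5", "throughput": 40.0},
    {"location": "LON", "client_ip": "10.1.0.2", "throughput": 200.0},
]
CHOICES = {"client_ip": "count", "throughput": "average"}
```

Calling `aggregate(ROWS, CHOICES)` gives one overall result, while `aggregate(ROWS, CHOICES, group_by="location")` gives one result per location, which makes a single location with an unusually high distinct-client count easy to spot.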

Properties

Node Label: Type an informative name for the Aggregator node. You can keep the system-provided default of "Aggregator" if you wish.

Debug: Select Debug if you want to receive debug data when the node executes.

Grouping

Specify whether data from the preceding node is presented with all metrics together (the default), or grouped by a single specified metric.

Metrics

Select which metrics to include, and the aggregation operation to be performed on each.

Runbook Compatibility

Incident, On-Demand, External (Webhook), Subflow