Choose the Best Matching Option: First Match or Closest Match

What is the difference?

First Matching Cluster:


Closest Matching Cluster:


In Cookbook, you can specify the cluster match type. Typical Cookbook contains multiple Recipes, and alerts are evaluated against the recipes in the prioritization you defined. If you select closest_match, the alerts are evaluated against all recipes in the Cookbook, and processed by the best matching recipe.

If you choose first_match, an alert is added to a candidate cluster as soon as it as it meets the criteria of one recipe. At that point the evaluation of that alert stops even though there may be other recipe that matches the alert better.

When To Use Which Type?

If a Recipe has all of the attribute similarities set to 100% match, then when an alert matches a candidate cluster, there is no need to keep checking it against other clusters. In this case, you can set Cluster By as First Matching Cluster. Otherwise, choose Closest Matching Cluster to evaluate an alert against all the candidate clusters to determine the best match.