The matching condition will determine when this rule should be applied. You can choose any field that exists within the payload of an alert and match on a specific value for that field using a direct match or wildcard matching.
When viewing an incident in the timeline, field names are on the left and values are on the right:
In the above example, the field of interest is the entity_id field and the value that matters is the phrase “This is a test”. The matching condition is therefore the following (wildcard matching is used in this example, hence the “*” asterisks).
Rules can match on an alert field value using a simplified wildcard syntax to match some or all of the string. The asterisk “*” character matches 0 or more characters and the “?” character matches exactly one character. They can be used anywhere in the match pattern, as many times as needed.
| Phrase | Matches | Does Not Match |
|---|---|---|
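
The wildcard semantics described above can be checked offline before a rule is saved. The sketch below is an added example, not the product's own code; it assumes matching is case-sensitive and that the pattern must cover the whole field value, and the function names and sample payloads are constructed for illustration.

```python
import re

def wildcard_to_regex(pattern):
    """Translate '*' (0+ chars) and '?' (exactly 1 char) into a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            # Everything else is literal, so '.', '[' etc. must not act as regex syntax.
            parts.append(re.escape(ch))
    # DOTALL lets the wildcards span newlines in a value (assumption).
    return re.compile("".join(parts), re.DOTALL)

def rule_matches(alert, field, pattern):
    """True if the alert has `field` and its whole value matches `pattern`."""
    if field not in alert:
        return False  # a rule cannot match a field the payload lacks
    return wildcard_to_regex(pattern).fullmatch(str(alert[field])) is not None

def matching_alerts(alerts, field, pattern):
    """Indexes of the alerts the rule would apply to."""
    return [i for i, a in enumerate(alerts) if rule_matches(a, field, pattern)]

# Constructed sample payloads (not from the original page).
ALERTS = [
    {"entity_id": "host1: This is a test", "message_type": "CRITICAL"},
    {"entity_id": "This is a test", "message_type": "CRITICAL"},
    {"entity_id": "this is a TEST", "message_type": "WARNING"},
    {"entity_id": "db.prod[1]", "message_type": "CRITICAL"},
    {"entity_id": "dbxprod1", "message_type": "CRITICAL"},
    {"message_type": "INFO"},  # no entity_id field at all
]

if __name__ == "__main__":
    for pat in ("*This is a test*", "This is a test", "db.prod[?]", "db?prod*"):
        print(f"{pat!r:22} -> {matching_alerts(ALERTS, 'entity_id', pat)}")
```

Running a candidate pattern against a handful of recent payloads this way shows whether a broad pattern such as `db?prod*` would also catch alerts the rule was never meant to transform or route.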