A system includes a non-transitory memory and a hardware processors configured to perform operations including receiving a plurality of events from one or more network monitoring systems, wherein each event includes a message output by a network monitoring system communicating a status of a network resource connected to a network, clustering similar events into one or more event clusters, extracting an event template for each event cluster, extracting a regular expression (regex) for each event cluster, grouping the events into one or more groups of events having the same or similar extracted regexes, and outputting the one or more groups of events.