
About triggered alerts' queries

You can open the search window with the query associated with a triggered alert. This lets you investigate the events that led to the alert, scoped to the timeframe in which it fired. The search opens in incognito mode, so any changes you make to the query are not saved.

What permissions do I need?

To access the Alerts overview area and see the alert queries, you need at least the Triggered alerts (view) permission (see a detailed description of the alerts permissions here).

Additionally, you need alerts assigned to your role with View access (see Assign resources to a role); only those alerts appear in the list.

Open query from the alert list

You can open the query to explore it in the search window by clicking the ellipsis menu at the end of the row and selecting Go to query.

[Image: Go to query option in the ellipsis menu of a triggered alert]

Open query from the alert details window

You can also explore the query in the search window through the alert details window, which opens by clicking an alert’s ID on the list (more info about the details window here). Inside this window, click on the Open in query editor button above the query.

[Image: Open in query editor button in the alert details window]

Query data explained

Depending on the triggering method used to define the alert and its specific settings, the events and the time range shown in the search window differ. The goal is to give you the context needed to identify the anomalous situation the alert exposed. These are the possibilities when you access an alert query:

Each-type alerts

  • Time range (ungrouped data): it starts slightly before the eventdate registered in the triggered alert’s extraData (adapted to your timezone) and ends slightly after it. This margin on both sides accounts for any triggering delay.

  • Time range (grouped data): it starts at the beginning of the grouping period, which corresponds to the eventdate registered in the triggered alert’s extraData (adapted to your timezone), and ends when the grouping period specified in the query elapses.

  • Events shown: the event that triggered the alert.

Multiple alerts

If multiple alerts are triggered in quick succession or simultaneously, the time range is widened to include all their eventdates when you access any of their queries.

Several-type alerts

  • Time range: it starts with the eventdate registered in the triggered alert's extraData (adapted to your timezone) and concludes after the period specified in the alert definition settings.

  • Events shown: all the events that triggered the alert due to exceeding the threshold established in the alert definition settings.

Low-type alerts

  • Time range: it starts with the eventdate registered in the alert's extraData (adapted to your timezone) and concludes after the period specified in the alert definition settings.

  • Events shown: all the events (or no event at all) that triggered the alert due to not reaching the threshold established in the alert definition settings.

Inactivity-type alerts

  • Time range: it starts 10 minutes before the beginning of the inactivity period and concludes 1 minute after the end. These extra minutes enable the visualization of previous events for reference and exclude false positives by considering the triggering delay. The beginning of the inactivity period corresponds to the eventdate registered in the triggered alert’s extraData (adapted to your timezone), while its end corresponds to the expiration of the period specified in the alert definition settings.

  • Events shown: all events occurring during the current period regardless of the key, providing reference for the series of values around the absent value that triggered the alert.

Rolling-type alerts

  • Time range: it starts with the eventdate registered in the alert's extraData (adapted to your timezone) and concludes after the backperiod specified in the alert settings.

  • Events shown: the event group that triggered the alert.

Multiple alerts

If multiple alerts are triggered during the same period, all the event groups in the same period will be displayed together upon accessing any of their queries.

Deviation-type alerts

  • Time range: it starts with the eventdate registered in the alert's extraData (adapted to your timezone) and concludes after the period specified in the query grouping.

  • Events shown: all event groups occurring during the current period, providing reference for the aggregation values that determined the median and triggered the alert due to a greater deviation than the threshold specified in the alert definition settings.

Multiple alerts

As all event groups within a period are already shown for a single alert, accessing any of the queries in a series of alerts triggered during the same period will not alter the result.

Gradient-type alerts

  • Time range: it starts with the eventdate registered in the alert's extraData (adapted to your timezone) and concludes after the period specified in the query grouping.

  • Events shown: the event group that triggered the alert due to a greater variation in its aggregation value than the threshold specified in the alert definition settings, as compared to the previous period.

Multiple alerts

If multiple alerts are triggered during the same period, all the event groups in the same period will be displayed together upon accessing any of their queries.
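The rules above can be checked against a concrete alert before you open its query, for example when you want to know in advance how wide the search window will be, or to reproduce the same window from an alert exported through the API. The following Python script is an added example written for this page; it is not Devo code. It assumes a simplified alert record (keys triggering, extraData.eventdate as epoch milliseconds in UTC, and period/backperiod as timedelta values), a fixed UTC offset in place of a full timezone with DST, a 30-second margin for the "slightly before/after" of ungrouped each-type alerts (the page does not give the exact value), and models the widening for multiple alerts as the union of their individual windows.

```python
"""Added example (not Devo code): reconstruct the search window that
"Go to query" opens for a triggered alert, from extraData.eventdate and the
alert definition settings. The alert dict layout, the 30-second slack for
ungrouped each-type alerts and the fixed UTC offset are assumptions."""
from datetime import datetime, timedelta, timezone

# Margins the page states for inactivity-type alerts.
INACTIVITY_BEFORE = timedelta(minutes=10)
INACTIVITY_AFTER = timedelta(minutes=1)


def event_date(alert: dict, utc_offset_hours: int) -> datetime:
    """extraData.eventdate is assumed to be epoch milliseconds in UTC; the
    viewer's timezone is modelled as a fixed offset (no DST handling)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    millis = alert["extraData"]["eventdate"]
    return datetime.fromtimestamp(millis / 1000, tz=timezone.utc).astimezone(tz)


def query_window(alert: dict, utc_offset_hours: int,
                 slack: timedelta = timedelta(seconds=30)) -> tuple[datetime, datetime]:
    """Return (start, end) of the search window for one triggered alert,
    following the per-triggering-method rules described on this page."""
    start = event_date(alert, utc_offset_hours)
    kind = alert["triggering"]
    period = alert.get("period")          # grouping / definition period, if any
    if kind == "each":
        if period is None:                # ungrouped: small margin on both sides
            return start - slack, start + slack
        return start, start + period      # grouped: one full grouping period
    if kind in ("several", "low", "deviation", "gradient"):
        return start, start + period
    if kind == "rolling":
        return start, start + alert["backperiod"]
    if kind == "inactivity":
        # 10 min of context before the silent period, 1 min after it expires
        return start - INACTIVITY_BEFORE, start + period + INACTIVITY_AFTER
    raise ValueError(f"unknown triggering method: {kind!r}")


def merged_window(alerts: list[dict], utc_offset_hours: int) -> tuple[datetime, datetime]:
    """Several alerts fired in quick succession: the page says the window is
    widened to cover all of them; modelled here as the union of their windows."""
    windows = [query_window(a, utc_offset_hours) for a in alerts]
    return min(s for s, _ in windows), max(e for _, e in windows)


# Constructed sample: three alerts of different kinds sharing one eventdate,
# 1700000000000 ms = 2023-11-14T22:13:20Z, viewed from UTC+2.
SAMPLE_ALERTS = [
    {"triggering": "each", "extraData": {"eventdate": 1_700_000_000_000}},
    {"triggering": "inactivity", "period": timedelta(minutes=5),
     "extraData": {"eventdate": 1_700_000_000_000}},
    {"triggering": "rolling", "backperiod": timedelta(minutes=15),
     "extraData": {"eventdate": 1_700_000_000_000}},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        s, e = query_window(alert, 2)
        print(f"{alert['triggering']:<11} {s.isoformat()}  ->  {e.isoformat()}")
    s, e = merged_window(SAMPLE_ALERTS, 2)
    print(f"{'merged':<11} {s.isoformat()}  ->  {e.isoformat()}")
```

Run it as a script to print one window per sample alert and the merged window. If the window you compute is much narrower than what the search shows, the alert was most likely triggered together with others in the same period, which is the widening behaviour described for each alert type above.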
