Explore triggered alerts' query
About triggered alerts' queries
You can open the search window with the query associated with a triggered alert. This lets you investigate the events that led to the trigger, pinpointed within the exact timeframe in which the alert occurred. The search opens in incognito mode, which means any changes you make to the query will not be saved.
What permissions do I need?
To access the Alerts overview area and see the alert queries, you need at least the Triggered alerts (view) permission (see a detailed description of the alerts permissions here).
Additionally, you need to have alerts assigned with View access (see Assign resources to a role), which will be those you will see on the list.
Open query from the alert list
You can open the query to explore it in the search window by clicking the ellipsis menu at the end of the row and selecting Go to query.
Open query from the alert details window
You can also explore the query in the search window through the alert details window, which opens by clicking an alert’s ID on the list (more info about the details window here). Inside this window, click on the Open in query editor button above the query.
Query data explained
Depending on the triggering method used to define the alert and its specific settings, the events and timeframe shown in the table will differ. The reason for this is to provide you with specific context to help you identify the anomalous situation exposed by the alert. These are the different possibilities when accessing an alert query:
Each-type alerts
Time range (ungrouped data): it starts slightly before the eventdate registered in the triggered alert’s extraData (adapted to your timezone) and concludes slightly after it. This margin on both sides accounts for any triggering delay.
Time range (grouped data): it starts with the beginning of the grouping period, which corresponds to the eventdate registered in the triggered alert’s extraData (adapted to your timezone), and concludes after the period specified in the query grouping.
Events shown: the event that triggered the alert.
Multiple alerts
If multiple alerts are triggered in quick succession or simultaneously, the time range will be adjusted to include all their eventdates upon accessing any of their queries.
Several-type alerts
Time range: it starts with the eventdate registered in the triggered alert's extraData (adapted to your timezone) and concludes after the period specified in the alert definition settings.
Events shown: all the events that triggered the alert due to exceeding the threshold established in the alert definition settings. If the alert was configured to monitor fields for value counter, the table will be filtered to display only the events with the specific value exceeding the threshold.
Low-type alerts
Time range: it starts with the eventdate registered in the alert's extraData (adapted to your timezone) and concludes after the period specified in the alert definition settings.
Events shown: all the events (or no event at all) that triggered the alert due to not reaching the threshold established in the alert definition settings.
Inactivity-type alerts
Time range: it starts with the beginning of the inactivity period, which corresponds to the eventdate registered in the triggered alert’s extraData (adapted to your timezone), while its end corresponds to the expiration of the period specified in the alert definition settings.
Events shown: the table will be filtered to display only the events with the specific value that stopped showing up and remained absent for the specified period, providing reference for its presence just before disappearing.
Eventdate vs alertdate
Bear in mind that the eventdate shown in the table represents the date of the last recorded activity for the missing value, not the date of the triggered alert. The alert is triggered only after verifying that the inactivity period has actually exceeded the specified duration.
Rolling-type alerts
Time range: it starts with the eventdate registered in the alert's extraData (adapted to your timezone) and concludes after the backperiod specified in the alert settings.
Events shown: the event group that triggered the alert.
Multiple alerts
If multiple alerts are triggered during the same period, all the event groups in the same period will be displayed together upon accessing any of their queries.
Deviation-type alerts
Time range: it starts with the eventdate registered in the alert's extraData (adapted to your timezone) and concludes after the period specified in the query grouping.
Events shown: all event groups occurring during the current period, providing reference for the aggregation values that determined the median and triggered the alert due to a greater deviation than the threshold specified in the alert definition settings.
Gradient-type alerts
Time range: it starts with the eventdate registered in the alert's extraData (adapted to your timezone) and concludes after the period specified in the query grouping.
Events shown: the table will be filtered to show only the event group with the value combination that triggered the alert due to the variation in its aggregation value, which shifted more than the specified threshold from the previous to the current period.
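The time-range rules above can be reproduced programmatically, for example to open the same window through an API client. The following is an added example, not Devo code: it derives the search window from an alert's type, its extraData eventdate and the configured period, merges the windows of alerts fired in quick succession, and adapts the result to a user timezone. The one-minute margin for ungrouped each-type alerts is an assumption, since the page only says "slightly before/after".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

# Assumed value: the page only says "slightly before/after" for ungrouped each-type alerts.
UNGROUPED_MARGIN = timedelta(minutes=1)

# Types whose window runs from eventdate to eventdate + the configured period
# (alert-definition period, query grouping period or rolling backperiod).
PERIOD_TYPES = {"several", "low", "inactivity", "rolling", "deviation", "gradient"}


@dataclass(frozen=True)
class TriggeredAlert:
    alert_type: str                    # each | several | low | inactivity | rolling | deviation | gradient
    eventdate: datetime                # eventdate from the alert's extraData, timezone-aware
    period: timedelta = timedelta(0)   # period from the alert definition / query grouping / backperiod
    grouped: bool = False              # each-type only: True when the query groups data


def search_window(alert: TriggeredAlert) -> Tuple[datetime, datetime]:
    """Return (start, end) of the time range opened for one triggered alert."""
    if alert.alert_type == "each":
        if alert.grouped:
            # Grouped each-type: from the start of the grouping period to its end.
            return alert.eventdate, alert.eventdate + alert.period
        # Ungrouped each-type: a margin on both sides absorbs triggering delay.
        return alert.eventdate - UNGROUPED_MARGIN, alert.eventdate + UNGROUPED_MARGIN
    if alert.alert_type in PERIOD_TYPES:
        return alert.eventdate, alert.eventdate + alert.period
    raise ValueError(f"unknown alert type: {alert.alert_type!r}")


def merged_window(alerts: Iterable[TriggeredAlert]) -> Tuple[datetime, datetime]:
    """Several alerts fired close together: one range that covers all their eventdates."""
    windows = [search_window(a) for a in alerts]
    if not windows:
        raise ValueError("at least one alert is required")
    return min(s for s, _ in windows), max(e for _, e in windows)


def windows_iso(specs: List[Tuple[str, str, int, bool]], tz_offset_hours: int = 0) -> Tuple[str, str]:
    """String front end: specs are (type, eventdate ISO-8601, period minutes, grouped);
    the merged (start, end) is returned adapted to a fixed-offset user timezone."""
    local = timezone(timedelta(hours=tz_offset_hours))
    alerts = [TriggeredAlert(t, datetime.fromisoformat(ev), timedelta(minutes=p), g)
              for t, ev, p, g in specs]
    start, end = merged_window(alerts)
    return start.astimezone(local).isoformat(), end.astimezone(local).isoformat()
```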