View alert fields

The following table describes the alert fields which display as columns in the top pane and in the Details area on the Alerts page. Note that alerts only include relevant fields. If alerts have no assigned value for a field (NULL), then the field does not display in the list of fields.

Notes

  • Unless otherwise noted, the term "events" refers to both ingested event notifications and metric anomalies.

  • APEX AIOps Incident Management stores all timestamps in UTC format. The dates and times displayed in the UI are based on your browser's local time.

| Column name | Details field name (if different) | Description |
| --- | --- | --- |
| alias | | The alias for the alert source, as defined in the alias field in the event or the source field in the anomaly. You can specify aliases through ingestion or enrichment. |
| assigned groups | | User groups assigned to this alert. |
| assignee | | User assigned to this alert. |
| none | changes | The last change made to the alert. Multiple changes are possible, if they are made at the same time (as in a workflow, or when a new event changes multiple field values simultaneously). |
| check | | An identifier for the type of alert. For example, check could indicate the type of test which caused the alert to be created (such as ping or response time). |
| class | | The high-level category of the performance issue reported by the alert. Examples include application, network, middleware, and cloud. This value is based on the service field in events. If a metric anomaly does not have a service tag specified, Incident Management auto-generates this field based on the metric source and name. |
| created at | | The timestamp when Incident Management ingested the first event, identified it as unique, and created the new alert. |
| dedupe key | | The unique identifier which describes this alert. Events with the same deduplication key belong to the same alert. |
| description | | The alert description, based on the description field in the ingested event. |
| event count | | The number of events in the alert. |
| none | external details | The number of sets of external details (objects in the array) in the alert. |
| external IDs | external details.external id | A list of identifiers for the alert on external systems. |
| external integration IDs | external details. integration id | A list of identifiers in Incident Management for the integrations which have sent outbound notifications for this alert. |
| external integration names | external details. integration name | A list of user-friendly names in Incident Management for the integrations which have sent outbound notifications for this alert. |
| external integration types | external details. integration type | A list of the types (webhook or category, such as PagerDuty or ServiceNow) of integrations which have sent outbound notifications for this alert. |
| external links | external details. external link | One or more HTML links to systems outside of Incident Management which usually link to the equivalent alert on the external system. |
| external names | | A list of user-friendly object names (such as ticket numbers) on external systems which are the equivalent of this alert. |
| first event time | | The timestamp of the first event or anomaly added to the alert. |
| id | | The alert ID. Incident Management auto-generates the ID when it creates the alert. |
| in maintenance | | Displays true if the alert is in an active maintenance window or false if it is not. |
| incidents | | The list of incidents where this alert is a member. |
| last event time | | The timestamp of the most recent event included in the alert. |
| last status change time | | The event time when the alert was last updated. |
| location.<specific_location> | | You can include generic geolocation information in the location field of an ingested event. This is a structured list of key-value pairs, such as { City: 'London', Street: '31 High Street'}. Tags for location display identically as columns and as fields. For example: location.suite. For more detailed information on using location and a full list of supported location tags, see Use location tags in event data. |
| maintenance | | The ID of the last maintenance window that potentially impacted this alert. |
| maintenance window occurrence IDs | maintenance window. occurrence id | The IDs of the specific maintenance window instances (such as one occurrence of a repeating scheduled window) affecting one or more alerts in the incident. |
| maintenance windows | | A list of all maintenance windows potentially impacting this alert. |
| manager | | The generator or intermediary of the events in this alert. |
| manager id | | The unique identifier for the alert in the source system. |
| namespace | | An internal field used to set a metric identifier for any events which were generated via Anomaly Detection. |
| none | originator | The system or service responsible for the last change to the alert. |
| policy | | The metric policy responsible for identifying the anomalies which led to the creation of this alert. |
| service | | The external application or service that generated the ingested event or metric. This is a required field for ingested events and is used to identify duplicate and similar events. |
| severity | | Current severity of the alert, determined by the most recent event in the alert, in string format. |
| severity high water | | The highest severity an alert has reached. |
| severity numeric | | Current severity of the alert, determined by the most recent event in the alert, in numerical format. |
| severity high water numeric | | A numerical representation of the highest severity an alert has reached. |
| source | | The node where the original events and/or anomalies occurred. This is typically an IP or fully qualified domain name. |
| status | | The alert status in string format. |
| status numeric | | The numeric alert status. |
| tag.tag_name | | The optional tags included in this alert. You can specify tags during ingestion, or use event enrichment to add tags after ingestion. |
| type | | The type of the alert. The type is context-specific based on class. For example, when the class is application, type could be availability, performance, memory, resources, or storage. |