The Alerts page displays all alerts for your LogicMonitor account. Accessible from the primary left navigation bar, the Alerts page allows you to filter, sort, view details for, and respond to alerts.
In addition to the global Alerts page, you’ll find filtered Alerts pages (i.e. Alerts tabs) available from the detail pages of your various devices, cloud resources, instances, websites, services, and groups. Regardless of where you access alerts (the Alerts page or Alerts tab), the functionality of these interfaces is largely identical.
Note: Alerts are timestamped according to the user’s configured time zone, assuming one has been set for the user and that it is the current active time zone. However, alert notifications are timestamped according to the time zone configured for the portal because these are not processed on a per-user basis. For more information on how user-specific time zones impact the LogicMonitor interface, see Users.
The Alerts page displays a summary of alerts, called the alert table. You can filter the alerts displayed in the alert table to optimize relevancy. A large number of filters are available, along with the ability to save sets of commonly-used filter criteria for convenient future access.
Filters are available from the filter content area, which displays immediately above the alert table. Several common filters such as the alert severity, acknowledged status, and time range always display in the filter content area for easy access.
More advanced filters such as the LogicModule or alert rule filter can be brought forward by selecting them from the Add filter dropdown menu.
| Filter | Description |
| --- | --- |
| Severity level | Filters alerts according to their current severity levels and provides a current active alert count for each severity level. If a severity level filter icon is grayed out, alerts with the corresponding severity level are excluded from the results. |
| Cleared | By default, the alert table does not include alerts that have been cleared. Use the cleared filter to toggle the display between the two mutually exclusive cleared states: those alerts that have not been cleared and those alerts that have been cleared. |
| Acknowledged | Filters the alert table by acknowledged status and provides a current count of all acknowledged active alerts. This filter supports three states: |
| SDT | Filters the alert table by SDT status and provides a current count of all active alerts in SDT. This filter supports three states: |
| Anomaly | Filters the alert table by anomaly status. This filter supports three states: |
| Time Range | Filters alerts according to the time the alert was reported. The pre-defined “Any time” filter includes every alert that resides in your database. In addition to offering several predefined filters, the time range filter also offers the ability to define a custom time range. |
| Group* | Only includes alerts triggered by the resources/websites that are immediate members of the one or more groups specified for this filter. |
| Group (including subgroups)* | Only includes alerts triggered by the resources/websites that are members of the one or more groups (and their subgroups) specified for this filter. |
| Resource/Website* | Only includes alerts triggered by the resource(s)/website(s) specified for this filter. |
| LogicModule* | Only includes alerts triggered by instances belonging to the LogicModule(s) specified for this filter. |
| Instance* | Only includes alerts triggered by the instance(s) specified for this filter. |
| Datapoint* | Only includes alerts triggered by the datapoint(s) specified for this filter. |
| Alert rule* | Only includes alerts for which the specified alert rule(s) were applied. |
| Escalation Chain* | Only includes alerts for which the specified escalation chain(s) were used to deliver notifications. |
| Dependency Routing State | Use the Routing State filter to restrict the alert table according to alert routing criteria relevant to LogicMonitor’s root cause analysis feature. For more information on this filter, see Enabling Root Cause Analysis. |
| Dependency Role | Use the Dependency Role filter to restrict the alert table according to dependency criteria relevant to LogicMonitor’s root cause analysis feature. For more information on this filter, see Enabling Root Cause Analysis. |
| Suppression Type | Use the Suppression Type filter to restrict the alert table to alerts whose notifications have been suppressed. The following suppression types can be used as filter criteria: |

*Glob expressions are supported for these fields and the entry of an asterisk into the filter’s search field activates their usage. Glob expressions must be followed by an asterisk and multiple parameters or expressions using special characters must be surrounded by parentheses. For example, to include all resources whose names begin with “172”, you would enter
Note: Multiple criteria within the same filter are joined using an OR operator; criteria across multiple filters are joined using an AND operator.
The Filter Alerts field allows you to filter the alert table by keyword. Single keywords are automatically wildcarded on both ends. For example, a search term of “time” could return “time”, “uptime”, and “timeout.”
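The combination rules described above (OR within one filter, AND across filters, a single keyword wildcarded on both ends), modelled as an added example that is not LogicMonitor code. The alert field names, the sample alerts, case-insensitive matching, applying the keyword across every field and alongside the other filters, and the use of Python's `fnmatch` in place of LogicMonitor's own glob syntax are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample alerts; field names are hypothetical, not LogicMonitor's schema.
ALERTS = [
    {"id": "A1", "severity": "critical", "resource": "172.16.0.10", "datapoint": "uptime"},
    {"id": "A2", "severity": "warning",  "resource": "172.16.0.11", "datapoint": "timeout"},
    {"id": "A3", "severity": "error",    "resource": "db-prod-01",  "datapoint": "time"},
    {"id": "A4", "severity": "critical", "resource": "web-01",      "datapoint": "cpu_busy"},
]


def criterion_matches(value, criterion):
    """One criterion: glob match if it contains '*', otherwise exact match.
    Case-insensitive comparison is an assumption of this sketch."""
    value, criterion = value.lower(), criterion.lower()
    if "*" in criterion:
        return fnmatchcase(value, criterion)
    return value == criterion


def keyword_matches(alert, keyword):
    """A single keyword is wildcarded on both ends, i.e. a substring match.
    Searching every field of the alert is an assumption of this sketch."""
    needle = keyword.lower()
    return any(needle in str(v).lower() for v in alert.values())


def filter_alerts(alerts, filters=None, keyword=None):
    """filters maps a field name to a list of criteria.
    Criteria inside one filter are ORed; separate filters are ANDed.
    The keyword is treated as one more ANDed condition (assumption)."""
    selected = []
    for alert in alerts:
        ok = all(
            any(criterion_matches(alert[field], c) for c in criteria)
            for field, criteria in (filters or {}).items()
        )
        if ok and keyword:
            ok = keyword_matches(alert, keyword)
        if ok:
            selected.append(alert["id"])
    return selected
```

Adding a second criterion to one filter can only widen the result set, while adding a second filter can only narrow it, which is worth keeping in mind when a saved view returns fewer alerts than expected.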
Saving and Clearing Filter Views
Saving a Filter View
As you establish filters on the Alerts page, you have the ability to save the current filter view for future access by clicking the star icon. Saved filter views are associated with individual user accounts and are not available globally.
Upon saving, LogicMonitor captures:
- The current time range (as established by the time range filter)
- Any search criteria present in the keyword filter
- All other filter criteria present (for example, severity level, SDT status, acknowledgement status, defined datapoint(s), instance(s), and so on)
If a saved filter view is active, but criteria have been edited during the current session so that the alert table results no longer match the parameters of the active filter view, the star icon reverts to an unfilled icon to indicate that you are no longer within the bounds of the selected filter view. When this happens, you can click the star icon to update the current active filter view with the new parameters, or you can click the dropdown menu next to the active filter view name to either save the current parameters as a new filter view or revert to the saved settings of the current active filter view.
Clearing a Filter View
To return the alert table back to its default filter settings (all alerts reported within the last 24 hours that have not been cleared), click the Clear icon.
Visually Grouping Alerts with the Header Graph
To speed up troubleshooting and time to resolution, the alerts in the alert table can also be viewed as a time-series graph. At its most basic, this graph mirrors the alerts currently displayed in the alert table and charts the aggregated alert count over a configured period of time.
However, the graph is most impactful when it is used to group alerts by a relevant dimension. For example, the graph’s aggregated alert counts can be grouped by alert severity, associated alert triggers (resource, LogicModule, instance, datapoint), matching alert rules, or the escalation chains used to deliver alert notifications.
The ability to quickly visualize alert commonalities is very helpful when investigating an alert storm or identifying recurring issues requiring remediation or adjustments to alert thresholds.
Note: The maximum limit for grouping is 10,000 alerts.
Displaying and Using the Header Graph
To show (and hide) the header graph, click the More Options icon located in the upper right corner of the Alerts page and select Header Graph. The graph will retain your prior groupings (dimensions) while reflecting the alerts currently listed in the alert table.
To select a dimension, click the three-way arrow icon to choose from the list of possible dimensions. Only one dimension can be grouped per graph, but you’ll notice that as you select additional dimensions, you are able to easily toggle among them using the dropdown on the right.
The graph is highly interactive, allowing you to:
- Zoom in on a time range by clicking and dragging across the desired timeframe
- Click on a grouping in the legend or in the graph itself to quickly include/exclude that group of alerts
As you interactively change the graph’s filters, the alert table automatically updates to remain in sync—and vice versa.
In the Header Graph, you can also select to manage and display your alert groups in a Tree Map graph. The Tree Map graph allows you to select two dimensions when grouping alerts. For example, you can select LogicModule and Resources to get a grouping of all LogicModules that are “in alert” for the given time range, as well as a count of the number of resources with each LogicModule alert. Using the header graph to drill down into a LogicModule will further group the alerts by Resources with that LogicModule alert.
Viewing Analysis Tabs for Alerts
You can see more context for alerts by adding Analysis Tabs to your Alerts page. To show (and hide) this feature, click More Options in the upper right corner of the Alerts page and then select Analysis Tabs. The Logs tab displays below the chart, allowing you to view the logs for the resources included in your active Alerts filter and quickly access the Logs page for further investigation.
The alert table can be sorted according to alert severity level (Severity column) or the time the alert was reported (Reported At column). Simply click on one of these column headers to initiate sorting (click once for descending order and twice for ascending order).
LogicMonitor also offers the ability to initiate secondary sorting using severity level as the primary sort and the time the alert was reported as the secondary sort. To initiate secondary sorting, first sort by severity level and then hold down the shift key while additionally setting sorting for reporting time.
Opening Detail Panels for Individual Alerts
When you click on an individual alert, an alert detail pane opens from the bottom of the Alerts page. The detail panel provides additional alert context, as well as the ability to act upon the alert in a number of ways.
There are up to five primary categories of information, organized by page tabs, that display for each individual alert, as well as a standard toolbar that allows you to perform a variety of actions for the alert. Each is described next.
The Overview tab consolidates many of the same details displayed in the alert table row, as well as displays the alert message and any manually-entered notes for the alert.
Note: The manual entry of general alert notes is only permitted for up to 48 hours after the alert has cleared.
When viewing alerts triggered by datapoints, the Overview tab additionally displays an alert overview graph that plots 60 minutes of data collected for the datapoint. This graph includes the range in which datapoint values are expected to fall (the expected range is shaded in blue and available to LogicMonitor Enterprise users only) and the ability to plot offsets that compare the current timeframe to values collected exactly 24 hours, one week, or 30 days ago. For more information on how the expected range is calculated or on using offsets, see Anomaly Detection Visualization.
The Graphs tab displays all relevant graphs associated with the alert. If the alert is not associated with a DataSource or website (for example, if the alert is triggered by an EventSource or ConfigSource alert), no Graphs tab displays.
By default, the time range for all graphs is set to “At time of alert,” which features one hour of data—starting 30 minutes before and ending 30 minutes after the alert occurred. This time range can be modified using a variety of predefined time ranges including the current global time range.
There are several ways in which you can manipulate the output and display of graphs from the Graphs tab of an alert, including viewing Ops Notes; expanding legends; generating forecasting or anomaly detection versions of the graph; or adding the graph to a dashboard. These options are standard across most areas of the interface in which graphs display and are talked about in detail in Graphs Tab.
If there are log anomalies associated with the alert, you can investigate further by selecting “View Logs” from the log anomalies graph. This will redirect you to the Logs page filtered to display log events from the relevant resource during the time period of the alert. See Reviewing Logs and log anomalies.
The History tab displays the frequency and severity of alerts over the past 24 hours, seven days, or 30 days—or over the previous calendar month. This is an ideal at-a-glance view of an instance’s performance over time and will help you determine whether an alert was a one-off fluke, if thresholds need to be re-evaluated, or if you need to provision more resources to your equipment.
When viewing the details of an alert triggered by a resource/instance with an external resource ID (ERI) assigned to it, a Maps tab displays. From this tab, you can click the Maps button and subsequently the Resource or Instance button to generate a topology map for the resource/instance in alert. A new browser window opens that displays the resource/instance as the focus of a new topology map in the Mapping page, allowing you to visually troubleshoot infrastructure that may be contributing or related to the alert. For more information on topology mapping, see Topology Mapping Overview.
When viewing the details of an alert with dependent alerts (in other words, the alert has undergone root cause analysis and been determined to be an originating or direct cause alert), a Dependencies tab displays. For more information on this tab and LogicMonitor’s root cause analysis feature, see Enabling Root Cause Analysis.
Individual Alert Toolbar
From the toolbar that displays in the upper right corner of the alert detail pane, you can perform the following actions:
- Put into SDT. Click the SDT icon to schedule downtime for the device group, device, instance, or website associated with the alert. For more information on SDT functionality, see Scheduled Down Time (SDT) Tab.
- Acknowledge the alert. Click the acknowledge icon to indicate that the underlying issue of the alert is being actively fixed.
- Escalate the alert. Click the escalate icon to manually escalate the alert to the next level in its assigned escalation chain. The icon is grayed out if no escalation chain is assigned to the alert. For more information on escalation chains, see Escalation Chains.
For guidelines on acknowledging or escalating alerts, or putting alerts into SDT, see Guidelines for Responding to Alerts.
Performing Actions on Multiple Alerts at Once (Acknowledgment, SDT)
As discussed in the previous section, alerts can be acknowledged, escalated, annotated, or put into SDT individually from the alert detail pane. These actions can also be performed on multiple alerts at once by checking the checkbox to the left of one or more alerts.
Note: Notes cannot be added for alerts that cleared more than 48 hours ago.
Once the desired alerts are selected, click the Actions button to select one of the available actions from the dropdown menu.
Customizing Alert Table Settings
On a per-user basis, various aspects of the alert table can be customized, including:
- Alert table columns
- Alert table formatting
Customizing Alert Table Columns
Click the more options icon located in the upper right corner of the Alerts page to open the Column Settings dialog. From this dialog, you can make default columns visible/invisible, reorder columns, and add/delete custom columns.
Adding Custom Columns
Custom columns can be added to the alert table to display the values of properties or LogicMonitor tokens related to the resource in alert. Use the Search field at the bottom of the Column Settings dialog to add custom columns.
To add a property as a custom column, simply start typing the name of the property whose values you would like to see for each alert into the Search field and matching search results will be auto-generated as you type.
To add a token as a custom column, you must prepend and append the token name with “##” (for example, ##ALERTID##). Token names are not case sensitive (for example, ##AlertID## also works). Search results are not auto-generated when typing token names; instead, you’ll need to select the “Create ##<token>##” option that appears.
Customizing Alert Table Formatting
Several aspects of the alert table display can be customized to suit your viewing preferences. These settings are available by clicking Profile | Appearance from the left navigation menu while the Alerts page is open.
Date & Time Display
Use the Date & Time Display setting to indicate whether timestamps will be formatted using:
- The 12-hour clock or the 24-hour clock
- Full date display or compact date display. If full date display is chosen, a dropdown menu appears offering several display formatting options.
Alternating Row Color
Enable the Alternate Row Color setting to alternate the background color of rows.
Enable text wrapping for alert table columns using the Wrap Text setting. If this setting is disabled, truncated text can be seen by hovering over the column or by opening the alert to display its detail page.
Use the Font size setting to indicate the font size for the text that displays in the alert table.
Alert Severity Display
The alert severity icons that display in the Severity column can be updated to a light color theme and/or a condensed icon width theme using the Light Theme and Condensed Theme settings respectively.