Managing Alerts from the Alerts Page
Last updated on 04 October, 2022The Alerts page displays all alerts for your LogicMonitor account. Accessible from the primary left navigation bar, the Alerts page allows you to filter, sort, view details for, and respond to alerts.
In addition to the global Alerts page, you’ll find filtered alerts pages on the Alerts tabs. These are available from the detail pages of your various devices, cloud resources, instances, websites, services, and groups. Regardless of where you access alerts (page or tab), the functionality is largely identical.
Note: Alerts are timestamped according to the user’s configured time zone, assuming one has been set for the user and that it is the current active time zone. However, it is important to be aware that alert notifications are timestamped according to the time zone configured for the portal because these are not processed on a per-user basis. For more information on how user-specific time zones impacts the LogicMonitor interface, see Users.
Filtering Alerts
The Alerts page displays a summary of alerts, called the alert table. You can filter the alerts displayed in the alert table to optimize relevancy. A large number of filters are available, along with the ability to save sets of commonly-used filter criteria for convenient future access.
Filter Criteria
Filters are available from the filter content area, which displays immediately above the alert table. Several common filters such as the alert severity, acknowledged status, and time range always display in the filter content area for easy access.
You can add more advanced filters such as the LogicModule or alert rule filter by selecting them from the Add filter dropdown menu.
Available filter types are described in the following.
| Filter | Icon | Behavior |
| Severity level |    | Filters alerts according to their current severity levels and provides a current active alert count for each severity level. If a severity level filter icon is grayed out, alerts with the corresponding severity level are excluded from the results. Click the icon again to remove the filter. |
| Cleared |  | By default, the alert table does not include alerts that have been cleared. Use the cleared filter to toggle the display between the two mutually exclusive cleared states: those alerts that have not been cleared and those alerts that have been cleared. |
| ACK (Acknowledged) |  | Filters the alert table by acknowledged status. The filter has these states:
|
| SDT (Scheduled Down Time) |  | Filters the alert table by SDT status. The filter has these states:
|
| Anomaly |  | Filters the alert table by anomaly status. The filter has these states:
|
| Time Range | Filters alerts according to the time the alert was reported. The pre-defined “Any time” filter includes every alert that resides in your database. You can use pre-defined time range filters, or define a custom one. | |
| Resource Group* | Only includes alerts triggered by the resources/websites that are immediate members of the one or more groups specified for this filter. | |
| Resource Group (with subgroups)* | Only includes alerts triggered by the resources/websites that are members of the one or more groups (and their subgroups) specified for this filter. | |
| Resource* | Only includes alerts triggered by the resource(s)/website(s) specified for this filter. | |
| LogicModule* | Only includes alerts triggered by instances belonging to the LogicModule(s) specified for this filter. | |
| Instance* | Only includes alerts triggered by the instance(s) specified for this filter. | |
| Datapoint* | Only includes alerts triggered by the datapoint(s) specified for this filter. | |
| Alert Rule* | Only includes alerts for which the specified alert rule(s) were applied. | |
| Escalation Chain* | Only includes alerts for which the specified escalation chain(s) were used to deliver notifications. | |
| Notification State | Use the Notification State filter to restrict the alert table according to alert routing criteria relevant to LogicMonitor’s root cause analysis feature. Also applies for anomaly detection/dynamic thresholds. For more information on this filter, see Enabling Root Cause Analysis. | |
| Dependency Role | Use the Dependency Role filter to restrict the alert table according to dependency criteria relevant to LogicMonitor’s root cause analysis feature. For more information on this filter, see Enabling Root Cause Analysis. | |
| Suppression Type | Use the Suppression Type filter to restrict the alert table to alerts whose notifications have been suppressed. The following suppression types can be used as filter criteria:
| |
*Glob expressions are supported for these fields and the entry of an asterisk into the filter’s search field activates their usage. Glob expressions must be followed by an asterisk and multiple parameters or expressions using special characters must be surrounded by parentheses. For example, to include all resources whose names begin with “172”, you would enter 172*. To include all resources whose names begin with “172” or “192”, you would enter ((172*|192*))*. To exclude all resources whose names begin with “172” or “192”, you would enter (!(172*|192*))*. See Using Glob Expressions Throughout the LogicMonitor Portal for more information.
| ||
Note: Multiple criteria within the same filter is joined using an OR operator; criteria across multiple filters is joined using an AND operator.
Keyword Filter
The Filter Alerts field lets you filter the alert table by keyword. Single keywords are automatically wildcarded on both ends. For example, a search term of “time” could return “time”, “uptime”, and “timeout.”
Saving and Clearing Filter Views
Saving a Filter View
When creating filters on the Alerts page you can save the current filter view for future access by clicking the star icon. Saved filter views are associated with your individual user account and are not available globally.
Upon saving, LogicMonitor captures:
- The current time range (as established by the time range filter).
- Any search criteria present in the keyword filter.
- All other filter criteria present (for example, severity level, SDT status, acknowledgement status, defined datapoint(s), instance(s), and so on).
If a saved filter view is active, but criteria has been edited during the current session causing the alert table results to not match the active filter, the star icon reverts back to an unfilled icon. This indicates that you are no longer within the bounds of the selected filter view. Click the star icon to update or save the current active filter view with the new parameters. Or, click the dropdown menu next to the active filter view name to either save the current parameters as a new filter view, or revert back to the saved settings of the current active filter view.
Clearing a Filter View
Click Clear to reset the alert table to its default filter settings. The default filter shows all alerts reported within the last 24 hours that have not been cleared.
Sorting Alerts
The alert table can be sorted by alert severity level (Severity column), or the time the alert was reported (Reported At column). Click on the column headers to sort, and click once for descending order and twice for ascending order.
You can do secondary sorting using severity level as primary sort, and the time the alert was reported as secondary sort. To do this, first sort by severity level. Then hold down the shift key while additionally setting sorting for reporting time.
Visually Grouping Alerts with the Header Graph
To speed up troubleshooting and time to resolution, the alerts in the alert table can also be viewed as a time-series graph. At its most basic, this graph mirrors the alerts currently displayed in the alert table and charts the aggregated alert count over a configured period of time.
However, the graph is most impactful when it is used to group aggregated alert counts by a relevant dimension. For example, alerts can be grouped by severity, associated triggers (resource, LogicModule, instance, datapoint), matching rules, tenants, or the escalation chains used to deliver notifications.
The ability to quickly visualize alert commonalities is helpful when investigating an alert storm or identifying recurring issues requiring remediation or adjustments to alert thresholds.
Note: The maximum limit for grouping is 10,000 alerts.
Displaying and Using the Header Graph
To show (and hide) the header graph, click More Options (three dots) in the upper right corner of the Alerts page and select Header Graph. The graph will retain your prior groupings (dimensions) while reflecting the alerts currently listed in the alert table.
To select a dimension, click the three-way arrow icon in the upper left to display available dimensions. Only one dimension can be grouped per graph, but you can toggle among them using the dropdown on the right.
The graph is interactive and lets you:
- Zoom in on a time range by clicking and dragging across the desired timeframe.
- Click on a grouping in the legend or in the graph itself to quickly include/exclude that group of alerts.
When you change the graph’s filters the alert table automatically updates to stay in sync.
In the Header Graph, you can also manage and display your alert groups in a Tree Map graph. This allows you to select two dimensions when grouping alerts. For example, you can select LogicModule and Resources to get a grouping of all LogicModules that are “in alert” for the given time range, as well as a count of the number of resources with each LogicModule alert. Using the header graph to drill down into a LogicModule will further group the alerts by Resources with that LogicModule alert.
Grouping Alerts by Tenant
Selecting the Tenant dimension grouping option lets you filter alerts based on tenants. This helps you identify resources associated with tenants when investigating alerts. The tenant property can for example represent service provider customers (tenants), or teams within an enterprise organization.
The tenant property can be mapped to resources either manually, or through the API. The tenant value for alerts from unmapped resources will be shown as “undefined” when the Tenant dimension is selected.
If you are already using a custom property for tenant information, you can override the default property name (tenant.identifier) to use a custom name. This is then used to retrieve the tenant information when alerts are triggered.
Do the following to change the tenant identifier property:
- Go to Settings > Account Information > Portal Settings.
- In the Tenant Identifier Property Name field, change the default value to the name of your tenant property.
Viewing Analysis Tabs for Alerts
The Analysis Tabs on the Alerts page helps you streamline troubleshooting. These tabs provide more content like associated logs, graphs, and topology for selected alerts. The analysis tabs are useful for example when troubleshooting an alert storm.
Click More Options (three dots) in the upper right corner of the Alerts page and select Analysis Tabs.
Logs Tab
This lets you to view the logs for the resources included in your active alerts filter, and quickly access the Logs page for further investigation.
Maps Tab
Using topology visualization, the information here helps you quickly identify where an issue is in your environment. The topology map displays connections between the resources that are part of the filtered alerts. You can double-click on a node to open the associated resource. This view works in a similar way as the mappings for resources, see Mapping Page.
Graphs Tab
This shows a list of datapoint graphs available for the filtered alerts to visualize and help you understand what signals are related to the issue. A datapoint is a piece of data that is collected during monitoring. Datapoints are configured as part of a DataSource definition, and are used to trigger alerts when collected data is outside a specified threshold or range. See Datapoint Overview.
Using Detail Panels for Individual Alerts
When you click on an alert in the alert table list, a detail pane opens at the bottom. This pane provides additional alert context and lets you investigate and act upon the alert in different ways.
When exploring alert details you can maximize the pane view as follows:
- Click the hyperlink in the upper left of the pane.
- Click the expand icon in the upper right to of the pane.
- Click the Copy Link URL icon to get a link that you can open in a web browser.
- Drag the top border of the detail pane upward.
The following describes the alert action toolbar and context information available from the details panel for individual alerts. Note that you may not see all the information described here for all alerts.
Overview Tab
This consolidates some of the details displayed in the alert table row, and displays the alert message and any manually entered notes.
Note: The manual entry of general alert notes is only permitted for up to 48 hours after the alert has cleared.
When viewing alerts triggered by datapoints, the Overview tab additionally displays an alert overview graph that plots 60 minutes of data collected for the datapoint. This graph includes the expected range in which datapoint values are expected to fall. The expected range is shaded in blue and available to LogicMonitor Enterprise users only. It also includes the ability to plot offsets that compare the current timeframe to values collected exactly 24 hours, one week, or one month ago. See Anomaly Detection Visualization.
Graphs Tab
This displays all relevant graphs associated with the alert. If the alert is not associated with a DataSource or website, (for example, if the alert is triggered by an EventSource or ConfigSource alert), the Graph tab is not shown.
By default, the time range for all graphs is set to “At time of alert”. This features one hour of data, starting 30 minutes before and ending 30 minutes after the alert occurred. From the drop-down menu you can modify the time range using predefined time ranges, including the current global time range.
You can change the output and display of graphs for an alert from the Graphs tab. You can for example include viewing Ops Notes; expanding legends; generating forecasting or anomaly detection versions of the graph; or adding the graph to a dashboard. These options are standard across most areas of the interface in which graphs display. See Graphs Tab.
If there are log anomalies associated with the alert, you can investigate these by clicking More options (three dots) from the log anomalies graph, and select View Logs . This will open the Logs page filtered to display log events from the relevant resource during the time period of the alert. See Reviewing Logs and log anomalies.
History Tab
This displays the frequency and severity of alerts over the past 24 hours, seven days, 30 days, or over the previous calendar month. Use this to get a view of an instance’s performance over time to help you determine whether an alert was relevant, if thresholds need to be re-evaluated, or if you need to provision more resources to your equipment.
Maps Tab
When viewing the details of an alert triggered by a resource/instance with an external resource ID (ERI) assigned to it, the Maps tab displays. From this you can click Maps, and the Resource or Instance button to generate a topology map for the assigned resource/instance. A new browser window opens displaying the resource/instance as the focus of a new topology map in the Mapping page. This lets you visually troubleshoot infrastructure that may be related to the alert. See Topology Mapping Overview.
Dependencies Tab
When viewing the details of an alert with dependent alerts, a Dependencies tab displays. This is available for alerts that have undergone root cause analysis, and being determined to be an originating or direct cause alert. See Enabling Root Cause Analysis.
Acting on Alerts
You can manually perform actions on single alerts, or on multiple alerts at once. Alerts can be acknowledged, escalated, annotated, or put into SDT.
Note: Notes cannot be added for alerts that cleared more than 48 hours ago.
Acting on Single Alerts
From the toolbar in the upper right corner of the alert detail pane you can do the following:
- Put into SDT: Click the SDT icon to schedule downtime for the device group, device, instance, or website associated with the alert. See Scheduled Down Time (SDT) Tab.
- Acknowledge the alert: Click the ACK icon to indicate that the underlying issue of the alert is being actively fixed.
- Escalate the alert: Click the Escalate icon to manually escalate the alert to the next level in its assigned escalation chain. The icon is grayed out If no escalation chain is assigned to the alert. See Escalation Chains.
- Annotate alerts: Add a note for the alert in the Notes area and click the Save icon.
For guidelines on acknowledging or escalating alerts, or putting alerts into SDT, see Guidelines for Responding to Alerts.
Acting on Multiple Alerts
You can perform actions on multiple alerts from the table view in the Alerts page.
- Select the checkboxes to the left of the desired alerts. You can also use the checkbox dropdown to select or deselect all alerts, or invert the current selection.
- Click the Actions button to select one of the available actions from the dropdown menu.
Customizing the Alert Table
You can customize the alert table column display and formatting according to your personal preferences. These settings are saved with your profile.
Customizing Column Display
On the Alerts page, click the More Options (three dots) icon in the upper right corner, and select Table Settings. From here you can make default columns visible or invisible, reorder columns, and add or delete custom columns.
Adding Custom Columns
Custom columns can be added to the alert table to display the values of properties or LogicMonitor tokens related to the resource in alert. Use the Search field at the bottom of the Column Settings dialog to add custom columns.
To add a property as a custom column, simply start typing the name of the property whose values you would like to see for each alert into the Search field and matching search results will be auto-generated as you type.
To add a token as a custom column, you must prepend and append the token name with “##” (for example, ##ALERTID##). Token names are not case sensitive (for example, ##AlertID## also works). Search results are not auto-generated when typing token names; instead, you’ll need to select the “Create ##<token>##” option that appears.
Customizing Formatting
You can customize the formatting of the alert table display, to suit your viewing preferences. In the LogicMonitor left navigation bar, select More Options > Profiles > Appearence.
Available formatting options are described in the following.
Date & Time
This setting indicates whether timestamps will be formatted using:
- The 12-hour clock or the 24-hour clock
- Full date display or compact date display. If full date display is chosen, a dropdown menu appears offering more options.
Alternate Row Color
Enable thissetting to alternate the background color of rows.
Wrap text
Enable this setting to apply text wrapping for alert table columns. If this setting is disabled, truncated text can be seen by hovering over the column or by opening the alert to display its detail page.
Font Size
Select the desired font size for the text in the alert table.
Alerting
You can set the color theme for the alert severity icons in the Severity column can be updated to a light color theme and/or a condensed icon width theme. You also have the option to play a sound when new alerts occur.