Managing Alerts from the Alerts Page

Introduction to the Alerts Page

The Alerts page displays all alerts for your LogicMonitor account. Accessible from the primary left navigation bar, the Alerts page allows you to filter, sort, view details for, and respond to alerts.

In addition to the global Alerts page, you’ll find filtered Alerts pages (i.e. Alerts tabs) available from the detail pages of your various devices, cloud resources, instances, websites, services, and groups. Regardless of where you access alerts (the Alerts page or Alerts tab), the functionality of these interfaces is largely identical.

Note: When viewing alerts from within the LogicMonitor UI, alerts are timestamped according to the user’s configured time zone, assuming one has been set for the user and that it is the current active time zone. However, it is important to be aware that alert notifications are timestamped according to the time zone configured for the portal because these are not processed on a per-user basis. For more information on how the configuration of user-specific time zones impacts the LogicMonitor interface, see Users.

Filtering Alerts

The Alerts page displays a summary of alerts, called the alert table. You can filter the alerts displayed in the alert table to optimize relevancy. A large number of filters are available, along with the ability to save sets of commonly-used filter criteria for convenient future access.

Filter Criteria

Filters are available from the filter content area, which displays immediately above the alert table. Several common filters such as the alert severity, acknowledged status, and time range always display in the filter content area for easy access.

More advanced filters such as the LogicModule or alert rule filter can be brought forward by selecting them from the Add filter dropdown menu, shown next.

Each filter’s behavior is outlined next.

Filter	Icon	Behavior
Severity level		Filters alerts according to their current severity levels and provides a current active alert count for each severity level. If a severity level filter icon is grayed out, alerts with the corresponding severity level are excluded from the results.
Cleared		By default, the alert table does not include alerts that have been cleared. Use the cleared filter to toggle the display between the two mutually exclusive cleared states: those alerts that have not been cleared and those alerts that have been cleared.
Acknowledged		Filters the alert table by acknowledged status and provides a current count of all acknowledged active alerts. This filter supports three states: Includes only those alerts that have been acknowledged (only the “ACK: On” option is checked and the filter icon displays a lower horizontal line). Includes only those alerts that haven’t been acknowledged (only the “ACK: Off” option is checked and the filter icon is grayed out). Includes all alerts regardless of acknowledged status (both options are checked/unchecked and the filter icon displays a lower and upper line). Note: A count is only present for this filter if the “Acknowledged” option is selected to be included in the alert count from the portal settings available on the Account Information page. When an acknowledged count is not present, it is subtracted from the severity level count(s). For example, if you currently have three critical alerts and one of them is acknowledged, the critical alert count will be 2.
SDT		Filters the alert table by SDT status and provides a current count of all active alerts in SDT. This filter supports three states: Includes only those alerts that are in SDT (only the “SDT: On” option is checked and the filter icon displays a lower horizontal line). Includes only those alerts that are not in SDT (only the “SDT: Off” option is checked and the filter icon is grayed out). Includes all alerts regardless of SDT status (both options are checked/unchecked and the filter icon displays a lower and upper line). Note: A count is only present for this filter if the “In SDT” option is selected to be included in the alert count from the portal settings available on the Account Information page. When an SDT count is present, it is subtracted from the severity level count(s). For example, if you currently have three critical alerts and one of them is in SDT, the critical alert count will be 2 and the SDT count will be 1.
Anomaly		Filters the alert table by anomaly status. This filter supports three states: Includes only those alerts that have been triggered by dynamic thresholds (only the “Anomaly:On” option is checked and the filter icon displays a lower horizontal line). Includes only those alerts that were not triggered by dynamic thresholds (only the “Anomaly: Off” option is checked and the filter icon is grayed out). Includes all alerts regardless of anomalous status (both options are checked/unchecked and the filter icon displays a lower and upper line). For more information on the role of dynamic thresholds in alerting, see Enabling Dynamic Thresholds for Datapoints.
Time Range		Filters alerts according to the time the alert was reported. The pre-defined “Any time” filter includes every alert that resides in your database. In addition to offering several predefined filters, the time range filter also offers the ability to define a custom time range.
Group*		Only includes alerts triggered by the resources/websites that are immediate members of the one or more groups specified for this filter.
Group (including subgroups)*		Only includes alerts triggered by the resources/websites that are members of the one or more groups (and their subgroups) specified for this filter.
Resource/Website*		Only includes alerts triggered by the resource(s)/website(s) specified for this filter.
LogicModule*		Only includes alerts triggered by instances belonging to the LogicModule(s) specified for this filter.
Instance*		Only includes alerts triggered by the instance(s) specified for this filter.
Datapoint*		Only includes alerts triggered by the datapoint(s) specified for this filter.
Alert rule*		Only includes alerts for which the specified alert rule(s) were applied.
Escalation Chain*		Only includes alerts for which the specified escalation chain(s) were used to deliver notifications.
Dependency Routing State		Use the Routing State filter to restrict the alert table according to alert routing criteria relevant to LogicMonitor’s root cause analysis feature. For more information on this filter, see Enabling Root Cause Analysis.
Dependency Role		Use the Dependency Role filter to restrict the alert table according to dependency criteria relevant to LogicMonitor’s root cause analysis feature. For more information on this filter, see Enabling Root Cause Analysis.
Suppression Type		Use the Suppression Type filter to restrict the alert table to alerts whose notifications have been suppressed. The following suppression types can be used as filter criteria: None. Returns alerts whose notifications have not been suppressed. (Note: Refrain from using the None filter criterion as it is not working as intended. This is a known issue that will be addressed in an upcoming release.) SDT. Returns alerts whose notifications have been suppressed due to scheduled downtime (SDT) of the triggering resource/instance. See SDT Tab for more details on how SDT impacts the delivery of alert notifications. Host Down. Returns alerts whose notifications have been suppressed because the Collector has not been able to access the triggering resource (host) for a period of six minutes or more. See HostStatus DataSource for more details on how down hosts impact the delivery of alert notifications. Cluster Alert. Returns alerts whose notifications have been suppressed because the triggering resources/datapoints are members of a cluster alert and the cluster alert has been configured to supersede the individual alerts. See Cluster Alerts for more details on how down cluster alerts impact the delivery of alert notifications for individual members. Collector Down. Returns alerts whose notifications were suppressed as a result of being triggered by devices impacted by a down Collector. See Monitoring Your Collectors for more details on how down Collectors impact the delivery of alert notifications. Anomaly Detection. Returns alerts whose notifications were suppressed as a result of being determined non-anomalous by LogicMonitor’s dynamic thresholds. See Enabling Dynamic Thresholds for Datapoints for more details on how dynamic thresholds can be used to suppress alert notifications for non-anomalous conditions.
*Glob expressions are supported for these fields and the entry of an asterisk into the filter’s search field activates their usage. Glob expressions must be followed by an asterisk and multiple parameters or expressions using special characters must be surrounded by parentheses. For example, to include all resources whose names begin with “172”, you would enter 172*. To include all resources whose names begin with “172” or “192”, you would enter ((172*|192*))*. To exclude all resources whose names begin with “172” or “192”, you would enter (!(172*|192*))*. See Using Glob Expressions Throughout the LogicMonitor Portal for more information.

Note: Multiple criteria within the same filter is joined using an OR operator; criteria across multiple filters is joined using an AND operator.

Keyword Filter

The Filter Alerts field allows you to filter the alert table by keyword. Single keywords are automatically wildcarded on both ends. For example, a search term of “time” could return “time”, “uptime”, and “timeout.”

Saving and Clearing Filter Views

Saving a Filter View

As you establish filters on the Alerts page, you have the ability to save the current filter view for future access by clicking the star icon. Saved filter views are associated with individual user accounts and are not available globally.

Upon saving, LogicMonitor captures:

• The current time range (as established by the time range filter)
• Any search criteria present in the keyword filter
• All other filter criteria present (for example, severity level, SDT status, acknowledgement status, defined datapoint(s), instance(s), and so on)

Note: If you had previously saved filter views from the prior version of the Alerts page UI, LogicMonitor is temporarily offering the ability to import those filters using the import saved views icon that displays on the Save as new View dialog.

If a saved filter view is active, but criteria has been edited during the current session to cause the alert table results to fall out of compliance with the parameters of the active filter view, the star icon reverts back to an unfilled icon to serve as an indicator that you are no longer within the bounds of the selected filter view. When this happens, you can click the star icon to update/save the current active filter view with the new parameters or you can click the dropdown menu next to the active filter view name to either save the current parameters as a brand new filter view or revert back to the saved settings of the current active filter view.

Clearing a Filter View

To return the alert table back to its default filter settings (all alerts reported within the last 24 hours that have not been cleared), click the Clear icon.

Visually Grouping Alerts with the Header Graph

To speed up troubleshooting and time to resolution, the alerts in the alert table can also be viewed as a time-series graph. At its most basic, this graph mirrors the alerts currently displayed in the alert table and charts the aggregated alert count over a configured period of time.

However, the graph is most impactful when it is used to group alerts by a relevant dimension. For example, the graph’s aggregated alert counts can be grouped by alert severity, associated alert triggers (resource, LogicModule, instance, datapoint), matching alert rules, or the escalations chains used to deliver alert notifications.

The ability to quickly visualize alert commonalities is very helpful when investigating an alert storm or identifying recurring issues requiring remediation or adjustments to alert thresholds.

Displaying and Using the Header Graph

To display (or hide) the header graph, click the more options icon located in the upper right corner of the Alerts page and select “Header Graph”. The graph will retain your prior groupings (dimensions) while reflecting the alerts currently listed in the alert table.

To select a dimension, click the three-way arrow icon to choose from the list of possible dimensions. Only one dimension can be grouped per graph, but you’ll notice that as you select additional dimensions, you are able to easily toggle among them using the dropdown on the right.

The graph is highly interactive, allowing you to:

• Zoom in on a time range by clicking and dragging across the desired timeframe
• Click on a grouping in the legend or in the graph itself to quickly include/exclude that group of alerts

As you interactively change the graph’s filters, the alert table automatically updates to remain in sync—and vice versa.

Sorting Alerts

The alert table can be sorted according to alert severity level (Severity column) or the time the alert was reported (Reported At column). Simply click on one of these column headers to initiate sorting (click once for descending order and twice for ascending order).

LogicMonitor also offers the ability to initiate secondary sorting using severity level as the primary sort and time alert was reported as the secondary sort. To initiate secondary sorting, first sort by severity level and then hold down the shift key while additionally setting sorting for reporting time.

Opening and Acting Upon an Individual Alert

When you click on an individual alert, an alert detail pane opens from the bottom of the Alerts page. The detail pane provides additional alert context, as well as the ability to act upon the alert in a number of ways.

There are up to five primary categories of information, organized by page tabs, that display for each individual alert, as well as a standard toolbar that allows you to perform a variety of actions for the alert. Each is described next.

Overview Tab

The Overview tab consolidates many of the same details displayed in the alert table row, as well as displays the alert message and any manually-entered notes for the alert.

Note: The manual entry of general alert notes is only permitted for up to 48 hours after the alert has cleared.

When viewing alerts triggered by datapoints, the Overview tab additionally displays an alert overview graph that plots 60 minutes of data collected for the datapoint. This graph includes the expected range in which datapoint values are expected to fall (the expected range is shaded in blue and available to LogicMonitor Enterprise users only) and the ability to plot offsets that compare the current timeframe to values collected exactly 24 hours, one week, or 30 days ago. For more information on how the expected range is calculated or on using offsets, see Anomaly Detection Visualization.

Graphs Tab

The Graphs tab displays all relevant graphs associated with the alert. If the alert is not associated with a DataSource or website (for example, if the alert is triggered by an EventSource or ConfigSource alert), no Graphs tab displays.

By default, the time range for all graphs is set to “At time of alert,” which features one hour of data—starting 30 minutes before and ending 30 minutes after the alert occurred. This time range can be modified using a variety of predefined time ranges including the current global time range.

There are several ways in which you can manipulate the output and display of graphs from the Graphs tab of an alert, including viewing Ops Notes; expanding legends; generating forecasting or anomaly detection versions of the graph; or adding the graph to a dashboard. These options are standard across most areas of the interface in which graphs display and are talked about in detail in Graphs Tab.

If there are log anomalies associated with the alert, you can investigate further by selecting “View Logs” from the log anomalies graph. This will redirect you to the Logs page filtered to display log events from the relevant resource during the time period of the alert. See Reviewing Logs and log anomalies.

History Tab

The History tab displays the frequency and severity of alerts over the past 24 hours, seven days, or 30 days—or over the previous calendar month. This is an ideal at-a-glance view of an instance’s performance over time and will help you determine whether an alert was a one-off fluke, if thresholds need to be re-evaluated, or if you need to provision more resources to your equipment.

Maps Tab

When viewing the details of an alert triggered by a resource/instance with an external resource ID (ERI) assigned to it, a Maps tab displays. From this tab, you can click the Maps button and subsequently the Resource or Instance button to generate a topology map for the resource/instance in alert. A new browser window opens that displays the resource/instance as the focus of a new topology map in the Mapping page, allowing you to visually troubleshoot infrastructure that may be contributing or related or the alert. For more information on topology mapping, see Topology Mapping Overview.

Dependencies Tab

When viewing the details of an alert with dependent alerts (in other words, the alert has undergone root cause analysis and determined to be an originating or direct cause alert), a Dependencies tab displays. For more information on this tab and LogicMonitor’s root cause analysis feature, see Enabling Root Cause Analysis.

Individual Alert Toolbar

From the toolbar that displays in the upper right corner of the alert detail pane, you can perform the following actions:

• Put into SDT. Click the SDT icon to schedule downtime for the device group, device, instance, or website associated with the alert. For more information on SDT functionality, see Scheduled Down Time (SDT) Tab.
• Acknowledge the alert. Click the acknowledge icon to indicate that the underlying issue of the alert is being actively fixed.
• Escalate the alert. Click the escalate icon to manually escalate the alert to the next level in its assigned escalation chain. The icon is grayed out If no escalation chain is assigned to the alert. For more information on escalation chains, see Escalation Chains.

For guidelines on acknowledging or escalating alerts, or putting alerts into SDT, see Guidelines for Responding to Alerts.

Performing Actions on Multiple Alerts at Once (Acknowledgment, SDT)

As discussed in the previous section, alerts can be acknowledged, escalated, annotated, or put into SDT individually from the alert detail pane. These actions can also be performed on multiple alerts at once by checking the checkbox to the left of one or more alerts.

Note: Notes cannot be added for alerts that cleared more than 48 hours ago.

Once the desired alerts are selected, click the Actions button to select one of the available actions from the dropdown menu.

Customizing Alert Table Settings

On a per-user basis, various aspects of the alert table can be customized, including:

• Alert table columns
• Alert table formatting

Customizing Alert Table Columns

Click the more options icon located in the upper right corner of the Alerts page to open the Column Settings dialog. From this dialog, you can make default columns visible/invisible, reorder columns, and add/delete custom columns.

Adding Custom Columns

Custom columns can be added to the alert table to display the values of properties or LogicMonitor tokens related to the resource in alert. Use the Search field at the bottom of the Column Settings dialog to add custom columns.

To add a property as a custom column, simply start typing the name of the property whose values you would like to see for each alert into the Search field and matching search results will be auto-generated as you type.

To add a token as a custom column, you must prepend and append the token name with “##” (for example, ##ALERTID##). Token names are not case sensitive (for example, ##AlertID## also works). Search results are not auto-generated when typing token names; instead, you’ll need to select the “Create ##<token>##” option that appears.

Customizing Alert Table Formatting

Several aspects of the alert table display can be customized to suit your viewing preferences. These settings are available by clicking Profile | Appearance from the left navigation menu while the Alerts page is open.

Note: With the refresh of the Alerts page UI, LogicMonitor has temporarily removed the ability to configure LogicMonitor to play sounds for new alerts. We will be bringing this capability back shortly. In the meantime, you may use the prior version of the Alerts page, which is accessible by removing the “s” from the very end of the Alerts page URL (transforming “/alerts” to “/alert”), if you’d like for previously-configured sounds to signal the arrival of alerts. The prior version of the Alerts page must be open in order for sounds to play.

Date & Time Display

Use the Date & Time Display setting to indicate whether timestamps will be formatted using:

• The 12-hour clock or the 24-hour clock
• Full date display or compact date display. If full date display is chosen, a dropdown menu appears offering several display formatting options.

Alternating Row Color

Enable the Alternate Row Color setting to alternate the background color of rows.

Text Wrapping

Enable text wrapping for alert table columns using the Wrap Text setting. If this setting is disabled, truncated text can be seen by hovering over the column or by opening the alert to display its detail page.

Font Size

Use the Font size setting to indicate the font size for the text that displays in the alert table.

Alert Severity Display

The alert severity icons that display in the Severity column can be updated to a light color theme and/or a condensed icon width theme using the Light Theme and Condensed Theme settings respectively.