Managing Alerts from the Alerts Page
Introduction to the Alerts Page
The Alerts page displays all alerts for your LogicMonitor account. Accessible from the primary left-hand navigation bar, the Alerts page allows you to filter, sort, view details, and respond to alerts.
In addition to the global Alerts page, you'll find filtered Alerts pages (i.e. Alerts tabs) that are available from the detail pages of your various devices, cloud resources, instances, websites, services, and groups. Regardless of where you access alerts (the Alerts page or Alerts tab), the functionality of these interfaces is largely identical.
Note: When viewing alerts from within the LogicMonitor UI (i.e. Alerts page or tab), alerts are timestamped according to the user's configured time zone, assuming one has been set for the user and that it is the current active time zone. However, it is important to be aware that alert notifications received via email, SMS, or voice are timestamped according to the time zone configured for the portal because these are not processed on a per-user basis. For more information on how the configuration of user-specific time zones impacts the LogicMonitor interface, see Users.
The Alerts page displays a summary of alerts, called the alert table. You can filter the alerts displayed in the alert table to optimize relevancy. A large number of filters are available, along with the ability to save sets of commonly-used filter criteria for convenient future access.
The majority of filters are available from the filter content area, which expands/collapses by clicking the All Filters button.
Several of the filters support free-form text (e.g. group, resource, LogicModule, etc.). For these filters, once you begin entering a value into the Enter Filter… field, matching values display. More than one value can be added for each of these filters and glob expressions are supported.
Other filters feature radio buttons or checkbox selections. Each filter's function is briefly outlined next:
- Time range. The time range filter restricts the alert table according to the time the alert was triggered. The default "Any time" setting includes every alert that resides in your database. The time range filter features several other predefined time ranges in addition to "Any time" (e.g. past hour, past week, etc.), as well as the ability to create custom time ranges.
- Group. Only displays alerts triggered by resources/websites belonging to the one or more group(s) specified for this filter.
- Resource. Only displays alerts triggered by the resource(s)/website(s) specified for this filter.
- LogicModule. Only displays alerts triggered by instances belonging to the one or more LogicModule(s) specified for this filter.
- Instance. Only displays alerts triggered by the instance(s) specified for this filter.
- Datapoint. Only displays alerts triggered by the datapoint(s) specified for this filter.
- Alert Rule. Only displays alerts for which the specified alert rule(s) apply.
- Escalation Chain. Only displays alerts for which the specified escalation chain(s) were used to deliver notifications.
- Severity. Only displays alerts whose current severity levels match those selected for this filter.
- Acknowledged. Use the Acknowledged filter to restrict the alert table to only those alerts that have been acknowledged ("Yes" option), exclude alerts that have been acknowledged ("No" option), or return to the default behavior of including both acknowledged and unacknowledged alerts ("All" option).
- SDT. Use the SDT filter to restrict the alert table to only those alerts in SDT ("Yes" option), exclude alerts in SDT ("No" option), or return to the default behavior of including all alerts regardless of SDT status ("All" option).
- Anomaly. Use the Anomaly filter to restrict the alert table to only those alerts whose notifications were not routed as a result of dynamic threshold evaluation ("No" option), those alerts whose notifications were routed after dynamic threshold evaluation ("Yes" option), or return to the default behavior of including all alerts regardless of anomaly status ("All" option). For more information on dynamic threshold evaluation's role in alerting, see Enabling Dynamic Thresholds for Datapoints.
- Routing State. Use the Routing State filter to restrict the alert table according to alert routing criteria relevant to LogicMonitor's root cause analysis feature. For more information on this filter and how to use its "All" criterion in conjunction with one of its other routing state criteria, see Enabling Root Cause Analysis.
- Dependency Role. Use the Dependency Role filter to restrict the alert table according to dependency criteria relevant to LogicMonitor's root cause analysis feature. For more information on this filter and how to use its "All" criterion in conjunction with one of its other dependency role criteria, see Enabling Root Cause Analysis.
- Cleared. By default, the alert table does not display alerts that have been cleared. Use the Cleared filter to restrict the alert table to only those alerts that have been cleared ("Yes" option), include both cleared and uncleared alerts ("All" option), or return to the default behavior of excluding cleared alerts ("No" option).
Note: Multiple criteria within the same filter are joined using an OR operator; criteria across multiple filters are joined using an AND operator.
The Filter field allows you to filter the alert table by keyword. Single keywords are automatically wildcarded on both ends. For example, a search term of "time" could return "time", "uptime", and "timeout."
If multiple terms are entered, they are automatically joined using the AND operator and are wildcarded at the beginning and end of the full string (e.g. searching on "trigger alert" is the same as searching on "*trigger AND alert*"). When multiple keywords are in use, add additional wildcards where necessary. For example, if you want "trigger AND alert" to match on logs also containing "trigger" or "triggers," you'll need to manually enter one more wildcard (i.e. "trigger* AND alert").
An OR or an AND NOT operator can be used instead of the default AND operator. When using either of these operators, only one keyword can be on either side of the operator. For example, searching on "trigger OR alert" will return results as expected, but searching on "trigger alert OR SAML" will not.
With the exception of manually entered operators (i.e. AND, OR, and AND NOT), keyword filters are not case sensitive. A keyword filter is joined with other current active filters using an AND operator.
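The keyword rules above can be modeled in a few lines to see why a query misses alerts during triage. This is an added example, not LogicMonitor code: the `expand`, `matches` and `select` names, the sample alert text, matching per whitespace-separated word, applying the end wildcards to OR and AND NOT queries, and rejecting unsupported queries are all assumptions of the model.

```python
import fnmatch
import re

# Manually entered operators are case sensitive; one keyword on each side.
EXPLICIT = re.compile(r"(\S+) (AND NOT|OR|AND) (\S+)")

def expand(query):
    """Return (operator, glob patterns) for a keyword query."""
    query = query.strip()
    m = EXPLICIT.fullmatch(query)
    if m:
        left, op, right = m.groups()
        terms = [left, right]
    else:
        op, terms = "AND", query.split()
        if not terms or any(t in ("AND", "OR", "NOT") for t in terms):
            raise ValueError("expected keywords, or one keyword on each side of an operator")
    # Automatic wildcards are added only at the two ends of the full string.
    terms[0] = "*" + terms[0]
    terms[-1] = terms[-1] + "*"
    return op, [t.lower() for t in terms]  # keywords are not case sensitive

def matches(query, text):
    """Assumption: each pattern is tested against whole words of the text."""
    op, patterns = expand(query)
    words = text.lower().split()
    hit = [any(fnmatch.fnmatchcase(w, p) for w in words) for p in patterns]
    if op == "OR":
        return hit[0] or hit[1]
    if op == "AND NOT":
        return hit[0] and not hit[1]
    return all(hit)

# Constructed alert text, not real LogicMonitor output.
ALERTS = [
    "Trigger alert on disk latency",
    "Threshold triggers alert storm",
    "SNMP uptime reset detected",
    "SAML login timeout",
]

def select(query):
    return [a for a in ALERTS if matches(query, a)]

if __name__ == "__main__":
    for q in ("time", "trigger alert", "trigger* AND alert", "trigger OR SAML"):
        print(f"{q!r:22} -> {select(q)}")
```

In this model "trigger alert" skips the "triggers alert" row because the implicit pattern is "*trigger", which is the gap the extra wildcard in "trigger* AND alert" closes.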
Along the top of the Alerts page, the total number of active alerts displays, along with alert category breakdowns based on severity, SDT status, and acknowledgment status. These numbers, when clicked, act as quick filters that automatically clear any other filters in place.
When the total number of active alerts is clicked as a quick filter, the alert table automatically sorts using both the alert severity level column (primary sort) and the Alert Began column (secondary sort). Other quick filters, when clicked, preserve the sort order that was previously active.
Note: In order to see quick filters for SDT and acknowledgment status, your account's portal settings (as discussed in About the Account Information Page) must designate that the statuses of "Acknowledged" and "In SDT" be included in the alert count.
As you establish filters on the Alerts page, you have the ability to save the current set of filter criteria for future access by clicking Saved Filters. Saved filters are associated with individual user accounts and are not available globally.
Upon saving, LogicMonitor captures:
- The current time range (as established by the time range filter)
- Any search criteria present in the search field
- All criteria present for the standard filters (e.g. severity, datapoint, resources, etc.)
Note: LogicMonitor offers three predefined filters that represent common sets of criteria.
If a saved filter is active, but criteria have been edited during the current session so that the alert display results fall out of compliance with the parameters of the active filter, an asterisk is appended to the filter's name to serve as a reminder that you are no longer within the bounds of the selected filter. When this happens, you can click the saved filter name to reset the page display back to its saved filter criteria, update it with the new criteria, or save the current filter criteria as a brand new filter.
▲ The asterisk appended to the saved filter's name indicates there is a discrepancy between the current active saved filter and the display criteria. Clicking Saved Filters displays a dropdown menu that allows you to (1) save the current filter criteria as a brand new filter, (2) update the saved filter with the new criteria, or (3) quickly return (i.e. reset) to original saved filter criteria.
The All Filters button displays a running tally of all filter criteria currently applied to the alert table. This count includes all filters active as part of a saved filter, filters set on an ad-hoc basis (including time range), and any keyword search parameters currently active in the search field.
Alerts can be sorted according to several criteria including alert severity, the time the alert began, the resource/website or datapoint that triggered the alert, the time the alert was acknowledged, and more. To sort the alert table, simply click on a column header that supports sorting (click once for ascending order and twice for descending order).
LogicMonitor also offers the ability to initiate secondary sorting using an alert's severity status and alert began timestamp in combination. This allows you to simultaneously sort on both the alert severity level (primary sort) and the time alert began (secondary sort).
To turn on secondary sorting for the alert table, click on the icon that acts as the header for the far left alert severity column. This automatically sorts using the chosen ascending/descending orders of both the alert severity and "Began" columns. To turn off secondary sorting, simply click on a column other than the "Began" column (or click the icon twice more) to reset the table to a single sort order.
Opening and Acting Upon an Individual Alert
When you click on an individual alert, the row expands to display more details for the alert. The primary use of this display is to facilitate troubleshooting and contextualization of triggered alerts by bringing all alert-specific information (and available actions) into a single pane.
There are up to three primary categories of information, organized by page tabs, that display for each individual alert, as well as a standard toolbar that allows you to perform a variety of actions for the alert. Each is described next.
The Overview tab displays a significant amount of detail for an individual alert.
The Graphs tab displays all relevant graphs associated with the alert. If the alert is not associated with a DataSource or website (e.g. it's an EventSource or ConfigSource alert, etc.), no Graphs tab displays.
By default, the time range for all graphs is set to "At time of alert," which features one hour of data—starting 30 minutes before and ending 30 minutes after the alert occurred.
There are several ways in which you can manipulate the output and display of graphs from the Graphs tab of an alert, including viewing Ops Notes, expanding legends, or adding the graph to a dashboard. These options are standard across most areas of the interface in which graphs display and are discussed in detail in Graphs Tab.
The History tab displays the frequency and severity of alerts over the past 24 hours, seven days, 30 days, or calendar month. This is an ideal at-a-glance view of an instance's performance over time and will help you determine whether an alert was a one-off fluke, if thresholds need to be re-evaluated, or if you need to provision more resources to your equipment.
When viewing the details of an alert with dependent alerts (i.e. the alert has undergone root cause analysis and been determined to be an originating or direct cause alert), a Dependencies tab is available in addition to the Overview, Graphs, and History tabs. For more information on this tab and LogicMonitor's root cause analysis feature, see Enabling Root Cause Analysis.
Individual Alert Toolbar
From the toolbar that displays at the bottom of each opened tab, you can perform the following actions:
- Open device or website. Click the View Device button or View Website button to navigate directly to the device or website.
- Escalate the alert. Click the Escalate button to manually escalate the alert to the next level in its assigned escalation chain. For more information on escalation chains, see Escalation Chains.
- Acknowledge the alert. Click the Acknowledge button to indicate that the underlying issue of the alert is being actively fixed.
- Put into SDT. Click the SDT button to schedule downtime for the device, instance, or website. For more information on SDT functionality, see Scheduled Down Time (SDT) Tab.
- Add notes. Click the Add a Note button to enter notes for annotation and contextualization purposes.
- Open topology map. Click the Maps button and select either "Resource" or "Instance" to generate a topology map for the resource/instance in alert. This button only displays if the resource/instance has an external resource ID (ERI) assigned to it. Assuming an ERI is present, a new browser tab opens that displays the resource/instance as the focus of a new topology map in the Mapping page, allowing you to visually troubleshoot infrastructure that may be related or contributing to the alert. For more information on topology mapping, see Topology Mapping Overview.
Acknowledging Alerts and Putting Alerts into SDT en Masse
As discussed in the previous section, an alert can be acknowledged or put into SDT individually from its expanded detail pane. Alerts can also be acknowledged or put into SDT en masse by checking the checkbox to the left of one or more alerts (or all alerts using the topmost checkbox) in the alert table and clicking the Acknowledge or Put in SDT option at the top of the alert table.
Note: You cannot put devices into SDT in bulk from the alert table, only the devices' instances. This is to prevent unintentionally putting a large number of devices into SDT. However, you can put entire devices into SDT when performing the action from the expanded view of an individual alert.
Customizing Alert Table Settings
Clicking into the Alert Table Settings dialog (using the cogwheel icon located above the alert table) offers several options for customizing your alert table view. The first page of the Alert Table Settings dialog is devoted to column management; clicking More Options brings up the rest of the available settings.
From the first page of the Alert Table Settings dialog, you can add, remove, or reorder alert table columns.
Adding Custom Columns
Use the Add Custom Column field to add columns to the alert table. These columns can display the values of properties and LogicMonitor tokens.
To add a property as a custom column, simply start typing the name of the property whose values you would like to see for each alert into the Add Custom Column field and matching search results will be auto-generated as you type.
To add a token as a custom column, you must prepend and append the token name with "##" (e.g. ##ALERTID##). Token names are not case sensitive (i.e. ##AlertID## also works). Search results are not auto-generated when typing token names into the Add Custom Column field.
▲ When entering a property as a custom column, shown in the left Table Settings dialog example, LogicMonitor auto-generates search results as you type. When entering a token as a custom column, search results are not auto-generated and the token must be prepended and appended with two pound signs (##), as shown in the Table Settings dialog example on the right.
Removing and Reordering Columns
From the list of available columns found immediately below the Add Custom Column field, check or uncheck any columns that you would like included or excluded from the alert table. To reorder columns, simply drag and drop the column into its new position.
Note: Alert table columns can also be reordered right from the alert table by dragging and dropping the column names into their new positions. Similarly, column widths can be resized on the alert table by finding and dragging their borders. If you hover over a table cell that has truncated text due to the column not being wide enough, a tooltip appears displaying the text in its entirety.
Results Per Page
Use the Results per page setting to indicate how many rows will be displayed in the alert table per page of results.
Use the Hour Display setting to indicate whether timestamps will be formatted using the 12-hour clock (e.g. 8:51 pm) or the 24-hour clock (e.g. 20:51).
Time & Date Display
Use the Time & Date Display setting to indicate whether timestamps will be formatted in full mode (e.g. May 08 2019 20:51 (4 months)) or compact mode (e.g. May 08 20:51 (4 months)).
Use the Font size setting to indicate the font size for the text that displays in each alert row, as well as in the individual alert detail panes.
Alert Severity Interface
Use the first two Alert Severity Interface settings to enable a light color theme for the alert severity icons and/or a condensed theme.
By default, text wrapping is enabled for the alert table columns to allow you to see all alert details at a glance, but this can be disabled using the Enable Text Wrap setting for a more condensed table view. If this setting is disabled, truncated text can be seen by hovering over the column or by opening the alert to display its detail page.
Alternating Row Color
Enable the Alternating Row Color setting to alternate the background color of rows between white and light blue.
Play Sounds for New Alerts
Enable the Play sounds for new Alerts setting to configure sounds for incoming alerts. You can configure different sounds for each alert severity level.
The Alerts page must be open in order for sounds to play. This setting is particularly useful when the Alerts page is displayed on an NOC screen or computer tab and an additional means of signaling an alert would be helpful.