An alert signals that a policy’s conditions are being violated. An alert is activated by an initializing event and contains all subsequent events that violate the policy during an uninterrupted period of time.
Relationship with Events
Every 5 minutes, a data point (PT5M) is created and analyzed for each metric on each element. Most data points happen within the acceptable range of expected behavior. The initial point that violates the policy begins an alert; all data points in violation of a policy are referred to as events.
An alert lasting 20 minutes with 4 events:
X – X – X – X – X – X
Imagine that the series above shows the data points for a particular metric being monitored by your policy. The Xs in green are in compliance with your configured policy settings. The bold red X is the first data point in violation of your policy (an event) and also marks the beginning of an alert. The subsequent pink Xs are separate events, but part of the same alert.
Events can be examined on the Events menu. They are ordered by time but also filterable by the alerts they are part of. Using the Events Graph, you may also select a time frame to inspect.
The Top Violators Report displays a list of elements in your environment that have triggered the most events within a specified time frame. This report provides the same type of data as the Events menu, but the data is grouped by element instead.
How to View Alerts
To view Alerts, click Alerts > Open or Alerts > Closed.
Types of Alerts
Policies (sets of alerting conditions) fall into three categories:
- Open: Policy is firing
- Closed: Policy has fired
- No Status: Policy has not fired (green)
Open alerts are not tied to time controls because they are happening in the moment. Closed alerts are tied to time controls. This feature shows any policy that fired during your selected time range.
Alerts Determine if Notifications are Sent
When configured, notifications are external messages sent to other destinations, such as email or an incident management solution. Notifications can be sent when a policy is open and alerting.
If we use the earlier example of a 20-minute alert containing 4 events on a policy with a configured duration of 15 minutes, the initial notification would not go out until the third event. Additional notifications can be sent periodically while the alert is still active and also when the alert is cleared (meaning the policy has closed).
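The grouping of events into an alert and the timing of the initial notification can be sketched as follows. This is an added example, not code from the product: the threshold condition, the sample values, the function names, and the assumption that each event accounts for one 5-minute interval are constructed for illustration.

```python
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=5)  # PT5M data point spacing, as stated on the page


def group_alerts(points, threshold):
    """Group uninterrupted runs of violating data points (events) into alerts.

    points: time-ordered list of (timestamp, value) at PT5M spacing.
    Assumed policy condition: a point is an event when value > threshold.
    """
    alerts, current = [], None
    for ts, value in points:
        if value > threshold:
            if current is None:          # initializing event opens the alert
                current = {"start": ts, "events": [], "closed": None}
            current["events"].append(ts)
        elif current is not None:        # first compliant point closes it
            current["closed"] = ts
            alerts.append(current)
            current = None
    if current is not None:              # run reaches the end: alert still open
        alerts.append(current)
    return alerts


def alert_length(alert):
    """Alert length, assuming each event covers one PT5M interval."""
    return len(alert["events"]) * INTERVAL


def first_notification_event(alert, duration):
    """1-based index of the event that sends the initial notification, or None."""
    for n in range(1, len(alert["events"]) + 1):
        if n * INTERVAL >= duration:
            return n
    return None


def sample_points():
    """Constructed sample: six data points, four of them above the threshold."""
    t0 = datetime(2024, 1, 1, 12, 0)
    values = [40, 95, 97, 93, 96, 42]
    return [(t0 + i * INTERVAL, v) for i, v in enumerate(values)]


if __name__ == "__main__":
    for a in group_alerts(sample_points(), threshold=90):
        n = first_notification_event(a, timedelta(minutes=15))
        print(a["start"], len(a["events"]), alert_length(a), "notify at event", n)
```

With a configured duration longer than the alert itself, `first_notification_event` returns `None`: the alert opens and closes without any notification being sent.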