Manage Alerts

Alerts can be managed individually, or as a group, by using the checkboxes on the left side of the Alert UI and the customization bar.

The columns of the table can also be configured, to provide you with the necessary data for your use cases.

Select a group of alerts and perform several batch operations, such as filtering, deleting, enabling, disabling, or exporting to a JSON object. Select individual alerts to perform tasks such as creating a copy for a different team.

View Alert Details

The bell button next to an alert indicates that you have not resolved the corresponding events. The Activity Over Last Two Weeks column visually notifies you with an event chart showing the number of events that were triggered over the last two weeks. The color of the event chart represents what severity level they are.

To view alert details, click the corresponding alert row. The slider with the alert details will appear. Click an individual event to Take Action. You can do one of the following:

Acknowledge: Mark that the event has been acknowledged by the intended recipient.
Create Silence from Event: If you no longer want to be notified, use this option. You can choose the scope for alert silence. When silenced, alerts will still be triggered but will not send you any notifications.
Explore: Use this option to troubleshoot by using the PromQL Query Explorer.

The event feed will be empty and The Activity Over Last Two Weeks column will have no event chart if no events are reported in the past two weeks.

Enable and Disable Alerts

Alert UI

Alerts can be enabled or disabled using the slider or the customization bar. You can perform these operations on a single alert or on multiple alerts as a batch operation.

From the Alerts module, check the boxes beside the relevant alerts.
Click Enable Selected or Disable Selected as necessary.

Use the slider beside the alert to disable or enable individual alerts.

Automatic Disabling

Sysdig automatically disables an alert in the following conditions:

Alert has more than 10K segments.
The segmentation limit for an alert is limited to 10K. Any alert that exceeds this limit will be automatically disabled.
Alert has accumulated more than 2000 alert notifications per day.

In these scenarios:

Alert notifications will not be resolved when the alert is deactivated.
An event is generated notifying about the alert deactivation.

For more information, see Service Limits.

Manual Alert Resolution

Alerts can be manually resolved when the triggering entity no longer exists or simply to clean up the triggering alerts occurrences from the environment. You can do it in the following ways:

From the Alerts page, all of the triggering segments for a given alert rule can be manually resolved. You can also bulk select multiple alerts rules and resolve all the alert occurrences for multiple alert rules.
From the Events page, a single triggering segment can be manually resolved using the Take Action button. To do so, click the relevant event and select Take Action > Manually Resolve.

Manually resolved alerts will still be evaluated after the resolution and if the alert condition is true, will return to a firing state.

Edit an Existing Alert

To edit an existing alert:

Do one of the following::
- Click the Edit button beside the alert.
- Click an alert to open the detail view, then click Edit on the top right corner.
Edit the alert, and click Save to confirm the changes.

Copy an Alert

Alerts can be copied within the current team to allow for similar alerts to be created quickly, or copied to a different team to share alerts.

Copy an Alert to the Current Team

To copy an alert within the current team:

Highlight the alert to be copied.
The detail view is displayed.
Click Copy.
The Copy Alert screen is displayed.
Select Current from the drop-down.
Click Copy and Open.
The particular alert in the edit mode appears.
Make necessary changes and save the alert.

Copy an Alert to a Different Team

Highlight the alert to be copied.
The detail view is displayed.
Click Copy.
The Copy Alert screen is displayed.
Select the teams that the alert should be copied to.
Click Send Copy.

Search for an Alert

Search Using Strings

The Alerts table can be searched using partial or full strings. For example, the search below displays only events that contain kubernetes:

Filter Alerts

The alert feed can be filtered in multiple ways, to drill-down into the environment’s history and refine the alert displayed. The feed can be filtered by severity or status. Examples of each are shown below.

The example below shows only high and medium severity:

The example below shows the alerts that are invalid:

Export Alerts as JSON

A JSON file can be exported to a local machine, containing JSON snippets for each selected alert:

Click the checkboxes beside the relevant alerts to be exported.
Click Export JSON.

Delete Alerts

Open the Alert page and use one of the following methods to delete alerts :

Hover on a specific alert and click Delete.
Hover on one or more alerts, click the checkbox, then click Delete on the bulk-action toolbar.
Click an alert to see the detailed view, then click Delete on the top right corner.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.