Alert API Object

Schema for alert objects.

{
  "active_incidents_count": 3,
  "alert_id": 156514,
  "check": "cpu",
  "dedupe_key": "www.your-source.com::retail::support::cpu",
  "description": "CPU spike to 75%",
  "event_count": 1,
  "event_type": "Log",
  "first_event_time": 1618156518,
  "incidents": [ 90312, 90313, 90314 ],
  "last_event_time": 1618156518,
  "last_status_change_time": 1618156518,
  "location": { "region": "us-west-1" },
  "maintenance": "placeholder_maintenance",
  "service": [ "retail", "support" ],
  "service_count": 2,
  "severity": "major",
  "source": "www.your-source.com",
  "status": "open",
  "tags": { "key": "value" }
}

active_incidents_count

integer

The number of active incidents in which the alert is included.

If you have multiple correlation definitions, one alert might fit multiple definitions and thus get included in multiple incidents.

alias

string

The alias for the alert source, as defined in the alias field in the event or the source field in the anomaly. You can specify aliases through ingestion or enrichment.

class

string

The high-level category of the performance issue reported by the alert. Examples include application, network, middleware, and cloud. This value is based on the service field in events.

If a metric anomaly does not have a service tag specified, Moogsoft autogenerates this field based on the metric source and name.

dedupe_key

string

The key used to identify duplicate events. By default, Moogsoft autogenerates this key based on the source, service, and check fields in the event itself. This key also includes class if an event includes this field.

See Event deduplication: how-to and best practices.

description

string

Alert description, based on the description field in the ingested event.

event_count

integer

Number of events in the alert.

first_event_time

UTC timestamp

The timestamp of the first event or anomaly added to the alert.

incidents

list

The list of incidents in which this alert is included. This list includes both open and resolved incidents.

If you have multiple correlation definitions, one alert might match multiple definitions and be included in multiple incidents.

last_event_time

UTC timestamp

Timestamp of the most recent event included in the alert.

last_status_update_time

UTC timestamp

Timestamp when the alert status was most recently updated.

location

list

You can include generic geolocation information in the location field of an ingested event. This is a structured set of key-value pairs, such as { "City": "London", "Street": "31 High Street" }.

maintenance

string

Reserved for future use.

manager

string

The generator or intermediary of the events in this alert.

service

list of strings

The applications or services associated with the events added to this alert.

severity

integer or string

The relative severity of the event: 0 = clear, 1 = unknown, 2 = warning, 3 = minor, 4 = major, 5 = critical.

source

string

The node where the original events and/or anomalies occurred. This is typically an IP address or a fully qualified domain name.

status

string

The alert status: closed, in progress, open, resolved.

tags

string

All optional tags included in this alert. You can specify tags during ingestion, or use event enrichment to add tags after ingestion.

utcOffset

string

The UTC offset of the time zone where the events occurred.
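The following Python consumer is an added example and is not part of the Moogsoft documentation or product code. It loads the sample alert from this page, checks the field types and enumerations the schema documents (severity scale, status values, UTC epoch timestamps, active incidents never exceeding the incidents list), and rebuilds the dedupe key from source, service and check. Two assumptions are labelled in the code: the "::" join layout of the dedupe key is inferred from the sample value on this page, and the type table deliberately leaves out location and tags, whose documented type and sample value disagree.

```python
import json
from datetime import datetime, timezone

# Constructed sample, copied from the schema sample on this page.
SAMPLE_ALERT_JSON = """
{
  "active_incidents_count": 3, "alert_id": 156514, "check": "cpu",
  "dedupe_key": "www.your-source.com::retail::support::cpu",
  "description": "CPU spike to 75%", "event_count": 1, "event_type": "Log",
  "first_event_time": 1618156518, "incidents": [90312, 90313, 90314],
  "last_event_time": 1618156518, "last_status_change_time": 1618156518,
  "location": {"region": "us-west-1"}, "maintenance": "placeholder_maintenance",
  "service": ["retail", "support"], "service_count": 2, "severity": "major",
  "source": "www.your-source.com", "status": "open", "tags": {"key": "value"}
}
"""

# Severity scale as documented: integer code <-> label.
SEVERITY_LABELS = {0: "clear", 1: "unknown", 2: "warning", 3: "minor", 4: "major", 5: "critical"}
SEVERITY_CODES = {label: code for code, label in SEVERITY_LABELS.items()}
# Status values as documented.
STATUSES = {"closed", "in progress", "open", "resolved"}
# Expected types for the fields this consumer relies on. Assumption: location and
# tags are left out because the page's type table and sample disagree on them.
FIELD_TYPES = {
    "active_incidents_count": int, "alert_id": int, "check": str, "dedupe_key": str,
    "description": str, "event_count": int, "first_event_time": int,
    "last_event_time": int, "incidents": list, "service": list,
    "severity": (int, str), "source": str, "status": str,
}


def load_alert(raw):
    """Parse the alert JSON; only a JSON object is accepted as an alert."""
    alert = json.loads(raw)
    if not isinstance(alert, dict):
        raise ValueError("alert payload must be a JSON object")
    return alert


def normalize_severity(value):
    """Return (code, label) for an integer or string severity; raise ValueError otherwise."""
    if isinstance(value, bool):  # bool is a subclass of int; reject it explicitly
        raise ValueError(f"invalid severity: {value!r}")
    if isinstance(value, int):
        if value not in SEVERITY_LABELS:
            raise ValueError(f"severity code out of range: {value}")
        return value, SEVERITY_LABELS[value]
    if isinstance(value, str):
        label = value.strip().lower()
        if label not in SEVERITY_CODES:
            raise ValueError(f"unknown severity label: {value!r}")
        return SEVERITY_CODES[label], label
    raise ValueError(f"invalid severity: {value!r}")


def expected_dedupe_key(alert):
    """Rebuild the dedupe key from source, service and check (plus class when present).
    Assumption: the '::'-joined layout is inferred from the sample value on the page."""
    parts = [alert["source"], *alert["service"]]
    if alert.get("class"):
        parts.append(alert["class"])
    parts.append(alert["check"])
    return "::".join(parts)


def validate_alert(alert):
    """Check types, enumerations and documented invariants; return a list of problems."""
    problems = []
    for field, typ in FIELD_TYPES.items():
        if field not in alert:
            problems.append(f"missing field: {field}")
        elif not isinstance(alert[field], typ) or isinstance(alert[field], bool):
            problems.append(f"wrong type for {field}: {type(alert[field]).__name__}")
    if problems:  # later checks index the fields, so stop on structural errors
        return problems
    if alert["status"] not in STATUSES:
        problems.append(f"unknown status: {alert['status']!r}")
    try:
        normalize_severity(alert["severity"])
    except ValueError as exc:
        problems.append(str(exc))
    if not all(isinstance(i, int) for i in alert["incidents"]):
        problems.append("incidents must be a list of integers")
    # incidents lists open and resolved incidents, so active ones cannot outnumber it
    if alert["active_incidents_count"] > len(alert["incidents"]):
        problems.append("active_incidents_count exceeds the incidents list")
    if alert["first_event_time"] > alert["last_event_time"]:
        problems.append("first_event_time is after last_event_time")
    if alert["dedupe_key"] != expected_dedupe_key(alert):
        problems.append("dedupe_key does not match source/service/check")
    return problems


def event_times_iso(alert):
    """Render the UTC epoch-second timestamps as ISO 8601 strings."""
    return {name: datetime.fromtimestamp(alert[name], tz=timezone.utc).isoformat()
            for name in ("first_event_time", "last_event_time")}


if __name__ == "__main__":
    alert = load_alert(SAMPLE_ALERT_JSON)
    print("problems:", validate_alert(alert))
    print("severity:", normalize_severity(alert["severity"]))
    print("times:", event_times_iso(alert))
```

Validation stops after the type pass so that the invariant checks never index a missing or mistyped field; a consumer that feeds alerts into automation should drop or quarantine any payload with a non-empty problem list rather than act on it.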