Schema for alert objects.
An example Alert object using a Datadog alert:
{
  "alert_id": 12867,
  "alias": null,
  "assignee": "[email protected]",
  "check": "datadog.dogstatsd.client.bytes_sent",
  "class": "storage",
  "dedupe_key": "my-laptop::datadog.dogstatsd.client.bytes_sent:12867",
  "description": "Metric datadog.dogstatsd.client.bytes_sent value back in bounds: 303.3499946594238",
  "event_count": 2,
  "external_names": null,
  "first_event_time": 1652730410,
  "incidents": 2632,
  "last_event_time": 1652730430,
  "last_status_change_time": 1652732475,
  "location": {
    "region": "us-west-1"
  },
  "maintenance": null,
  "manager": "Datadog",
  "manager_id": null,
  "namespace": "my-laptop.local::moog:integration:datadog::datadog.dogstatsd.client.bytes_sent",
  "policy": null,
  "service": null,
  "severity": "clear",
  "severity_numeric": 0,
  "source": "my-laptop.local",
  "status": "closed",
  "status_numeric": 9,
  "tags": {
    "host": "my-laptop.local",
    "Integration": "Datadog",
    "maintenance": "false"
  },
  "type": "Activity"
}
- alert_id
- alias
- assignee
- check
- class
- dedupe_key
- description
- event_count
- external_names
- first_event_time
- incidents
- last_event_time
- last_status_change_time
- location
- maintenance
- manager
- manager_id
- namespace
- policy
- service
- severity
- severity_numeric
- source
- status
- status_numeric
- tags
- type
alert_id
integer
The auto-generated identification number Moogsoft Cloud assigns to each alert.
alias
string
The alias for the alert source, as defined in the alias field in the event or the source field in the anomaly. You can specify aliases through ingestion or enrichment.
assignee
email address
The Moogsoft Cloud user currently assigned to investigate this alert.
check
string
An identifier for the type of alert. For example, check could indicate the type of test which caused the alert to be created (such as ping or response time).
class
string
The high-level category of the performance issue reported by the alert. Examples include application, network, middleware, and cloud. This value is based on the service field in events.
If a metric anomaly does not have a service tag specified, Moogsoft auto-generates this field based on the metric source and name.
dedupe_key
string
The key used to identify duplicate events. By default, Moogsoft autogenerates this key based on the source, service, and check fields in the event itself. This key also includes class if an event includes this field.
See Deduplicate events to reduce noise.
description
string
Alert description, based on the description field in the ingested event.
event_count
integer
Number of events in the alert.
external_names
string
The name of an outbound integration.
first_event_time
UTC timestamp
The timestamp of the first event or anomaly added to the alert.
incidents
list
The list of incidents in which this alert is included. This list includes both open and resolved incidents.
If you have multiple correlation definitions, one alert might match multiple definitions and be included in multiple incidents.
last_event_time
UTC timestamp
Timestamp of the most recent event included in the alert.
last_status_change_time
UTC timestamp
Timestamp when the alert status was most recently updated.
location
list
You can include generic geolocation information in the location field of an ingested event. This is a structured list of key-value pairs, such as { City: 'London', Street: '31 High Street'}.
maintenance
string
Reserved for future use.
manager
string
The generator or intermediary of the events in this alert.
manager_id
integer
The unique identifier for the alert in the source system.
namespace
string
An internal field used to identify the source metric for any events that were generated via Anomaly Detection.
policy
string
Reserved for future use.
service
list of strings
The applications or services associated with the events added to this alert.
severity
string
The relative severity of the event: clear, unknown, warning, minor, major, critical.
severity_numeric
integer
A numeric representation of alert severity. 0 = clear, 1 = unknown, 2 = warning, 3 = minor, 4 = major, 5 = critical.
source
string
The node where the original events and/or anomalies occurred. This is typically an IP or fully-qualified domain name.
status
string
The alert status: closed, in progress, open, resolved.
status_numeric
integer
A numeric representation of the alert status: 0 = unknown, 1 = open, 2 = in progress, 7 = superseded, 8 = resolved, 9 = closed.
tags
string
All optional tags included in this alert. You can specify tags during ingestion, or use event enrichment to add tags after ingestion.
type
string
The type of the alert. The type is context-specific based on class. For example, when class is "application", type could be "availability", "performance", "memory", "resources", or "storage".
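A consumer that receives Alert objects (for example through a webhook) can check each one against the field descriptions above before acting on it. The following is an added example, not Moogsoft code: `validate_alert` is a hypothetical helper, the tables are copied from the severity_numeric and status_numeric entries, and timestamps are assumed to be integer epoch seconds as in the example object.

```python
import json

# Label-to-number tables copied from the severity_numeric and status_numeric entries.
SEVERITY = {"clear": 0, "unknown": 1, "warning": 2, "minor": 3, "major": 4, "critical": 5}
STATUS = {"unknown": 0, "open": 1, "in progress": 2, "superseded": 7, "resolved": 8, "closed": 9}
TIME_FIELDS = ("first_event_time", "last_event_time", "last_status_change_time")
INT_FIELDS = ("alert_id", "event_count", "severity_numeric", "status_numeric", *TIME_FIELDS)


def _is_int(value):
    # bool is a subclass of int in Python, so JSON true/false must be rejected explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_alert(alert):
    """Return the list of inconsistencies in one decoded alert (empty list = consistent)."""
    problems = []
    for field in INT_FIELDS:
        if not _is_int(alert.get(field)):
            problems.append(f"{field}: expected integer, got {alert.get(field)!r}")
    for name, table in (("severity", SEVERITY), ("status", STATUS)):
        label, number = alert.get(name), alert.get(f"{name}_numeric")
        if not isinstance(label, str) or label not in table:
            problems.append(f"{name}: unknown value {label!r}")
        elif _is_int(number) and table[label] != number:
            problems.append(f"{name}_numeric: {number!r} does not match {name} {label!r}")
    # Assumption: timestamps are integer epoch seconds, as in the page's example object.
    first, last = alert.get("first_event_time"), alert.get("last_event_time")
    if _is_int(first) and _is_int(last) and first > last:
        problems.append("first_event_time is later than last_event_time")
    return problems


# Trimmed copy of the page's Datadog example.
SAMPLE_OK = json.loads("""{
  "alert_id": 12867, "event_count": 2, "severity": "clear", "severity_numeric": 0,
  "status": "closed", "status_numeric": 9, "first_event_time": 1652730410,
  "last_event_time": 1652730430, "last_status_change_time": 1652732475
}""")
# Constructed inconsistent record: label/number mismatch and reversed event times.
SAMPLE_BAD = dict(SAMPLE_OK, severity="critical", first_event_time=1652730999)

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(sample["alert_id"], validate_alert(sample) or "consistent")
```
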