Alert API Object

Schema for alert objects.

An example Alert object using a Datadog alert:

    {
        "alert_id": 12867,
        "alias": null,
        "assignee": "[email protected]",
        "check": "datadog.dogstatsd.client.bytes_sent",
        "class": "storage",
        "dedupe_key": "my-laptop::datadog.dogstatsd.client.bytes_sent:12867",
        "description": "Metric datadog.dogstatsd.client.bytes_sent value back in bounds: 303.3499946594238",
        "event_count": 2,
        "external_names": null,
        "first_event_time": 1652730410,
        "incidents": 2632,
        "last_event_time": 1652730430,
        "last_status_change_time": 1652732475,
        "location": {
            "region": "us-west-1"
        },
        "maintenance": null,
        "manager": "Datadog",
        "manager_id": null,
        "namespace": "my-laptop.local::moog:integration:datadog::datadog.dogstatsd.client.bytes_sent",
        "policy": null,
        "service": null,
        "severity": "clear",
        "severity_numeric": 0,
        "source": "my-laptop.local",
        "status": "closed",
        "status_numeric": 9,
        "tags": {
            "host": "my-laptop.local",
            "Integration": "Datadog",
            "maintenance": "false"
        },
        "type": "Activity"
    }

alert_id

integer

The auto-generated identification number Moogsoft Cloud assigns to each alert.

alias

string

The alias for the alert source, as defined in the alias field in the event or the source field in the anomaly. You can specify aliases through ingestion or enrichment.

assignee

email address

The Moogsoft Cloud user currently assigned to investigate this alert.

check

string

An identifier for the type of alert. For example, check could indicate the type of test that caused the alert to be created (such as ping or response time).

class

string

The high-level category of the performance issue reported by the alert. Examples include application, network, middleware, and cloud. This value is based on the service field in events.

If a metric anomaly does not have a service tag specified, Moogsoft auto-generates this field based on the metric source and name.

dedupe_key

string

The key used to identify duplicate events. By default, Moogsoft autogenerates this key based on the source, service, and check fields in the event itself. This key also includes class if an event includes this field.

See Deduplicate events to reduce noise.

description

string

Alert description, based on the description field in the ingested event.

event_count

integer

Number of events in the alert.

external_names

string

The name of an outbound integration.

first_event_time

UTC timestamp

The timestamp of the first event or anomaly added to the alert.

incidents

list

The list of incidents in which this alert is included. This list includes both open and resolved incidents.

If you have multiple correlation definitions, one alert might match multiple definitions and be included in multiple incidents.

last_event_time

UTC timestamp

Timestamp of the most recent event included in the alert.

last_status_change_time

UTC timestamp

Timestamp when the alert status was most recently updated.

location

list

You can include generic geolocation information in the location field of an ingested event. This is a structured set of key-value pairs, such as {"City": "London", "Street": "31 High Street"}.

maintenance

string

Reserved for future use.

manager

string

The generator or intermediary of the events in this alert.

manager_id

integer

The unique identifier for the alert in the source system.

namespace

string

An internal field used to identify the source metric for any events that were generated via Anomaly Detection.

policy

string

Reserved for future use.

service

list of strings

The applications or services associated with the events added to this alert.

severity

string

The relative severity of the alert: clear, unknown, warning, minor, major, critical.

severity_numeric

integer

A numeric representation of alert severity. 0 = clear, 1 = unknown, 2 = warning, 3 = minor, 4 = major, 5 = critical.

source

string

The node where the original events and/or anomalies occurred. This is typically an IP or fully-qualified domain name.

status

string

The alert status: closed, in progress, open, resolved.

status_numeric

integer

A numeric representation of the alert status: 0 = unknown, 1 = open, 2 = in progress, 7 = superseded, 8 = resolved, 9 = closed.
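A consumer of this API (a SOC pipeline pulling alerts, for instance) should not trust that the string and numeric fields agree, or that the timestamps are ordered, before acting on an alert. The following is an added example, not Moogsoft's own code: it loads the sample Alert object shown at the top of this page, checks the field types and the severity/status enumerations documented above, converts the epoch-second timestamps to ISO 8601, and orders still-actionable alerts by severity and recency. The additional alerts it builds (alert_ids 20001 to 20003) are constructed here for illustration and do not come from the page.

```python
"""Consumer-side validation and triage of Moogsoft Cloud Alert objects (added example)."""
import json
from datetime import datetime, timezone

# Enumerations exactly as documented for severity_numeric and status_numeric.
SEVERITY_BY_NUMBER = {0: "clear", 1: "unknown", 2: "warning", 3: "minor", 4: "major", 5: "critical"}
STATUS_BY_NUMBER = {0: "unknown", 1: "open", 2: "in progress", 7: "superseded", 8: "resolved", 9: "closed"}

# Fields a consumer relies on, with the types given in the schema descriptions.
# Fields that appear as null in the sample (alias, service, ...) are not required here.
EXPECTED_TYPES = {
    "alert_id": int, "event_count": int, "first_event_time": int, "last_event_time": int,
    "last_status_change_time": int, "severity_numeric": int, "status_numeric": int,
    "severity": str, "status": str, "source": str,
}

# The sample alert from this page, as returned by the API.
SAMPLE_ALERT = json.loads("""{
  "alert_id": 12867, "alias": null, "assignee": "[email protected]",
  "check": "datadog.dogstatsd.client.bytes_sent", "class": "storage",
  "dedupe_key": "my-laptop::datadog.dogstatsd.client.bytes_sent:12867",
  "description": "Metric datadog.dogstatsd.client.bytes_sent value back in bounds: 303.3499946594238",
  "event_count": 2, "external_names": null, "first_event_time": 1652730410, "incidents": 2632,
  "last_event_time": 1652730430, "last_status_change_time": 1652732475,
  "location": {"region": "us-west-1"}, "maintenance": null, "manager": "Datadog", "manager_id": null,
  "namespace": "my-laptop.local::moog:integration:datadog::datadog.dogstatsd.client.bytes_sent",
  "policy": null, "service": null, "severity": "clear", "severity_numeric": 0,
  "source": "my-laptop.local", "status": "closed", "status_numeric": 9,
  "tags": {"host": "my-laptop.local", "Integration": "Datadog", "maintenance": "false"},
  "type": "Activity"
}""")


def make_alert(alert_id, severity_numeric, status_numeric, last_event_time):
    """Build a minimal constructed alert (test data, not from the API)."""
    return {
        "alert_id": alert_id, "event_count": 1, "source": "host.example.internal",
        "first_event_time": last_event_time - 60, "last_event_time": last_event_time,
        "last_status_change_time": last_event_time,
        "severity": SEVERITY_BY_NUMBER[severity_numeric], "severity_numeric": severity_numeric,
        "status": STATUS_BY_NUMBER[status_numeric], "status_numeric": status_numeric,
    }


def validate_alert(alert):
    """Return a list of problems; an empty list means the object is consistent with the schema."""
    problems = []
    for field, typ in EXPECTED_TYPES.items():
        if field not in alert:
            problems.append(f"missing field: {field}")
        elif not isinstance(alert[field], typ) or isinstance(alert[field], bool):
            problems.append(f"{field}: expected {typ.__name__}, got {type(alert[field]).__name__}")
    if problems:
        return problems  # enumeration and ordering checks need well-typed fields
    sev, st = alert["severity_numeric"], alert["status_numeric"]
    if SEVERITY_BY_NUMBER.get(sev) != alert["severity"]:
        problems.append(f"severity mismatch: {alert['severity']!r} vs severity_numeric={sev}")
    if STATUS_BY_NUMBER.get(st) != alert["status"]:
        problems.append(f"status mismatch: {alert['status']!r} vs status_numeric={st}")
    if alert["first_event_time"] > alert["last_event_time"]:
        problems.append("first_event_time is later than last_event_time")
    if alert["event_count"] < 1:
        problems.append("event_count must be at least 1")
    return problems


def epoch_to_iso(ts):
    """Render a UTC epoch-second timestamp as ISO 8601."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def triage_order(alerts):
    """alert_ids of open / in-progress alerts, most severe first, then most recent event first."""
    actionable = [a for a in alerts if not validate_alert(a) and a["status_numeric"] in (1, 2)]
    actionable.sort(key=lambda a: (-a["severity_numeric"], -a["last_event_time"]))
    return [a["alert_id"] for a in actionable]


# Constructed alerts: one open major, one in-progress critical, one resolved warning.
CONSTRUCTED_ALERTS = [
    SAMPLE_ALERT,
    make_alert(20001, 4, 1, 1652731000),
    make_alert(20002, 5, 2, 1652730900),
    make_alert(20003, 2, 8, 1652731100),
]
# A deliberately inconsistent alert: string says critical, number says major.
INCONSISTENT_ALERT = dict(make_alert(20004, 4, 1, 1652731200), severity="critical")

if __name__ == "__main__":
    for a in CONSTRUCTED_ALERTS + [INCONSISTENT_ALERT]:
        print(a["alert_id"], epoch_to_iso(a["last_event_time"]), validate_alert(a) or "ok")
    print("triage order:", triage_order(CONSTRUCTED_ALERTS))
```

Alerts that fail validation are left out of the triage list rather than silently ranked, so a malformed or tampered object surfaces as a validation problem instead of being acted on with the wrong priority.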

tags

string

All optional tags included in this alert. You can specify tags during ingestion, or use event enrichment to add tags after ingestion.

type

string

The type of the alert. The type is context-specific based on class. For example, when class is "application", type could be "availability", "performance", "memory", "resources", or "storage".