Schema for alert objects.
{
"active_incidents_count": 3,
"alert_id": 156514,
"check": "cpu",
"dedupe_key": "www.your-source.com::retail::support::cpu",
"description": "CPU spike to 75%",
"event_count": 1,
"event_type": "Log",
"first_event_time": 1618156518,
"incidents": [ 90312, 90313, 90314 ],
"last_event_time": 1618156518,
"last_status_change_time": 1618156518,
"location": { "region": "us-west-1" },
"maintenance": "placeholder_maintenance",
"service": [ "retail", "support" ],
"service_count": 2,
"severity": "major",
"source": "www.your-source.com",
"status": "open",
"tags": { "key": "value" }
}
- active_incidents_count
- alias
- class
- dedupe_key
- description
- event_count
- first_event_time
- incidents
- last_event_time
- last_status_update_time
- maintenance
- location
- manager
- service
- severity
- source
- status
- tags
- utcOffset
active_incidents_count
integer
The number of active incidents in which the alert is included.
If you have multiple correlation definitions, one alert might fit multiple definitions and thus get included in multiple incidents.
alias
string
The alias for the alert source, as defined in the alias field in the event or the source field in the anomaly. You can specify aliases through ingestion or enrichment.
class
string
The high-level category of the performance issue reported by the alert. Examples include application, network, middleware, and cloud. This value is based on the service field in events.
If a metric anomaly does not have a service tag specified, Moogsoft auto-generates this field based on the metric source and name.
dedupe_key
string
The key used to identify duplicate events. By default, Moogsoft autogenerates this key based on the source, service, and check fields in the event itself. This key also includes class if an event includes this field.
See Event deduplication: how-to and best practices.
description
string
Alert description, based on the description field in the ingested event.
event_count
integer
Number of events in the alert.
first_event_time
UTC timestamp
The timestamp of the first event or anomaly added to the alert.
incidents
list
The list of incidents in which this alert is included. This list includes both open and resolved incidents.
If you have multiple correlation definitions, one alert might match multiple definitions and be included in multiple incidents.
last_event_time
UTC timestamp
Timestamp of the most recent event included in the alert.
last_status_update_time
UTC timestamp
Timestamp when the alert status was most recently updated.
location
list
You can include generic geolocation information in the location field of an ingested event. This is a structured list of key-value pairs, such as { City: 'London', Street: '31 High Street'}
maintenance
string
Reserved for future use.
manager
string
The generator or intermediary of the events in this alert.
service
list of strings
The applications or services associated with the events added to this alert.
severity
integer or string
The relative severity of the event: 0 = clear, 1 = unknown, 2 = warning, 3 = minor, 4 = major, 5 = critical.
source
string
The node where the original events and/or anomalies occurred. This is typically an IP or fully-qualified domain name.
status
string
The alert status: closed, in progress, open, resolved.
tags
string
All optional tags included in this alert. You can specify tags during ingestion, or use event enrichment to add tags after ingestion.
utcOffset
string
The UTC offset of the time zone where the events occurred.