Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.
View alert state and history
An alert rule and its corresponding alert instances can transition through distinct states during their evaluation. There are three key components that helps us understand the behavior of our alerts:
- Alert Instance State: Refers to the state of the individual alert instances.
- Alert Rule State: Determined by the “worst state” among its alert instances.
- Alert Rule Health: Indicates the status in cases of
Error
orNoData
events.
To view the state and health of your alert rules:
- In the left-side menu, click Alerts & IRM and then Alerting.
- Click Alert rules to view the list of existing alerts.
- Click an alert rule to view its state, health, and state history.
View state history
Use the State history view to get insight into how your alert instances behave over time. View information on when a state change occurred, what the previous state was, the current state, any other alert instances that changed their state at the same time as well as what the query value was that triggered the change.
Note
Open source users must configure alert state history in order to be able to access the view.
To access the State history view, complete the following steps.
Navigate to Alerts & IRM -> Alerting -> Alert rules.
Click an alert rule.
Select Show state history.
The State history view opens.
The timeline view at the top displays a timeline of changes for the past hour, so you can track how your alert instances are behaving over time.
The bottom part shows the alert instances, their previous and current state, the value of each part of the expression and a unique set of labels.
Common labels are displayed at the top to make it easier to identify different alert instances.
From the timeline view, hover over a time to get an automatic display of all the changes that happened at that particular moment.
These changes are displayed in real time in the timestamp view at the bottom of the page. The timestamp view is a list of all the alert instances that changed state at that point in time. The visualization only displays 12 instances by default.
The value shown for each instance is for each part of the expression that was evaluated.
Click the labels to filter and narrow down the results.