Alerts 2.0 provides a comprehensive overview of your alert management system.
Powered by OpsQL, you can query, interpret, and act on the alerts.
With Alerts 2.0, you can do the following:
Search for queries using OpsQL, save, and share the views.
Note
If you select a specific client to search for alert queries, only those specific client queries are displayed.
View a summary of the specific alert in a slide-out panel for quick reference.
Perform actions on the alert from the slide-out panel.
Perform bulk actions on multiple alerts.
Select a refresh duration from 1 minute to 24 hours.
The New Alert listing page supports Service Provider context. Service Provider users can search for alerts across all clients within All Partners.
Alerts Column Settings
You can select alert attributes and resource attributes for listing from the Column Settings popup window.
Follow these steps to add or remove a column:
Click the Settings icon available on the upper-right corner of the alerts listing screen to view a list of alert attributes including resource attributes.
Search for the alert attribute or resource attribute.
Click Update. The Alerts listing page is updated accordingly.
The alert/resource attribute is added as a column in the list.Scroll to the right of the screen to view the column(s).
Updated attribute names
The below attribute names in the new alerts browser of the alert listing page have been changed:
Heal Time is now labeled as Alert Critical Warning Duration.
Created Time is now labeled as Triggered Time.
Manage External Ticket IDs
You can now track and manage external ticket IDs directly from the Alert Browser by:
Filter Using OPSQL: Use the extTicketId attribute in your OPSQL queries to filter alerts based on external ticket IDs. This helps in quickly locating alerts tied to specific external incidents.
Note
To search alerts using the extTicketId attribute in OPSQL, use the contains operator.
Add as a Column: Customize your Alert Browser view by adding the External Ticket ID field through the column settings. This provides quick access to ticket mappings without drilling into individual alert details. See Alerts Column Settings for more details about column settings.
View Multiple IDs: If an alert is linked to multiple external tickets, all associated IDs are displayed as comma-separated values in the column, making it easy to match with incident management systems.
Alert Email Notification
Email notification links for alerts now redirect to the new Alerts page instead of the classic view. Actions like Acknowledge and Suppress from escalation emails will also open directly in the new alert details page with the selected action applied.
Filter Alerts
You can use OpsQL to build custom queries that filter and analyze alert data effectively. Each query consists of attributes, operators, and values, allowing you to define precise conditions such as severity, alert state, source, and timestamps.
You can combine multiple conditions using logical operators and apply comparison operators to refine your search.
Filter alerts by Comments
You can use OpsQL to search and filter alerts based on comments and the timestamp of the last comment.
Supported Attributes
comment.description: Use this field to search for specific keywords or phrases within alert comments.
lastCommentDate: Use this field to filter alerts based on the date and time when the last comment was added to the alert.
Note
Exact Timestamp Required for lastCommentDate = SearchesWhen using the = operator with lastCommentDate, users must provide the full timestamp (including date, time, and seconds) for the query to return results.Example:
lastCommentDate = "2025-05-15T10:45:30Z"
Older alerts might not appear in results when filtering by comment date or comment content, especially if the comments were added before comment indexing was enabled.
If an alert has more than one comment containing the searched keyword, that alert will be listed multiple times in the results one for each matching comment.
When filtering using comment.description, it is expected that you may see duplicate alert IDs. Each row corresponds to a unique comment that matches the search criteria, even if multiple comments belong to the same alert.
Filter alerts by Suppression Duration
You can now use OpsQL queries in the Alerts Browser to search for suppressed alerts based on duration and specific time periods.
The following filters have been added to help users search and analyze suppressed alerts more effectively:
Filter alerts suppressed for a specific duration (in minutes):
"filterCriteria": "createdTime > -30d AND suppressDurationMins = 5"
Note
Searching by suppression duration in hours is not directly supported. You must convert hours into minutes and use the suppressDurationMins field.
Example workaround:To search for alerts suppressed for 2 hours:"filterCriteria": "createdTime > -30d AND suppressDurationMins = 120"
Filter alerts suppressed permanently:"filterCriteria": "createdTime > -30d AND suppressDurationMins = 0 AND status = 'Suppressed'"
Filter alerts suppressed between specific dates and times:"filterCriteria": "status = 'Suppressed' AND statusHistory.suppressedTime > '2025-03-10T10:05:00+0000' AND statusHistory.suppressedTime < '2025-03-11T10:05:00+0000'"This returns all alerts that were suppressed between March 10th, 10:05 AM UTC and March 11th, 10:05 AM UTC.
Alerts Slide-Out
You can view the summary of an alert on the Alerts Slide-Out.
To view the Alerts slide-out:
Click the Alert ID on the Alerts listing page. By default, the open and acknowledged alerts for the last seven days are displayed. To learn how to build queries, click here.
The alerts slide-out has the following information:
The current Alert status, alert state and Alert ID information is displayed along with the alert subject.
The First alert time and Last alert time information
Total occurrence (repeat count) of the alert, Inference, Correlated (The Inference information appears if it is a correlated alert. The Correlated information appears if it is an inference alert. Click the respective links to get the details.)
Information like Alert Type, Resource, Metric, Component, Client, Alert Description, Resource Type.
Last Comment information
Show More: Click View Details to view the alert details.
ACTIONS: Use the ACTIONS button to perform the following actions on an alert:
Action
Description
View details
Refers to an option that allows the user to see more information about the alert.
Acknowledge
Acknowledging an alert is a way of confirming that you have seen it and are aware of its existence.
You can attach an incident to an alert to establish a clear relationship between a specific alert and a broader incident.
Run Process
Adds a process definition to an alert and runs the process.
Heal
Heals an alert.
Acknowledge an alert
Acknowledging an alert typically means that you confirm that you have seen and are aware of the alert. When an alert is generated, it requires some action or attention from a user. Acknowledging alerts helps ensure that critical issues are not overlooked and appropriate actions are taken on time to address them. It also helps facilitate communication and coordination among team members by providing clarity on who is responsible for handling each alert.
To acknowledge an alert:
Select an alert from the alerts browser.The slide-out is displayed.
Click Actions from the slide-out.
Select Acknowledge from the list.The ACKNOWLEDGE ALERTS page is displayed.
Enter the comments under Comments section.
Click ACKNOWLEDGE.The alert is acknowledged.
You can access the details of the last acknowledged user and leave comments directly from the ACTIVITY LOG tab within the slide-out.
Create incident
Navigate to the Alerts page.
From the list, select an alert for which you want to create an incident.The slide-out is displayed.
Click Actions from the slide-out.
Select Create incident from the list.The create incident page is displayed.
Enter the incident details and click Save.The incident is created.
You can find the incident number in the “incidentId” column. By clicking on the incidentId, you can access the details of the corresponding incident in the alert slide-out window. From there, you can modify the incident and take further action.
Suppress an Alert
Navigate to the Alerts page.
From the list, select an alert which you want to suppress.The slide-out is displayed.
Click Actions from the slide-out.
Select Suppress from the list.The SUPPRESS ALERTS page is displayed.
Select the suppress duration and enter your comments.
Click SUPPRESS.
Create Inference
Note
You can create an inference only if you have the ALERTS_MANAGE permission.
Creating an inference allows you to group multiple related alerts into a single, meaningful event. This helps in identifying the root cause more efficiently by analyzing patterns across alerts that may originate from the same resource or services.
Navigate to the Alerts page.
From the list, select multiple alerts that you want to create inference.
Click Actions.
Select Create Inference from the list.The Create Inference Alert slide-out is displayed.
On the Create Inference Alert page, enter below information:
Alert to be Inference: This section displays the list of alerts you’ve selected to be part of the inference. Each alert is shown with its:
ID
Created Time
Subject
Subject: Enter a summary or title for the inference. You can use $ to insert a dynamic field reference.
Description: Provide additional details about the inference. This can include the context, suspected root cause, or any relevant information. Like the subject, you can use $ to insert field references.
Click CREATE INFERENCE.The inference is now created.
Merge Inferences
You can now merge multiple child inferences with a status of Open or Acknowledged into a manually created Master Inference Alert directly from the Alert Browser. This feature helps reduce noise by grouping related inferences under a single master alert, improving incident investigation and resolution workflows.
Note
This feature is only applicable to inferences that are manually created. System-generated inferences cannot be used as master alerts for merging.
Navigate to the Alerts page.
From the list, select multiple child inferences that you want to merge.
Note
To retrieve a list of manually created inference alerts, you can use the following OPSQL query in the Alert Browser:isInferenceAlert = "true" AND correlationPolicyId IS NULL
Click Actions.
Select Attach Inference from the list.The Attach Inference Alert slide-out is displayed.
On the Attach Inference Alert page, select the manually created master inference to which you want to attach the selected child inferences.
Note
You can select up to 250 alerts when creating a manual inference. If one or more of the selected alerts are inference alerts, the selection limit is reduced to 50 alerts.
Older inferences can be selected as child alerts and attached to a new master inference created within the last 24 hours.
Inferences older than 24 hours cannot be used as master inferences, but they can still be selected as child inferences.
Click ATTACH INFERENCE.
Export
The Export functionality lets you to export the response alerts from the Alerts 2.0 page as a report.
Prerequisite: The Alert Listing app should be installed.
To export alerts filter criteria:
From All Clients, select a client.
On the Alerts 2.0 page, use the search option to search for alerts using the OpsQL query.The Search results are displayed.
Click the Export icon available next to the Filters option.A message asks the user to install the Alert Listing app if it is not already installed. Click Install App to install the app.
The page is redirected to the Alert Listing app screen.The configuration properties in the Alert Listing app are auto-filled with the filter criteria that were provided in the search.The run process is initiated. The process progress depends on the data and the configuration parameters.
Click the Recent icon available in the Configure Parameters section to view the progress.
How to build queries
Build queries using the basic and advanced query modes. The query modes have attributes, logical operators, and values that are dynamically populated. Select these parameters to form valid expressions and complete building the queries.
The following sections describe the steps that both the basic and advanced users should follow for building the queries:
A beginner can start querying using the Basic Query mode. The Basic Query mode allows you to create a query without knowing the exact syntax.
To build a query:
Click Command Center > Alerts. The ALERTS query page is displayed.
By default, the Open and Acknowledged alerts that have been updated within the last 7 Days are displayed. To clear the query, click the close X icon.
To start building a query, click +QUERY. The ATTRIBUTES list is populated.
Select an attribute and then select an operator from the OPERATORS drop-down that is dynamically populated.
Select a value from the VALUES drop-down. The values are populated based on the selected attribute and operator.
The query result is displayed.
Click + to add another expression.
The AND logical operator is selected by default. Click and select the desired operator.
Follow the steps mentioned above to form another expression – attribute, operator and value.
The query result is displayed.
The following additional actions can be performed:
To create a new tab, click +.
To delete a query, click X.
Click REFRESH to refresh the query result list. You can set the refresh duration from 1 Minute to 24 Hours. The default is set to 15 Minutes. Click Off if you do not want to refresh the query result list.
For Power Users
As a power user you can go ahead and use the Advance Query mode.
To start querying:
Click Command Center > Alerts. The ALERTS query page is displayed.By default, the Open and Acknowledged alerts that have been updated within the last 7 Days are displayed on the Alerts page. To clear the query, click the close X icon.
Click the Advance Query mode icon to switch to the Advance query mode.
As soon as you start typing the attribute name in the Search box, the available attributes are displayed automatically.
Select the attribute and the operator from the dynamically populated matching operator list and then type in (or select) a value.
Select the logical operators, AND or OR
Follow the steps mentioned above – select the attribute, operator and value to form an expression.
You can add as many valid expressions as possible.
Click the search icon or hit enter. The query result is displayed.
You can click the Basic Query mode icon to switch to the Basic Query mode.
Switch between Basic and Advanced Query modes at any time
You can switch between the Basic and the Advanced Query modes anytime without making any changes to the query.
For more information on the OpsQL Query Language and examples, click here.
Alert filters
The following filters can be applied to alerts using Alerts 2.0:
Attribute Name
Description
Created Time
Alert created time. Select the date range.
Updated Time
Alert updated time. Select the date range.
Resources
Search for the resources. Note: Also available as an inline filter.
Entity Type
Filter alerts by entity type:
Resource
Integration
Service
Client
Metrics
Filter alerts by metric name. Note: Also available as an inline filter.
Resource Types
Filter alerts by resource type.
Alert Types
Filter alerts by alert type:
Agent
Obsolete
Scheduled Maintenance
Forecast
Change Detection
Prediction
Maintenance
Monitoring
Priorities
Filter alerts by priority, where P0 is the highest priority and P5 is the lowest priority.
Current States
Filter alerts by their current state:
Critical
Warning
Ok
Info
Observed
Status
Filter alerts by their current status:
Acknowledged
Ticketed
Closed
Suppressed
Open
Correlated
Inline filter
The Inline filter allows users to add the value of a cell as an additional filter. In the following example, clicking the filter icon filters the results of the table, where the metric is CPU.
View Resource Custom Attributes as Alert Tags
Prerequisite
You must define the custom attributes as alert tags on the associated resources. See Add custom attribute values for more details.
Custom attributes defined at the resource level and marked as Alert Tags are now automatically reflected in alerts triggered by those resources. This feature improves alert visibility and filtering by bringing key resource context into the alert view.
Filtering Alerts Using Resource TagsYou can also use these alert tags in OPSQL queries to filter relevant alerts as shown below:
In the image above, the OPSQL query filters all alerts where the custom attribute Extension has the value http://test.com.
Where to View Alert Tags
On the Alerts page, select the alert for which you want to view the associated alert tags.
On the alert details page, select CUSTOM ATTRIBUTES tab.
Under the ALERT TAGS section, you will see all resource custom attributes that are marked as alert tags.These tags mirror the values defined on the impacted resource.
The custom attributes attr and Extension are tagged at the resource level.
Correlated and Inference Alert Icons
You can identify Correlated and Inference alerts by icons in the Alerts 2.0 page. To identify the correlated and inference alerts, hover over the icon next to the Alert ID, on the Alerts 2.0 page.
De-Correlate Alerts
You can de-correlate a single or multiple correlated alerts from the ALerts 2.0 page.
To de-correlate an alert:
In the Alerts 2.0 page, select a single or multiple correlated alerts that you want to de-correlate.
Click Actions.
Select De-Correlate from the drop-down list.
The DE-CORRELATE ALERTS slide-out page is displayed.
Enter the comments and click DE-CORRELATE. The correlated alert is de-correlated.
My Alerts Views
To navigate to the My Alerts Views slide-out:
Click the hamburger menu icon at the upper-left corner of the Alerts page, to view the My Alerts Views slide-out.
You can perform the following actions from the My Alerts Views slide-out:
Once you execute a query, you can save the query results as a view.
To save a view:
Click the hamburger menu icon at the upper-left corner of the Alerts page.
From the slide-out, click the + icon. The SAVE VIEW popup is displayed.
Enter a name for the view and click ADD.
The view is saved and displayed in the slide-out.
Use the up/down arrow icons to hide/show the views in the slide-out.
The Save and Restore icons appear after you create a view.
Set Favorite
To mark a view as favorite:
Search for the view using the search icon.
Hover over the view name on the slide-out.
Click the star icon. The view is added as favorite and appears under the FAVORITE category. The blue colored star icon indicates that the view is added as favorite.
If you want to unfavorite the view, click the blue colored star against the view. The view is removed from the Favorite category.
You can perform the following other actions on the saved view:
Restore
The Restore option reverts to the previous query.
Once you have made changes to a specific query, which is already saved as a view:
Hover over the view name on the slide-out.
Click the actions menu. The VIEW OPTIONS popup is displayed.
Click the Restore option. The previous query automatically appears in the Search box. Note: You must not save the changes you made to the query for the view. Otherwise, the query will not be reverted.
Rename
The Rename option allows you to rename the name of the view.
To rename a view:
Hover over the view name on the slide-out.
Click the actions menu. The VIEW OPTIONS popup is displayed.
Click the Rename option. The RENAME VIEW popup is displayed.
Enter a new name for the view in the Name box and click SAVE. The view is renamed.
Copy
The Copy option allows you to create a copy of a view.
To create a copy of a view:
Hover over the view name on the slide-out.
Click the actions menu. The VIEW OPTIONS popup is displayed.
Click the Copy option. The COPY VIEW popup is displayed.
Enter a name for the view in the Name box and click SAVE. The view is copied and is displayed in the slide-out.
Set Default View
The Set Default View option allows you to set a view as a default view for the current user.
To set a view as a default:
Hover over the view name on the slide-out.
Click the actions menu. The VIEW OPTIONS popup is displayed.
Click the Set Default View option. The Set Default View dialog box is displayed.
Turn on the My Default View option.
Click the SET DEFAULT button.
Refresh the browser. You can see that the view is set as default for the current user.
To set the default view for other users, share the view and make it default for the user you want to set as default.
Share
The Share option allows you to share an alert view to a particular partner or client role. Select the Partner Roles and Client Roles from the Share View - View Name window and click Share.
To share a view:
Hover over the view name on the slide-out.
Click the actions menu. The VIEW OPTIONS popup is displayed.
Click the Share option. The Share View dialog box is displayed.
Select a role from the drop-down list.
Click SHARE. The view is shared.
Notes:
The view will be available to the users with the assigned roles.
If you are logged in as a Partner, you can share the alert view to both partners and clients.
If you are logged in as a Client, you can share the alert view only to the clients.
The views can be shared to more than one role.
A user who has selected a default view can also assign it as a default to other users. To do so, the user has to share the view using the View - Share option.
Remove
The Remove option allows you to remove a view.
To remove a view:
Hover over the view name on the slide-out.
Click the actions menu. The VIEW OPTIONS popup is displayed.
Click the Remove option. A confirmation dialog box is displayed.
Click REMOVE. The view is removed.
Alerts Details page
The new Alerts details page provides a comprehensive view of the alerts that are generated.
The Alerts Details page allows you to:
View information about an alert.
Perform various actions like create an incident, attach an incident, view alert history, view resource alerts.
To access the Alerts Details page:
Click Command Center > Alerts. The Alerts listing page is displayed.
Click the Alert ID for which you want to view details. The alerts slide-out is displayed which has the summary of the alert.
Click View details.
Following is the information that is displayed on the Alerts details page and the actions you can perform:
Information
Action/Description
Repeat Count
Count of the number of duplicate alerts generated by the resource. Click the repeat count link. This shows the list of alerts in a popover.
Ticket - Create or Attach
Click the Create/Attach link to either create a new incident or attach an existing incident to the alert.
To create an incident, click Create , enter the information required and click the Create button.
To attach an incident, click Attach. Select the incident from the Attach to Alert window and click the Attach button. You can also change the query to search for an incident.
First Alert Time
The time when the first alert was generated.
Elapsed Time
The time from when the first alert was generated till the current time.
Inference
Clicking the link opens up a tab that shows the inference alerts listing page.
Correlated
Clicking the link opens up a tab that shows the correlated alerts listing page.
Alert History
The alert occurrence over a period of time. By default, it shows the occurrence of the alert for the past 7 days and the next 7 days.
Hover over the bubble chart to view the number of alerts with their states. Click on a bubble to view the list of alerts.
You can change the time period to 15 or 30 days by clicking the This Alert +/- 7 Days link.
A graph is shown for the metric, for the same time range, based on the component. Hover over the graph to view the metric value and the time.
Alert logs: View the alert logs, if available.
Knowledge Base
Click the Knowledge Base tab to view the list of KB articles.
Actions
You can perform the following actions from the Actions dropdown:
Escalation Policy: Shows all the related escalation policies.
Acknowledge: Acknowledge the alert
Suppress: Suppress the alert
Create Incident: Create an incident
Update Incident: Update the incident
Run Process: Run a process
Heal: Heal the alert
Close: Close the alert
Remote consoles and Run Command icons
You can launch Remote consoles and Run Command to troubleshoot on the devices directly from the Alerts details page.
Topology icon
It will navigate to the topology map, which shows all the connected devices.
Examples
The following are example illustrations for each alerts:
Log Alert Visualization with Inputs
The subsequent section provides a visual representation of log alerts along with their corresponding inputs. The log time range is prominently displayed, and by clicking it, you are seamlessly navigated to the logs page.
In contrast to the previous version where only the metric graph was visible, the updated visualization now includes a logarithmic graph. Moreover, the definition name is now presented as LOG.
Filter: alertType = LOG
Change Detection Alert Visualization with Inputs
For lower, upper, and average values, you’ll see the alert definition name if created through an alert definition, and the template name if created from a template.
By clicking on the Definitions page within the details section, you will be redirected to the Alerts page.
Filter: alertType = Change_Detection
Monitoring Alerts Visualization with Inputs
Upon the generation of an alert from an alert definition, the alert definition name will be visibly presented. In cases where the alert is created from a template, the monitoring template name will be displayed.
Note: Alerts generated from the Alert Definition are produced using PromQL.
Filter: alertType = Monitoring
Integration Alerts Visualization with Inputs
When object type is equal to integrations, only integration data is present; no resource data is included. The name of the integration data is specified.
Filter: Object Type = Integration
Note
This is a feature-flag based functionality. Contact OpsRamp Support for more information.
View Historical Alert Comments
You can use the Include Alert Comment History checkbox on the alert details page to view previous comments logged in the Activity Log (Alert Log) for alerts that have reappeared on the same Host, Metric, and Component.
Use CaseWhen a new alert is triggered for the same Host, Metric, and Component combination as a previous one, users often need to quickly understand the alert’s history. By enabling the Include Alert Comment History option, you can access comments from prior alerts, giving you insight into past troubleshooting actions.
To enable the checkbox:
From the Alerts page, select any alert to view its details.
On the alert details page, scroll down to the Alert Log section.
Select the Include Alert Comment History checkbox.The system displays up to the last 200 comments from historical alerts.
