SumoLogic
diff --git a/‎blog-service/2022/12-31.md‎
Lines changed: 1 addition & 1 deletion b/‎blog-service/2022/12-31.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/alerts/monitors/alert-response.md‎
Lines changed: 8 additions & 9 deletions b/‎docs/alerts/monitors/alert-response.md‎
Lines changed: 8 additions & 9 deletions
diff --git a/‎docs/alerts/monitors/alert-variables.md‎
Lines changed: 32 additions & 30 deletions b/‎docs/alerts/monitors/alert-variables.md‎
Lines changed: 32 additions & 30 deletions
@@ -204,7 +204,7 @@ Update - GitHub Advanced Security dashboards are now available for the Sumo Logi
 
 New - We’re happy to announce the release of Alert Grouping, which allows you to generate more than one alert from a given monitor by specifying a group condition on one or more fields. For example, rather than creating multiple monitors for each `service`, you could create one single monitor that notifies you when some metric (i.e., CPU utilization, error count) goes above the threshold for a given `service`. [Learn more](/docs/alerts/monitors/alert-grouping).
 
-New - Configurable Resolution Window for Logs allows more quickly resolve alerts when the underlying issues are fixed. You can configure how long a monitor will wait, before resolving the alert, when the underlying issues was corrected (earlier the monitor waited one complete window before resolving). [Learn more](/docs/alerts/monitors/create-monitor/#trigger-type).
+New - Configurable Resolution Window for Logs allows more quickly resolve alerts when the underlying issues are fixed. You can configure how long a monitor will wait, before resolving the alert, when the underlying issues was corrected (earlier the monitor waited one complete window before resolving). See [Logs trigger types](/docs/alerts/monitors/create-monitor/#trigger-type-logs) and [Metrics trigger types](/docs/alerts/monitors/create-monitor/#trigger-type-metrics).
 
 New - You can now access your monitor playbook as a template variable, `{{playbook}}`. You can reference this template variable to customize your notification payloads similar to any other template variable. [Learn more](/docs/alerts/monitors/alert-variables).
 
 
@@ -63,26 +63,25 @@ The following is an example Slack payload with the variable:
 
 ## Alerts list
 
-The Alerts list shows all of your Alerts from monitors triggered within the past seven days. By default, the list is sorted by status (showing **Active** on top, followed by **Resolved**), and then chronologically by creation time.
+The Alerts list shows all of your Alerts from monitors triggered within the past 7 days. By default, the list is sorted by status (showing **Active** on top, followed by **Resolved**), and then chronologically by creation time.
 
 [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). To access the Alerts list, click the bell icon in the top menu. <br/> <img src={useBaseUrl('img/alerts/alert-list-page-bell-border.png')} alt="alert-list-page-bell-border" width="300"/>
 
 [**New UI**](/docs/get-started/sumo-logic-ui/). To access the Alerts list, in the main Sumo Logic menu select **Alerts > Alert List**. You can also click the **Go To...** menu at the top of the screen and select **Alert List**.
- 
 
 To filter or sort by category (e.g., **Name**, **Severity**, **Status**), you can use the search bar or click on a column header.<br/>![search alert list.png](/img/monitors/search-alert-list.png)
 
 :::info Limitations
 The Alerts list displays up to 1,000 alerts.
 :::
 
-### Resolve alerts
+### Resolving alerts
 
 To resolve an alert, click a row to select it, then click **Resolve**.
 
 ### Translating thresholds
 
-Threshold translating allows you to open the Alert Response Page in the **Metrics Explorer** that helps you to easily view the threshold associated with an alert. This also helps you to understand how your monitor's thresholds are translating into metrics and compare the threshold values set in a monitor with the data displayed in the Metrics Explorer chart.
+Threshold translating allows you to open the Alert Response page in the **Metrics Explorer** that helps you to easily view the threshold associated with an alert. This also helps you to understand how your monitor's thresholds are translating into metrics and compare the threshold values set in a monitor with the data displayed in the Metrics Explorer chart.
 
 For example, when you open an alert response page in Metrics Explorer, you can see critical thresholds defined with some number. You can then see that this threshold is also applied and enabled in the Metrics Explorer view, with exactly the same number defined.<br/> <img src={useBaseUrl('img/alerts/arp-metrics-explorer.png')} alt="arp-metrics-explorer" width="800"/>
 
@@ -99,7 +98,7 @@ To view the Alert Response chart in Metrics Explorer, follow the steps below:
 1. Use this feature to compare the threshold values set in a monitor with the data displayed in the Metrics Explorer graph and gain a better understanding of how your monitors are translating into metrics.
 
 :::note
-Note that the same threshold translating functionality supports to [Create Monitors from the Metrics Explorer](/docs/alerts/monitors/create-monitor/#from-your-metrics-explorer) and [Opening Monitor in the Metrics Explorer](/docs/alerts/monitors/settings/#view-in-metrics-explorer).
+Note that the same threshold translating functionality supports to [Create Monitors from the Metrics Explorer](/docs/alerts/monitors/create-monitor/#from-metrics-explorer) and [Opening Monitor in the Metrics Explorer](/docs/alerts/monitors/settings/#view-in-metrics-explorer).
 :::
 
 
@@ -111,7 +110,7 @@ An Alert provides curated information to on-calls in order for them to troublesh
 * **Alert Details**. Overview of the alert that was triggered to help you understand the issue and its potential impact. 
 * **Alert Context**. System curated context helps you understand potential underlying symptoms within the system that might be causing the issue.
 
-### Alert Details
+### Alert details
 
 The details section provides:
 * a chart to visualize the alerting KPI before and during the alert.
@@ -154,13 +153,13 @@ Below this, as you scroll down on the page, you'll see context cards covered in
 * Related Alerts and Monitor History show the top 250 alerts.
 :::
 
-### Context Cards
+### Alert context cards
 
 **Alert Context** provides additional insights that the system has discovered automatically by analyzing your data. The system uses artificial intelligence and machine learning to track your logs and metrics data and find interesting patterns in the data that might help explain the underlying issue and surfaces them in the form of context cards.
 
 Depending on the type of data an alert is based on (metrics or logs) and the detection method (static or outlier), you'll see different context cards. You will see a progress spinner labeled **Analyzing alert content** at the bottom of the window when cards are still being loaded. It may take a minute for some cards to load.<br/> ![analyzing alert content.png](/img/monitors/analyzing-alert-content.png)
 
-### Log Fluctuations
+### Log fluctuations
 
 This card detects different signatures in your log messages using [LogReduce](/docs/search/logreduce) such as errors, exceptions, timeouts, and successes. It compares log signatures trends with a normal baseline period and surfaces noteworthy changes in signatures.
 
@@ -315,7 +314,7 @@ To cancel an inherited subscription, you'll need to remove the subscription from
 
 Alert notification preferences give you granular control over specific monitor activity you want to follow.<br/><img src={useBaseUrl('img/alerts/alert-preferences.png')} alt="alert-list-page-bell-border" width="400"/>
 
-1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select your username and then **Preferences**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu, select your username and then **Preferences**. 
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select your username and then **Preferences**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu, select your username and then **Preferences**.
 2. Click on any of the following checkboxes to enable your desired preferences:
    * **Display alert badge when my subscribed monitors are triggered**. the bell icon is displayed in the top nav
    * **Notify about only subscribed monitors**. the bell icon will only push notifications for monitors you're subscribed to
 
@@ -23,7 +23,7 @@ Variables must be enclosed by double curly brackets (`{{ }}`). Unresolved variab
 | `{{Query}}` | The query used to run the alert. | &#9989;| &#9989;|
 | `{{QueryURL}}` | The URL to the logs or metrics query within Sumo Logic. | &#9989;| &#9989;|
 | `{{ResultsJson}}` | JSON object containing the query results that triggered the alert. A maximum of 200 aggregate results or 10 raw messages for this field can be sent via webhook. | &#9989;| &#9989;<br/>Not available with Email notifications |
-| `{{ResultsJson.fieldName}}` | The value of the specified field name. For example, the payload specification `{{ResultsJson.client_ip}} had {{ResultsJson.errors}} errors` would result in a subject line like this: `70.69.152.165 had 391 errors`.<br/><br/>A maximum of 200 aggregate results or 10 raw messages for this field can be sent via webhook.<br/><br/>A field name must match (case-insensitive) the field from your search and must be alphanumeric characters, underscores, and spaces. If you have a field name that has an unsupported character, use the [`as`](../../search/search-query-language/search-operators/as.md) operator to rename it.<br/><br/>You can return a specific result by providing an array index value in bracket notation such as `{{ResultsJson.fieldName}}[0]` to return the first result.<br/><br/>**Reserved Fields**<br/>The following are reserved field names. They are generated by Sumo Logic during collection or search operations.<ul><li>_raw - Message</li><li>_messagetime - Time</li><li>_sourceHost - Host</li><li>_sourceCategory - Category</li><li>_sourceName - Name</li><li>_collector - Collector</li><li>_timeslice</li><li>_signature</li></ul> | &#9989;| &#9989;<br/>Email notifications only return the first result. |
+| `{{ResultsJson.fieldName}}` | The value of the specified field name. For example, the payload specification `{{ResultsJson.client_ip}} had {{ResultsJson.errors}} errors` would result in a subject line like this: `70.69.152.165 had 391 errors`.<br/><br/>A maximum of 200 aggregate results or 10 raw messages for this field can be sent via webhook.<br/><br/>A field name must match (case-insensitive) the field from your search and must be alphanumeric characters, underscores, and spaces. If you have a field name that has an unsupported character, use the [`as`](../../search/search-query-language/search-operators/as.md) operator to rename it.<br/><br/>You can return a specific result by providing an array index value in bracket notation such as `{{ResultsJson.fieldName}}[0]` to return the first result.<br/><br/>**Reserved Fields**<br/>The following are reserved field names. They are generated by Sumo Logic during collection or search operations.<ul><li>`_raw` - Message</li><li>_messagetime - Time</li><li>`_sourceHost` - Host</li><li>`_sourceCategory` - Category</li><li>`_sourceName` - Name</li><li>`_collector` - Collector</li><li>`_timeslice`</li><li>`_signature`</li></ul> | &#9989;| &#9989;<br/>Email notifications only return the first result. |
 | `{{NumQueryResults}}` | The number of results the query returned. Results can be raw messages, time-series, or aggregates.<br/>An aggregate query returns the number of aggregate results; displayed in the **Aggregates** tab of the [Search page](/docs/search).<br/>A non-aggregate query returns the number of raw results; displayed in the **Messages** tab of the [Log Search](/docs/search) page. | &#9989;| &#9989;|
 | `{{Id}}` | The unique identifier of the monitor or search that triggered the alert. For example, `00000000000468D5`. | &#9989;| &#9989;|
 | `{{DetectionMethod}}` | This is the type of Detection Method used to detect alerts. Values are based on static or outlier triggers and data type, either logs or metrics. The value will be either `LogsStaticCondition`, `MetricsStaticCondition`, `LogsOutlierCondition`, `MetricsOutlierCondition`,  `LogsMissingDataCondition`, `MetricsMissingDataCondition`, or `StaticCondition` (deprecated). | &#9989;| &#9989;|
@@ -37,7 +37,37 @@ Variables must be enclosed by double curly brackets (`{{ }}`). Unresolved variab
 | `{{SourceURL}}` | The URL to the configuration or status page of the monitor in Sumo Logic. | &#9989;| &#10060; |
 | `{{AlertResponseUrl}}` | When your monitor is triggered, it will generate a URL and provide it as the value of this variable where you can use it to open alert response. | &#9989;| &#10060; |
 | `{{AlertName}}` | Name of the alert that will be displayed on the alert page.  | &#9989;| &#9989;|
-| `{{Playbook}}` | Allows you to access the [playbook content](/docs/alerts/monitors/create-monitor#trigger-type) that was configured as part of the initial monitor setup. | &#9989;| &#9989;|
+| `{{Playbook}}` | Allows you to access the [playbook content](/docs/alerts/monitors/create-monitor/#step-4-playbook-optional) configured as part of your initial monitor setup. | &#9989;| &#9989;|
+
+:::info Legacy variables
+
+Here are legacy variables available for alert notifications from metrics monitors and Scheduled Searches.
+
+<details>
+<summary>Click to view</summary>
+
+| Variables | Description | Metrics Monitors | Scheduled Searches |
+| :-- | :-- | :-- | :-- |
+|  `{{SearchName}}` | Description of the saved search or monitor. In the delivered payload, this variable is replaced with the Name you assigned to the search or monitor when you created it. | &#9989;| &#9989;|
+| `{{SearchDescription}}` | Description of the saved search or monitor. In the delivered payload, this variable is replaced by the Description you assigned to the search or monitor when you created it. | &#9989;| &#9989;|
+| `{{SearchQuery}}` | The query used to run the saved search. In the delivered payload, this variable is replaced by your saved search query or metric query. | &#9989;| &#9989;|
+| `{{SearchQueryUrl}}` | The URL to the search or metrics query. In the delivered payload, this is a URL that you can click to run the saved logs or metric query. | &#9989;| &#9989;|
+| `{{TimeRange}}` | The time range that triggered the alert. | &#9989;| &#9989;|
+| `{{FireTime}}` | The start time of the log search or metric query that triggered the notification. | &#9989;| &#9989;|
+| ` {{AggregateResultsJson}}` | JSON object containing search aggregation results. A maximum of 200 aggregate results can be sent via webhook. | &#10060; | &#9989; <br/>Not available with Email notifications |
+| `{{RawResultsJson}}` | JSON object containing raw messages. A maximum of 10 raw messages can be sent via webhook. | &#10060; | &#9989;<br/>Not available with Email notifications |
+| `{{NumRawResults}}` | Number of results returned by the search. | &#10060; | &#9989;|
+| `{{Results.fieldname}}` | The value returned from the search result for the specified field. For example, this payload specification:<br/>`{{Results.client_ip}} had {{Results.errors}} errors`<br/>Results in a subject line like this:<br/>`70.69.152.165 had 391 errors`<br/>A maximum of 200 aggregate results or 10 raw messages for this field can be sent via webhook.<br/>A field name must match (case-insensitive) the field from your search and must be **alphanumeric characters**, **underscores**, and b. If you have a field name that has an unsupported character use the [as](../../search/search-query-language/search-operators/as.md) operator to rename it. | &#9989;| &#9989;|
+| `{{AlertThreshold}}` | The condition that triggered the alert (for example, above 90 at least once in the last 5 minutes) | &#9989;| &#10060; |
+| `{{AlertSource}}` | The metric and sourceHost that triggered the alert, including associated tags for that metric. | &#9989;| &#10060; |
+| `{{AlertGroup}}` | The alert grouping that triggered the alert, including associated values for that metric. | &#9989;| &#10060; |
+| `{{AlertSource.fieldname}}` | The value returned from the AlertSource object for the specified field name. | &#9989;| &#10060; |
+| `{{AlertID}}` | The ID of the triggered alert. | &#9989;| &#10060; |
+| `{{AlertStatus}}` | Current status of the time series that triggered (for example, Critical or Warning). | &#9989;| &#10060; |
+| `{{AlertCondition}}` | The condition that triggered the alert. | &#10060; | &#9989; |
+
+</details>
+:::
 
 ## Examples
 
@@ -90,31 +120,3 @@ Variables must be enclosed by double curly brackets (`{{ }}`). Unresolved variab
 ```sql
 Monitor Alert: {{TriggerTimeRange}} on {{Name}}
 ```
-
-## Legacy variables
-
-This section provides the old variables available for alert notifications from metrics monitors and Scheduled Searches. The following table shows where the old variables are supported.
-
-:::tip
-We recommend instead using the new variables listed above. In the future, legacy variables will be deprecated.
-:::
-
-| Variables | Description | Metrics Monitors | Scheduled Searches |
-| :-- | :-- | :-- | :-- |
-|  `{{SearchName}}` | Description of the saved search or monitor. In the delivered payload, this variable is replaced with the Name you assigned to the search or monitor when you created it. | &#9989;| &#9989;|
-| `{{SearchDescription}}` | Description of the saved search or monitor. In the delivered payload, this variable is replaced by the Description you assigned to the search or monitor when you created it. | &#9989;| &#9989;|
-| `{{SearchQuery}}` | The query used to run the saved search. In the delivered payload, this variable is replaced by your saved search query or metric query. | &#9989;| &#9989;|
-| `{{SearchQueryUrl}}` | The URL to the search or metrics query. In the delivered payload, this is a URL that you can click to run the saved logs or metric query. | &#9989;| &#9989;|
-| `{{TimeRange}}` | The time range that triggered the alert. | &#9989;| &#9989;|
-| `{{FireTime}}` | The start time of the log search or metric query that triggered the notification. | &#9989;| &#9989;|
-| ` {{AggregateResultsJson}}` | JSON object containing search aggregation results. A maximum of 200 aggregate results can be sent via webhook. | &#10060; | &#9989; <br/>Not available with Email notifications |
-| `{{RawResultsJson}}` | JSON object containing raw messages. A maximum of 10 raw messages can be sent via webhook. | &#10060; | &#9989;<br/>Not available with Email notifications |
-| `{{NumRawResults}}` | Number of results returned by the search. | &#10060; | &#9989;|
-| `{{Results.fieldname}}` | The value returned from the search result for the specified field. For example, this payload specification:<br/>`{{Results.client_ip}} had {{Results.errors}} errors`<br/>Results in a subject line like this:<br/>`70.69.152.165 had 391 errors`<br/>A maximum of 200 aggregate results or 10 raw messages for this field can be sent via webhook.<br/>A field name must match (case-insensitive) the field from your search and must be **alphanumeric characters**, **underscores**, and b. If you have a field name that has an unsupported character use the [as](../../search/search-query-language/search-operators/as.md) operator to rename it. | &#9989;| &#9989;|
-| `{{AlertThreshold}}` | The condition that triggered the alert (for example, above 90 at least once in the last 5 minutes) | &#9989;| &#10060; |
-| `{{AlertSource}}` | The metric and sourceHost that triggered the alert, including associated tags for that metric. | &#9989;| &#10060; |
-| `{{AlertGroup}}` | The alert grouping that triggered the alert, including associated values for that metric. | &#9989;| &#10060; |
-| `{{AlertSource.fieldname}}` | The value returned from the AlertSource object for the specified field name. | &#9989;| &#10060; |
-| `{{AlertID}}` | The ID of the triggered alert. | &#9989;| &#10060; |
-| `{{AlertStatus}}` | Current status of the time series that triggered (for example, Critical or Warning). | &#9989;| &#10060; |
-| `{{AlertCondition}}` | The condition that triggered the alert. | &#10060; | &#9989; |