From 4ac650f0a48dcfecdb6f6768a8d88ef53cb85a73 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 15 Aug 2025 13:12:08 -0400 Subject: [PATCH 01/13] First draft --- .../incident-management/view-alerts.md | 34 +++++++++++-------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 8de5f64c3f..0d2ab9e09c 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md @@ -50,6 +50,18 @@ From the **Alerts** table, you can click on a specific alert to open the alert d :screenshot: ::: +To further inspect the rule: + +* From the alert detail flyout, click **View rule details**. +* From the **Alerts** table, click the ![More actions](/solutions/images/serverless-boxesHorizontal.svg "") icon and select **View rule details**. + +To view the alert in the app that triggered it: + +* From the alert detail flyout, click **View in app**. +* From the **Alerts** table, click the ![View in app](/solutions/images/serverless-eye.svg "") icon. + +### Understand alert statuses [observability-view-alerts-understand-statuses] + There are four common alert statuses: `active` 
@@ -58,29 +70,23 @@ There are four common alert statuses: `flapping` : The alert is switching repeatedly between active and recovered states. -`recovered` -: The conditions for the rule are no longer met and recovery actions should be generated. - -`untracked` -: The corresponding rule is disabled or you’ve marked the alert as untracked. To mark the alert as untracked, go to the **Alerts** table, click the ![More actions](/solutions/images/serverless-boxesHorizontal.svg "") icon to expand the *More actions* menu, and click **Mark as untracked**. When an alert is marked as untracked, actions are no longer generated. You can choose to move active alerts to this state when you disable or delete rules. - ::::{note} **Flapping alerts** -The flapping state is possible only if you have enabled alert flapping detection. Go to the **Alerts** page and click **Manage Rules** to navigate to the {{obs-serverless}} **{{rules-app}}** page. Click **Settings** then set the look back window and threshold that are used to determine whether alerts are flapping. For example, you can specify that the alert must change status at least 6 times in the last 10 runs. If the rule has actions that run when the alert status changes, those actions are suppressed while the alert is flapping. +The flapping state is possible only if you have enabled alert flapping detection. Go to the **Alerts** page and click **Manage Rules** to navigate to the **{{rules-app}}** page. Click **Settings** then set the look back window and threshold that are used to determine whether alerts are flapping. For example, you can specify that the alert must change status at least 6 times in the last 10 runs. If the rule has actions that run when the alert status changes, those actions are suppressed while the alert is flapping. :::: +`recovered` +: The conditions for the rule are no longer met and recovery actions should be generated. 
Alerts will change to the recovered state if the rule's conditions are not met for the number of consecutive runs defined in its look back window. -To further inspect the rule: - -* From the alert detail flyout, click **View rule details**. -* From the **Alerts** table, click the ![More actions](/solutions/images/serverless-boxesHorizontal.svg "") icon and select **View rule details**. +::::{note} + Once an alert is recovered, the flapping state criteria is only applied to newly generated alerts. +:::: -To view the alert in the app that triggered it: -* From the alert detail flyout, click **View in app**. -* From the **Alerts** table, click the ![View in app](/solutions/images/serverless-eye.svg "") icon. +`untracked` +: The corresponding rule is disabled or you’ve marked the alert as untracked. To mark the alert as untracked, go to the **Alerts** table, click the ![More actions](/solutions/images/serverless-boxesHorizontal.svg "") icon to expand the *More actions* menu, and click **Mark as untracked**. When an alert is marked as untracked, actions are no longer generated. You can choose to move active alerts to this state when you disable or delete rules. ## Customize the alerts table [observability-view-alerts-customize-the-alerts-table] From b7058ba0e3bbc3f8565d7b2c5438d4b392cdab0f Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 18 Aug 2025 17:00:49 -0400 Subject: [PATCH 02/13] Alexandra's feedback --- .../incident-management/view-alerts.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 0d2ab9e09c..c11bf66b81 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -65,28 +65,29 @@ To view the alert in the app that triggered it: There are four common alert statuses: `active` -: The conditions for the rule are met and actions should be generated according to the notification settings. +: The conditions for the rule are met. Actions for the rule are run according to the notification settings. `flapping` : The alert is switching repeatedly between active and recovered states. -::::{note} -**Flapping alerts** - +::::{important} The flapping state is possible only if you have enabled alert flapping detection. Go to the **Alerts** page and click **Manage Rules** to navigate to the **{{rules-app}}** page. Click **Settings** then set the look back window and threshold that are used to determine whether alerts are flapping. For example, you can specify that the alert must change status at least 6 times in the last 10 runs. If the rule has actions that run when the alert status changes, those actions are suppressed while the alert is flapping. :::: `recovered` -: The conditions for the rule are no longer met and recovery actions should be generated. Alerts will change to the recovered state if the rule's conditions are not met for the number of consecutive runs defined in its look back window. +: The conditions for the rule are no longer met. Recovery actions for the rule will run if the rule's conditions _are not_ met during the current rule execution, but were met in the previous one. ::::{note} - Once an alert is recovered, the flapping state criteria is only applied to newly generated alerts. + +Note the following about alerts that change from the flapping state to recovered: +- Alerts in the flapping state will only change to recovered if the rule's conditions are not met for the number of consecutive runs that are defined by the **Alert status change threshold** for flapping alerts. +- After an alert is recovered, the flapping state criteria is only applied to newly generated alerts. 
:::: `untracked` -: The corresponding rule is disabled or you’ve marked the alert as untracked. To mark the alert as untracked, go to the **Alerts** table, click the ![More actions](/solutions/images/serverless-boxesHorizontal.svg "") icon to expand the *More actions* menu, and click **Mark as untracked**. When an alert is marked as untracked, actions are no longer generated. You can choose to move active alerts to this state when you disable or delete rules. +: The rule is disabled, or you’ve marked the alert as untracked. To mark the alert as untracked, go to the **Alerts** table, click the ![More actions](/solutions/images/serverless-boxesHorizontal.svg "") icon to expand the *More actions* menu, and click **Mark as untracked**. When an alert is marked as untracked, actions are no longer generated. You can choose to move active alerts to this state when you disable or delete rules. ## Customize the alerts table [observability-view-alerts-customize-the-alerts-table] From 10f3cfe25687848c54b1c28131e7c1c6d7ff7727 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 18 Aug 2025 17:07:23 -0400 Subject: [PATCH 03/13] Additional modifications --- .../observability/incident-management/view-alerts.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index c11bf66b81..0e9dd9358c 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md @@ -65,7 +65,7 @@ To view the alert in the app that triggered it: There are four common alert statuses: `active` -: The conditions for the rule are met. Actions for the rule are run according to the notification settings. +: The conditions for the rule are met. Rule actions are run according to the notification settings. `flapping` : The alert is switching repeatedly between active and recovered states. 
@@ -76,13 +76,11 @@ The flapping state is possible only if you have enabled alert flapping detection :::: `recovered` -: The conditions for the rule are no longer met. Recovery actions for the rule will run if the rule's conditions _are not_ met during the current rule execution, but were met in the previous one. +: The conditions for the rule are no longer met. Rule recovery actions run if the rule's conditions _were not_ met during the current rule execution, but were in the previous one. ::::{note} -Note the following about alerts that change from the flapping state to recovered: -- Alerts in the flapping state will only change to recovered if the rule's conditions are not met for the number of consecutive runs that are defined by the **Alert status change threshold** for flapping alerts. -- After an alert is recovered, the flapping state criteria is only applied to newly generated alerts. +Alerts in the flapping state will only change to recovered if the rule's conditions are not met for the number of consecutive runs that are defined by the **Alert status change threshold** for flapping alerts. After an alert is recovered, the flapping state criteria is only applied to newly generated alerts. :::: From 936f2bb34ca283462ecf6fdef844614adfa1235e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 18 Aug 2025 22:30:38 -0400 Subject: [PATCH 04/13] note changes --- .../incident-management/view-alerts.md | 24 ++++++++++++------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 0e9dd9358c..191d2db66b 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -2,6 +2,10 @@ mapped_pages: - https://www.elastic.co/guide/en/observability/current/view-observability-alerts.html - https://www.elastic.co/guide/en/serverless/current/observability-view-alerts.html +applies_to: + stack: all + serverless: + observability: all products: - id: observability - id: cloud-serverless 
@@ -65,22 +69,27 @@ To view the alert in the app that triggered it: There are four common alert statuses: `active` -: The conditions for the rule are met. Rule actions are run according to the notification settings. +: The conditions for the rule are met. Rule actions will run according to the notification settings. `flapping` -: The alert is switching repeatedly between active and recovered states. -::::{important} -The flapping state is possible only if you have enabled alert flapping detection. Go to the **Alerts** page and click **Manage Rules** to navigate to the **{{rules-app}}** page. Click **Settings** then set the look back window and threshold that are used to determine whether alerts are flapping. For example, you can specify that the alert must change status at least 6 times in the last 10 runs. If the rule has actions that run when the alert status changes, those actions are suppressed while the alert is flapping. +: The alert is switching repeatedly between active and recovered states. If the rule has actions that run when the alert status changes states, those actions are suppressed while the alert is flapping. + +::::{note} + +Alert flapping is turned on by default. To modify the conditions for changing an alert's status to the flapping state, configure the alert flapping settings. + +First, navigate to the **Alerts** page in the main menu, or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). Next, click **Manage Rules**, then **Settings** to open the global rule settings for the space. In the **Alert flapping detection** section, modify the rules' look back window and threshold for alert status changes. For example, you can specify that the alert must change status at least 6 times in the last 10 runs before it's status changes to flapping. :::: `recovered` -: The conditions for the rule are no longer met. 
Rule recovery actions run if the rule's conditions _were not_ met during the current rule execution, but were in the previous one. +: The conditions for the rule are no longer met. Rule recovery actions will run if the rule's conditions _were not_ met during the current rule execution, but were in the previous one. -::::{note} +::::{note} + +For flapping alerts, the recovered state will only be applied if the rule's conditions are not met for the number of consecutive runs that are defined by the flapping alerts' **Alert status change threshold**. After a flapping alert is recovered, the flapping state criteria is reinstated, but only for newly generated alerts. -Alerts in the flapping state will only change to recovered if the rule's conditions are not met for the number of consecutive runs that are defined by the **Alert status change threshold** for flapping alerts. After an alert is recovered, the flapping state criteria is only applied to newly generated alerts. :::: @@ -111,7 +120,6 @@ Each case can have a maximum of 1,000 alerts. :::: - ### Add an alert to a new case [observability-view-alerts-add-an-alert-to-a-new-case] To add an alert to a new case: From e0bc67801537e89691329056ad5f84fbdfdc810e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 18 Aug 2025 22:38:21 -0400 Subject: [PATCH 05/13] Replace icons --- .../observability/incident-management/view-alerts.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 191d2db66b..dd610797c3 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -57,14 +57,14 @@ From the **Alerts** table, you can click on a specific alert to open the alert d To further inspect the rule: * From the alert detail flyout, click **View rule details**. -* From the **Alerts** table, click the ![More actions](/solutions/images/serverless-boxesHorizontal.svg "") icon and select **View rule details**. +* From the **Alerts** table, click the {icon}`boxes_horizontal` icon and select **View rule details**. To view the alert in the app that triggered it: * From the alert detail flyout, click **View in app**. -* From the **Alerts** table, click the ![View in app](/solutions/images/serverless-eye.svg "") icon. +* From the **Alerts** table, click the {icon}`eye` icon. -### Understand alert statuses [observability-view-alerts-understand-statuses] +## Understand alert statuses [observability-view-alerts-understand-statuses] There are four common alert statuses: @@ -94,7 +94,7 @@ For flapping alerts, the recovered state will only be applied if the rule's cond `untracked` -: The rule is disabled, or you’ve marked the alert as untracked. To mark the alert as untracked, go to the **Alerts** table, click the ![More actions](/solutions/images/serverless-boxesHorizontal.svg "") icon to expand the *More actions* menu, and click **Mark as untracked**. When an alert is marked as untracked, actions are no longer generated. You can choose to move active alerts to this state when you disable or delete rules. +: The rule is disabled, or you’ve marked the alert as untracked. To mark the alert as untracked, go to the **Alerts** table, click the {icon}`boxes_horizontal` icon to expand the **More actions** menu, and click **Mark as untracked**. When an alert is marked as untracked, actions are no longer generated. You can choose to move active alerts to this state when you disable or delete rules. ## Customize the alerts table [observability-view-alerts-customize-the-alerts-table] 
@@ -112,7 +112,7 @@ You can also use the toolbar buttons in the upper-right to customize the display ## Add alerts to cases [observability-view-alerts-add-alerts-to-cases] -From the **Alerts** table, you can add one or more alerts to a case. Click the ![More actions](/solutions/images/serverless-boxesHorizontal.svg "") icon to add the alert to a new or existing case. You can add an unlimited amount of alerts from any rule type. +From the **Alerts** table, you can add one or more alerts to a case. Click the {icon}`boxes_horizontal` icon to add the alert to a new or existing case. You can add an unlimited amount of alerts from any rule type. ::::{note} Each case can have a maximum of 1,000 alerts. From accc8e486e9b354be94832967fdae9c421675118 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 19 Aug 2025 00:00:27 -0400 Subject: [PATCH 06/13] Add example --- solutions/observability/incident-management/view-alerts.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index dd610797c3..2e3fbe2045 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -88,7 +88,9 @@ First, navigate to the **Alerts** page in the main menu, or use the [global sear ::::{note} -For flapping alerts, the recovered state will only be applied if the rule's conditions are not met for the number of consecutive runs that are defined by the flapping alerts' **Alert status change threshold**. After a flapping alert is recovered, the flapping state criteria is reinstated, but only for newly generated alerts. +For flapping alerts, the recovered state will only be applied if the rule's conditions are not met for the number of consecutive runs that are defined by the flapping alerts' **Alert status change threshold**. For example, say you specify the status change threshold as 6 and the rules' lookback window is set to 10. If an alert repeatedly has switched between the active and recovered states at least 6 times in the last 10 runs, but then the rule's criteria is _not met_ on the eleventh run, the alert status will automatically change from flapping to recovered. + +After a flapping alert is recovered, the flapping state criteria is reinstated for newly generated alerts. :::: From 5f717c100c12914d292481b62cf6c91a5bb0176d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 19 Aug 2025 04:21:46 -0400 Subject: [PATCH 07/13] expanded descip for recovered --- .../incident-management/view-alerts.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 2e3fbe2045..7603df6944 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -69,7 +69,7 @@ To view the alert in the app that triggered it: There are four common alert statuses: `active` -: The conditions for the rule are met. Rule actions will run according to the notification settings. +: The conditions for the rule are met. If the rule has [actions](../../../explore-analyze/alerts-cases/alerts/create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the action's notification settings. `flapping` 
@@ -79,21 +79,19 @@ There are four common alert statuses: Alert flapping is turned on by default. To modify the conditions for changing an alert's status to the flapping state, configure the alert flapping settings. -First, navigate to the **Alerts** page in the main menu, or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). Next, click **Manage Rules**, then **Settings** to open the global rule settings for the space. In the **Alert flapping detection** section, modify the rules' look back window and threshold for alert status changes. For example, you can specify that the alert must change status at least 6 times in the last 10 runs before it's status changes to flapping. +First, navigate to the **Alerts** page in the main menu, or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). Next, click **Manage Rules**, then **Settings** to open the global rule settings for the space. In the **Alert flapping detection** section, modify the rules' look back window and threshold for alert status changes. For example, you can specify that the alert must change its status at least 6 times in the last 10 runs for it to become a flapping alert. :::: `recovered` -: The conditions for the rule are no longer met. Rule recovery actions will run if the rule's conditions _were not_ met during the current rule execution, but were in the previous one. +: The conditions for the rule are no longer met. If the rule has [recovery actions](../../../explore-analyze/alerts-cases/alerts/create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the action's notification settings. Recovery actions only run if the rule's conditions aren't met during the current rule execution, but were in the previous one. 
-::::{note} - -For flapping alerts, the recovered state will only be applied if the rule's conditions are not met for the number of consecutive runs that are defined by the flapping alerts' **Alert status change threshold**. For example, say you specify the status change threshold as 6 and the rules' lookback window is set to 10. If an alert repeatedly has switched between the active and recovered states at least 6 times in the last 10 runs, but then the rule's criteria is _not met_ on the eleventh run, the alert status will automatically change from flapping to recovered. -After a flapping alert is recovered, the flapping state criteria is reinstated for newly generated alerts. + An active alert changes to recovered if the conditions for the rule that generated it are no longer met. -:::: + A flapping alert changes to recovered if the conditions for the rule that generated it are no longer met, and the alert's status stabilizes before refufilling the criteria for the flapping state. For instance, say you specify that an alert must change its status at least 6 times in the last 10 runs for it to become a flapping alert. If a flapping alert only changes its status 5 times in the last 10 runs, and rule's conditions are not met during the fifth rule run, the alert's status changes to recovered. + After a flapping alert is recovered, the criteria for the flapping status is restarted when new alerts are generated. `untracked` : The rule is disabled, or you’ve marked the alert as untracked. To mark the alert as untracked, go to the **Alerts** table, click the {icon}`boxes_horizontal` icon to expand the **More actions** menu, and click **Mark as untracked**. When an alert is marked as untracked, actions are no longer generated. You can choose to move active alerts to this state when you disable or delete rules. From 940409b4a94c246a39759cd3ae312f9fbbd97e4c Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon Date: Tue, 19 Aug 2025 04:49:05 -0400 Subject: [PATCH 08/13] anotha one --- .../incident-management/view-alerts.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 7603df6944..63e0632b0e 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md @@ -69,7 +69,7 @@ To view the alert in the app that triggered it: There are four common alert statuses: `active` -: The conditions for the rule are met. If the rule has [actions](../../../explore-analyze/alerts-cases/alerts/create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the action's notification settings. +: The conditions for the rule are met. If the rule has [actions](../../../explore-analyze/alerts-cases/alerts/create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the actions' notification settings. `flapping` 
@@ -77,21 +77,19 @@ There are four common alert statuses: ::::{note} -Alert flapping is turned on by default. To modify the conditions for changing an alert's status to the flapping state, configure the alert flapping settings. - -First, navigate to the **Alerts** page in the main menu, or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). Next, click **Manage Rules**, then **Settings** to open the global rule settings for the space. In the **Alert flapping detection** section, modify the rules' look back window and threshold for alert status changes. For example, you can specify that the alert must change its status at least 6 times in the last 10 runs for it to become a flapping alert. +Alert flapping is turned on by default. You can modify the criteria for changing an alert's status to the flapping state by configuring the **Alert flapping detection** settings. To do this, navigate to the **Alerts** page in the main menu, or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). Next, click **Manage Rules**, then **Settings** to open the global rule settings for the space. In the **Alert flapping detection** section, modify the rules' look back window and threshold for alert status changes. For example, you can specify that the alert must change its status at least 6 times in the last 10 runs for it to become a flapping alert. :::: `recovered` -: The conditions for the rule are no longer met. If the rule has [recovery actions](../../../explore-analyze/alerts-cases/alerts/create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the action's notification settings. Recovery actions only run if the rule's conditions aren't met during the current rule execution, but were in the previous one. +: The conditions for the rule are no longer met. 
If the rule has [recovery actions](../../../explore-analyze/alerts-cases/alerts/create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the actions' notification settings. Recovery actions only run if the rule's conditions aren't met during the current rule execution, but were in the previous one. An active alert changes to recovered if the conditions for the rule that generated it are no longer met. - A flapping alert changes to recovered if the conditions for the rule that generated it are no longer met, and the alert's status stabilizes before refufilling the criteria for the flapping state. For instance, say you specify that an alert must change its status at least 6 times in the last 10 runs for it to become a flapping alert. If a flapping alert only changes its status 5 times in the last 10 runs, and rule's conditions are not met during the fifth rule run, the alert's status changes to recovered. - - After a flapping alert is recovered, the criteria for the flapping status is restarted when new alerts are generated. + A flapping alert changes to recovered if the conditions for the rule that generated it are no longer met, and the alert's status stabilizes before refufilling the criteria for the flapping state. For instance, say that you specify an alert must change its status at least 6 times in the last 10 runs for it to become a flapping alert. If a flapping alert only changes its status 5 times in the last 10 runs, and rule's conditions are not met during the fifth rule run, the alert's status changes from flapping to recovered. + + Once a flapping alert is recovered, it cannot be changed to flapping again. Only new alerts with repeated status changes are candidates for the flapping status. `untracked` : The rule is disabled, or you’ve marked the alert as untracked. 
To mark the alert as untracked, go to the **Alerts** table, click the {icon}`boxes_horizontal` icon to expand the **More actions** menu, and click **Mark as untracked**. When an alert is marked as untracked, actions are no longer generated. You can choose to move active alerts to this state when you disable or delete rules. From 493a3bd87d0637a2bec9701e4bb531afae1b5d1c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 19 Aug 2025 11:23:37 -0400 Subject: [PATCH 09/13] Update solutions/observability/incident-management/view-alerts.md --- solutions/observability/incident-management/view-alerts.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 63e0632b0e..0d28b7fbdc 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -87,7 +87,10 @@ Alert flapping is turned on by default. You can modify the criteria for changing An active alert changes to recovered if the conditions for the rule that generated it are no longer met. - A flapping alert changes to recovered if the conditions for the rule that generated it are no longer met, and the alert's status stabilizes before refufilling the criteria for the flapping state. For instance, say that you specify an alert must change its status at least 6 times in the last 10 runs for it to become a flapping alert. If a flapping alert only changes its status 5 times in the last 10 runs, and rule's conditions are not met during the fifth rule run, the alert's status changes from flapping to recovered. + A flapping alert changes to recovered when the rule's conditions are unmet for a specific number of consecutive runs. This number is determined by the **Alert status change threshold** setting, which you can configure under the **Alert flapping detection** settings. + +For instance, if the threshold is set so an alert must change status at least 6 times in the last 10 runs to be considered flapping, then for the flapping alert to recover, the rule's conditions must remain unmet for 6 consecutive runs. If the rule's conditions are met at any point during this recovery period, the count of consecutive unmet runs will reset, requiring the alert to remain unmet for an additional 6 consecutive runs to finally be reported as recovered. + Once a flapping alert is recovered, it cannot be changed to flapping again. Only new alerts with repeated status changes are candidates for the flapping status. From 1d0cf82faaafa1379dfe74ef1dded54e639101c3 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 19 Aug 2025 12:14:13 -0400 Subject: [PATCH 10/13] Updates stack rule docs --- .../alerts-cases/alerts/view-alerts.md | 31 ++++++++++++++----- 1 file changed, 23 insertions(+), 8 deletions(-) 
diff --git a/explore-analyze/alerts-cases/alerts/view-alerts.md b/explore-analyze/alerts-cases/alerts/view-alerts.md index 96812cf348..e595504362 100644 --- a/explore-analyze/alerts-cases/alerts/view-alerts.md +++ b/explore-analyze/alerts-cases/alerts/view-alerts.md 
@@ -49,22 +49,37 @@ If an alert is affected by a maintenance window, the alert details include its i ### Alert statuses [alert-status] -There are three common alert statuses: +There are four common alert statuses: `active` -: The conditions for the rule are met and actions should be generated according to the notification settings. +: The conditions for the rule are met. If the rule has [actions](create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the actions' notification settings. -`recovered` -: The conditions for the rule are no longer met and recovery actions should be generated. +`flapping` -`untracked` -: Actions are no longer generated. For example, you can choose to move active alerts to this state when you disable or delete rules. +: The alert is switching repeatedly between active and recovered states. If the rule has actions that run when the alert status changes states, those actions are suppressed while the alert is flapping. -::::{note} -An alert can also be in a "flapping" state when it is switching repeatedly between active and recovered states. This state is possible only if you have enabled alert flapping detection in **{{stack-manage-app}} > {{rules-ui}} > Settings**. For each space, you can choose a look back window and threshold that are used to determine whether alerts are flapping. For example, you can specify that the alert must change status at least 6 times in the last 10 runs. If the rule has actions that run when the alert status changes, those actions are suppressed while the alert is flapping. +::::{note} + +Alert flapping is turned on by default. You can modify the criteria for changing an alert's status to the flapping state by configuring the **Alert flapping detection** settings. To do this, navigate to the **Alerts** page in the main menu, or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). 
Next, click **Manage Rules**, then **Settings** to open the global rule settings for the space. In the **Alert flapping detection** section, modify the rules' look back window and threshold for alert status changes. For example, you can specify that the alert must change its status at least 6 times in the last 10 runs for it to become a flapping alert. :::: +`recovered` +: The conditions for the rule are no longer met. If the rule has [recovery actions](create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the actions' notification settings. Recovery actions only run if the rule's conditions aren't met during the current rule execution, but were in the previous one. + + + An active alert changes to recovered if the conditions for the rule that generated it are no longer met. + + A flapping alert changes to recovered when the rule's conditions are unmet for a specific number of consecutive runs. This number is determined by the **Alert status change threshold** setting, which you can configure under the **Alert flapping detection** settings. + +For instance, if the threshold is set so an alert must change status at least 6 times in the last 10 runs to be considered flapping, then for the flapping alert to recover, the rule's conditions must remain unmet for 6 consecutive runs. If the rule's conditions are met at any point during this recovery period, the count of consecutive unmet runs will reset, requiring the alert to remain unmet for an additional 6 consecutive runs to finally be reported as recovered. + + + Once a flapping alert is recovered, it cannot be changed to flapping again. Only new alerts with repeated status changes are candidates for the flapping status. + +`untracked` +: The rule is disabled, or you’ve marked the alert as untracked. To mark the alert as untracked, go to the **Alerts** table, click the {icon}`boxes_horizontal` icon to expand the **More actions** menu, and click **Mark as untracked**. 
When an alert is marked as untracked, actions are no longer generated. You can choose to move active alerts to this state when you disable or delete rules. + ## Mute alerts [mute-alerts] If an alert is active or flapping, you can mute it to temporarily suppress future actions. In both **{{stack-manage-app}} > Alerts** and **{{rules-ui}}**, you can open the action menu (…) for the appropriate alert and select **Mute**. To permanently suppress actions for an alert, open the actions menu and select **Mark as untracked**. From e4966b258a5bb925dc2951ef8fd23402b590fd71 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 19 Aug 2025 12:15:36 -0400 Subject: [PATCH 11/13] indent --- solutions/observability/incident-management/view-alerts.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 0d28b7fbdc..150643237d 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -89,9 +89,8 @@ Alert flapping is turned on by default. You can modify the criteria for changing A flapping alert changes to recovered when the rule's conditions are unmet for a specific number of consecutive runs. This number is determined by the **Alert status change threshold** setting, which you can configure under the **Alert flapping detection** settings. -For instance, if the threshold is set so an alert must change status at least 6 times in the last 10 runs to be considered flapping, then for the flapping alert to recover, the rule's conditions must remain unmet for 6 consecutive runs. If the rule's conditions are met at any point during this recovery period, the count of consecutive unmet runs will reset, requiring the alert to remain unmet for an additional 6 consecutive runs to finally be reported as recovered. + For instance, if the threshold is set so an alert must change status at least 6 times in the last 10 runs to be considered flapping, then for the flapping alert to recover, the rule's conditions must remain unmet for 6 consecutive runs. If the rule's conditions are met at any point during this recovery period, the count of consecutive unmet runs will reset, requiring the alert to remain unmet for an additional 6 consecutive runs to finally be reported as recovered. - Once a flapping alert is recovered, it cannot be changed to flapping again. Only new alerts with repeated status changes are candidates for the flapping status. `untracked` From 69a2f00e66c6400da9337b9949514fbd050d3b9c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 19 Aug 2025 12:21:20 -0400 Subject: [PATCH 12/13] more formatting fixes --- explore-analyze/alerts-cases/alerts/view-alerts.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/explore-analyze/alerts-cases/alerts/view-alerts.md b/explore-analyze/alerts-cases/alerts/view-alerts.md index e595504362..b81232a711 100644 --- a/explore-analyze/alerts-cases/alerts/view-alerts.md 
+++ b/explore-analyze/alerts-cases/alerts/view-alerts.md @@ -47,7 +47,7 @@ To get more information about a specific alert, open its action menu (…) and s If an alert is affected by a maintenance window, the alert details include its identifier. For more information about their impact on alert notifications, refer to [*Maintenance windows*](maintenance-windows.md). -### Alert statuses [alert-status] +## Alert statuses [alert-status] There are four common alert statuses: @@ -72,9 +72,8 @@ Alert flapping is turned on by default. You can modify the criteria for changing A flapping alert changes to recovered when the rule's conditions are unmet for a specific number of consecutive runs. This number is determined by the **Alert status change threshold** setting, which you can configure under the **Alert flapping detection** settings. -For instance, if the threshold is set so an alert must change status at least 6 times in the last 10 runs to be considered flapping, then for the flapping alert to recover, the rule's conditions must remain unmet for 6 consecutive runs. If the rule's conditions are met at any point during this recovery period, the count of consecutive unmet runs will reset, requiring the alert to remain unmet for an additional 6 consecutive runs to finally be reported as recovered. + For instance, if the threshold is set so an alert must change status at least 6 times in the last 10 runs to be considered flapping, the rule's conditions must remain unmet for 6 consecutive runs for a flapping alert to recover. If the rule's conditions are met at any point during this recovery period, the count of consecutive unmet runs will reset, requiring the alert to remain unmet for an additional 6 consecutive runs to finally be reported as recovered. - Once a flapping alert is recovered, it cannot be changed to flapping again. Only new alerts with repeated status changes are candidates for the flapping status. `untracked` 
From edf238394e6175985fd690f12b21b0290d0901b7 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 19 Aug 2025 12:29:36 -0400 Subject: [PATCH 13/13] Cleanup --- explore-analyze/alerts-cases/alerts/view-alerts.md | 2 +- solutions/observability/incident-management/view-alerts.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/explore-analyze/alerts-cases/alerts/view-alerts.md b/explore-analyze/alerts-cases/alerts/view-alerts.md index b81232a711..7c5b4c6ea9 100644 --- a/explore-analyze/alerts-cases/alerts/view-alerts.md +++ b/explore-analyze/alerts-cases/alerts/view-alerts.md 
@@ -72,7 +72,7 @@ Alert flapping is turned on by default. You can modify the criteria for changing A flapping alert changes to recovered when the rule's conditions are unmet for a specific number of consecutive runs. This number is determined by the **Alert status change threshold** setting, which you can configure under the **Alert flapping detection** settings. - For instance, if the threshold is set so an alert must change status at least 6 times in the last 10 runs to be considered flapping, the rule's conditions must remain unmet for 6 consecutive runs for a flapping alert to recover. If the rule's conditions are met at any point during this recovery period, the count of consecutive unmet runs will reset, requiring the alert to remain unmet for an additional 6 consecutive runs to finally be reported as recovered. + For example, if the threshold requires an alert to change status at least 6 times in the last 10 runs to be considered flapping, then to recover, the rule's conditions must remain unmet for 6 consecutive runs. If the rule's conditions are met at any point during this recovery period, the count of consecutive unmet runs will reset, requiring the alert to remain unmet for an additional 6 consecutive runs to finally be reported as recovered. Once a flapping alert is recovered, it cannot be changed to flapping again. Only new alerts with repeated status changes are candidates for the flapping status. diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 150643237d..282a4252a4 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -88,8 +88,8 @@ Alert flapping is turned on by default. You can modify the criteria for changing An active alert changes to recovered if the conditions for the rule that generated it are no longer met. A flapping alert changes to recovered when the rule's conditions are unmet for a specific number of consecutive runs. This number is determined by the **Alert status change threshold** setting, which you can configure under the **Alert flapping detection** settings. - - For instance, if the threshold is set so an alert must change status at least 6 times in the last 10 runs to be considered flapping, then for the flapping alert to recover, the rule's conditions must remain unmet for 6 consecutive runs. If the rule's conditions are met at any point during this recovery period, the count of consecutive unmet runs will reset, requiring the alert to remain unmet for an additional 6 consecutive runs to finally be reported as recovered. + + For example, if the threshold requires an alert to change status at least 6 times in the last 10 runs to be considered flapping, then to recover, the rule's conditions must remain unmet for 6 consecutive runs. If the rule's conditions are met at any point during this recovery period, the count of consecutive unmet runs will reset, requiring the alert to remain unmet for an additional 6 consecutive runs to finally be reported as recovered. Once a flapping alert is recovered, it cannot be changed to flapping again. Only new alerts with repeated status changes are candidates for the flapping status.
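Review bot: In the `recovered` definition added by PATCH 01/13 to explore-analyze/alerts-cases/alerts/view-alerts.md (@@ -49,22 +49,37), the sentence "Recovery actions only run if the rule's conditions aren't met during the current rule execution, but were in the previous one" conflicts with the flapping case described directly below it. There the alert is reported as recovered only after the conditions stay unmet for 6 consecutive runs, so the conditions were also unmet in the previous run. Say whether the sentence applies only to alerts that are not flapping, or phrase it in terms of the alert's previous status instead of the previous run's conditions. In the `flapping` definition of the same hunk, "when the alert status changes states" is redundant; the removed note's wording, "when the alert status changes", is enough.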
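Review bot: The first hunk of PATCH 12/13 (@@ -47,7 +47,7) promotes "Alert statuses" from `###` to `##`, which changes the page outline, but the commit message only says "more formatting fixes". The section now sits at the same level as `## Mute alerts [mute-alerts]` instead of nested under the preceding section. Confirm the promotion is intended and mention it in the commit message. The `[alert-status]` anchor is the same on both the removed and the added line, so links to it are unaffected.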
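Review bot: In the reworded example in PATCH 13/13 (explore-analyze hunk, @@ -72,7 +72,7), "then to recover, the rule's conditions must remain unmet" leaves the subject of "to recover" dangling, so it reads as if the conditions recover rather than the alert. Keep the subject from the earlier wording, for example "then for the flapping alert to recover, the rule's conditions must remain unmet for 6 consecutive runs". In the next sentence, "an additional 6 consecutive runs" can be read as 6 runs on top of those already counted; because the count resets, "a full 6 consecutive runs" says it more precisely.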
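Review bot: The observability hunk of PATCH 13/13 (@@ -88,8 +88,8) replaces the otherwise empty separator line before the example with another otherwise empty line, a whitespace-only change; check that the added line carries no trailing whitespace and drop the pair from the hunk if nothing needs to change there. The hunk also repeats word for word the edit made to explore-analyze/alerts-cases/alerts/view-alerts.md in the same commit, after PATCH 11/13 and 12/13 applied the indentation fix to each file separately with the wording differing in between. If the docs build allows it, keep the status definitions in one shared source so the two pages cannot drift apart.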