new doc alert conditions

DebashisBorgohainO2 · DebashisBorgohainO2 · commit 64760fd3b104 · 2025-06-19T14:59:57.000+05:30
diff --git a/docs/images/alert-conditions.png b/docs/images/alert-conditions.png
diff --git a/docs/user-guide/alerts/.pages b/docs/user-guide/alerts/.pages
@@ -2,6 +2,7 @@ nav:
     - Alerts Overview: index.md
     - Alerts in OpenObserve: alerts.md
     - Alert Folders: alert-folders.md
+    - Alert Conditions: alert-conditions.md
     - Import and Export Alerts: import-export-alerts.md
     - Multi-window Selector in Scheduled Alerts (SQL Mode): multi-window-selector-scheduled-alerts-concept.md
     - Use Multi-window Selector in Scheduled Alerts: multi-window-selector-scheduled-alerts.md
diff --git a/docs/user-guide/alerts/alert-conditions.md b/docs/user-guide/alerts/alert-conditions.md
@@ -0,0 +1,40 @@
+This guide explains how to define alert conditions in OpenObserve using logical operators and grouping rules.
+
+## Define Alert Conditions
+While creating an alert, you can define multiple conditions to determine when the alert should be triggered. Use logical operators such as AND and OR to combine conditions. These operators allow you to create structured, rule-based logic to control alert evaluation.
+
+**To define multiple conditions:**
+
+1. In the **Add Alert** view, navigate to the **Conditions** section.
+2. Select an operator between AND or OR at the top level. This operator will be applied across all items added at the same level.
+3. Define an individual condition using a column, an operator, and a value.
+4. Select **+ Condition** to add more conditions at the same level.
+5. Select **+ Condition Group** to add a grouped block of conditions. A group has its own operator, independent from the parent group or other groups at the same level.
+
+![Alert conditions](../../images/alert-conditions.png)
+
+## Example
+The configuration shown in the image includes the following conditions:
+
+1. The top-level logical operator is `OR`. 
+2. There are three items at the top level:
+
+- A condition: `k8s_namespace_name` equals `dev3`
+- A condition group with the `AND` operator:
+
+    - `k8s_cluster` equals `common-dev`
+    - `k8s_deployment_name` equals `ingress-nginx-controller`
+
+- Another condition group with the `AND` operator:
+
+    - `k8s_pod_name` equals `dev3-openobserve-ingester`
+    - `k8s_deployment_name` equals `dev3-openobserve-router`
+
+## How it works
+The alert is triggered if any one of these items is true:
+
+- `k8s_namespace_name` is `dev3`.
+- Both `k8s_cluster` is `common-dev` and `k8s_deployment_name` is `ingress-nginx-controller`.
+- Both `k8s_pod_name` is `dev3-openobserve-ingester` and `k8s_deployment_name` is `dev3-openobserve-router`.
+
+Because the top-level operator is `OR`, only one item must be true for the alert to trigger.
