Active Alerts

Use the Active Alerts tab to review, filter, and investigate alerts across your environment. This view serves as the system of record for Monitor evaluations and alert lifecycles. It aggregates per-evaluation samples, deduplicates them by a unique identifier, and tracks state transitions to help you focus on active issues.

Overview of Active Alerts

When you navigate to Insights > Alerts > Active Alerts, you see a table of alert instances. Each row represents a unique alert entity, defined by the Monitor and its specific dimensions.

The Active Alerts Table

The table displays the following key information for each alert:

  • Alert: The name of the Monitor that triggered the event.
  • Severity: The current severity level: Critical, Warning, or Info.
  • Time: The time elapsed from when the alert was first seen to the last recorded sample.
  • Dimensions: The specific label set captured at evaluation. For example, these labels might include product, cid, route, or destination.

Key Concepts

Alert Identifier (ID) is derived from the Monitor groupings and labels. Active Alerts aggregates evaluations under the same ID to avoid duplicate rows. For example, if a single Monitor evaluates multiple servers, each server generates a unique ID and its own row in the table.

Status is derived from rule evaluations and configured delays. Typical transitions follow a path from OK to Alerting to Resolved. The system attaches severity as a label based on the firing rule.
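The two concepts above can be sketched as a small model. This is an added illustration, not Cribl's implementation: the hash-based ID scheme, the Fire and Clear delays counted as consecutive evaluations, the monitor name dest_backpressure, and the sample label values are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

S3 = {"product": "stream", "destination": "s3"}          # constructed label sets
SPLUNK = {"destination": "splunk", "product": "stream"}
# Constructed evaluation samples: (monitor, labels, threshold breached?, severity)
SAMPLES = [
    ("dest_backpressure", S3, True, "Warning"),
    ("dest_backpressure", SPLUNK, True, "Warning"),
    ("dest_backpressure", S3, True, "Critical"),
    ("dest_backpressure", SPLUNK, False, ""),
    ("dest_backpressure", S3, True, "Critical"),
    ("dest_backpressure", SPLUNK, True, "Warning"),
    ("dest_backpressure", S3, False, ""),
    ("dest_backpressure", SPLUNK, False, ""),
    ("dest_backpressure", S3, False, ""),
]

def alert_id(monitor, labels):
    # Assumption: the ID is a hash over the monitor name and its sorted labels.
    canon = monitor + "|" + ",".join(f"{k}={v}" for k, v in sorted(labels.items()))
    return hashlib.sha256(canon.encode()).hexdigest()[:12]

@dataclass
class AlertRow:
    monitor: str
    labels: dict
    status: str = "OK"
    severity: str = ""
    streak: int = 0    # consecutive samples that contradict the current status
    samples: int = 0   # evaluations aggregated into this row

def aggregate(samples, fire_delay=2, clear_delay=2):
    table = {}
    for monitor, labels, breached, severity in samples:
        row = table.setdefault(alert_id(monitor, labels), AlertRow(monitor, labels))
        row.samples += 1
        if breached == (row.status == "Alerting"):
            row.streak = 0                      # sample agrees with current status
            if breached:
                row.severity = severity         # label follows the firing rule
            continue
        row.streak += 1
        if breached and row.streak >= fire_delay:
            row.status, row.severity, row.streak = "Alerting", severity, 0
        elif not breached and row.streak >= clear_delay:
            row.status, row.streak = "Resolved", 0
    return table
```

With the default delays of two evaluations, the nine samples collapse into two rows: the s3 destination goes from OK to Alerting to Resolved, while the flapping splunk destination never fires.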

Workflow: Review and Investigate

Follow these steps to triage incidents effectively using Active Alerts.

1. Set Scope and Filters

Use the Time Range selector to focus on the window you are investigating. Apply filters to narrow the results to your specific area of responsibility. For example, you can filter by Product, Monitor, severity, status, or search text. Filtering affects both the list table and the histogram.

2. Prioritize the List

Sort or filter by Product, Monitor, and Severity to address critical conditions first. Review the Status and Last Change columns to distinguish between what is active now and what has already recovered.

3. Open Alert Details

Select an alert row to open its Details view. This view provides a deep dive into the specific instance.

The pane displays the Monitor name, current status, severity, ID, trigger date, and labels. It also provides quick actions to edit the Monitor configuration and add a Muting Rule.

  • The chart displays a time-series aligned to the selected tab. Use this to correlate threshold crossings, identify behaviors, or spot data gaps.
  • The Monitor details pane shows how the monitor evaluates alerts and where it sends them. It displays the Query, the associated Product and Unit, and the configured Rules, including the rule name, severity thresholds, and any included or excluded tags. The Notification Targets section shows which targets receive alerts from the monitor.

History Tabs

  • Specific Monitor: Shows recent evaluation events for the selected monitor across all of its alert instances. Use this to compare the behavior of the affected entity against other entities watched by the same monitor.
  • All Active Alerts: Shows all active alert instances across all monitors and products, not just the one you selected. Use this to see what else is firing at the same time and to spot broader patterns or cascades.

4. Take Action

From the alert details, you can take immediate steps to resolve the issue or manage the Notification.

  • Mute: You can mute notifications temporarily during maintenance. You can apply this mute to the specific monitor or to cover a set of monitors. Permanent mutes are not supported.
  • Adjust configuration: If an alert is noisy or generating false positives, open the monitor configuration. You can adjust rule thresholds, tighten label filters, or change the Fire and Clear delays to reduce unnecessary alerts.

5. Validate Recovery

As conditions recover, alerts update in place and then transition to Resolved after the thresholds are no longer being met for the monitor. This preserves a complete trail for audit and review.

Tips for Effective Triage

  • Search Effectively: Use the search box to match an alertId, entity, or Monitor name. Combine this with Product and severity filters to find specific issues quickly.
  • Reduce Noise: If you see many short-lived alerts, consider increasing the Fire or Clear delays in the Monitor settings. Alternatively, you can adjust the Rule operators or thresholds to be less sensitive.