Searching and filtering alerts
Search for alerts by name, or filter the list based on selected criteria. You can also save a filter configuration for future use.
- Click the navigation icon at the upper-left corner of the screen to go to the main navigation menu.
- In the main navigation menu, click Operate > Alerts.
Search alerts
To search for an alert in the table:
- Click anywhere in the Search field.
- Type a description of the alert in the search field. For example, type "error" and the system will show in the table all alerts that contain the text "error" in the summary.
Predefined alert filters
All alerts are displayed in the alert list by default. Click the Down chevron icon to select from the following predefined filters:
- Alerts with runbooks
- Alerts with topology
- Critical
- Last 24 hours
- Last 7 days
- Last hour
- Open alerts
- Part of an incident
Filter alerts
Click Filter to open the filter side panel. There are two filter modes available to build your filter, Basic and Advanced.
Basic mode
- Select from the following filters for alerts:
  - Severity:
    - Critical
    - Major
    - Minor
    - Warning
    - Informational
    - Indeterminate
  - Suppressed:
    - Yes
    - No
  - State:
    - Open
    - Clear
    - Closed
  - Insights:
    - Part of an incident
    - Runbooks available
    - Enrichment
  - Impacted applications: Find impacted applications to filter by.
  - Grouping insights:
    - Temporal
    - Alert source
    - Scope-based
    - Topological path
    - Topological group
  - Trigger alert:
    - Yes
    - No
- Expand Other properties and complete the fields as follows:
  - AND and OR: when adding conditions, you can join multiple condition types by using the AND and OR operators. The AND operator means that alerts are matched only if all of the individual conditions are true. The OR operator means that alerts are matched if any of the individual conditions are true. The default behavior for alert filter conditions is AND.
  - Property: select from alert attributes that are predefined for Cloud Pak for AIOps and common to most alerts.
    - If you want to minimize the scope to a specific key within the alert's properties, enter a string value that matches a key from an alert. For example, if you wanted to access the "name" property for the "sender" of an alert, type "name" into the Value field and select the respective property, or directly type "sender.name" and either select the property or press return.
    - If you have a custom property "field1" stored in the "details" of an alert, you can also access that using the Other Properties section. Enter "details.field1" and select the property from the drop down or press return. Then, enter the string value in the Value field.
      Note: The permitted characters for the "details" field are A to Z, a to z, 0-9, and "_" (underscore).
    - You can also access more properties of alert.sender, alert.resource, and alert.type by typing your custom property in the Property field. For example, to filter alerts where the alert.sender.customProperty = "custom", type sender.customProperty and select "Property: sender.customProperty". The only permitted special character for custom properties is "_" (underscore). For more information, see Examples of policy conditions mapped to alert JSON.
  - Operator: select a comparison operator from this list. The range of comparisons available is determined by your selection in the Property field.
  - Value: the fields (or free-form string value) that appear here are dependent on the options that are selected in the Property and Operator lists.
- Click Reset filter to clear changes that have been applied to a filter, or select Clear all from the list of options (three vertical dots). From the options list you can also Delete filter and Edit filter settings.
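The following is an added example, not code from Cloud Pak for AIOps: a small Python model of how Basic mode conditions behave, showing dotted property paths such as "sender.customProperty" and "details.field1" resolved against an alert, the permitted-character rule for "details" keys, and conditions joined by AND (the default) or OR. The sample alert, the operator names "equals" and "contains", and the case-insensitive comparison of free-form values are assumptions made for illustration.

```python
import re

# Permitted characters for a "details" key per the note above: A-Z, a-z, 0-9, "_".
DETAILS_KEY = re.compile(r"[A-Za-z0-9_]+")

def resolve(alert, path):
    """Walk a dotted property path such as "sender.name"; return None if absent."""
    parts = path.split(".")
    if parts[0] == "details" and not all(DETAILS_KEY.fullmatch(p) for p in parts[1:]):
        raise ValueError(f"invalid character in details property: {path!r}")
    node = alert
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

# Hypothetical operator names; the product's list depends on the selected Property.
OPERATORS = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
}

def matches(alert, conditions, join="AND"):
    """conditions: list of (property_path, operator, value); AND is the default join."""
    results = []
    for path, op, wanted in conditions:
        actual = resolve(alert, path)
        # A missing property never matches; values compare as case-insensitive strings.
        results.append(actual is not None
                       and OPERATORS[op](str(actual).lower(), str(wanted).lower()))
    return all(results) if join == "AND" else any(results)

# Constructed sample alert, shaped after the properties named on this page.
ALERT = {
    "summary": "Disk error on node-7",
    "sender": {"name": "probe-a", "customProperty": "custom"},
    "details": {"field1": "rack42"},
}
# Constructed conditions: the first is true for ALERT, the second is false.
CONDITIONS = [
    ("sender.customProperty", "equals", "custom"),
    ("details.field1", "equals", "rack99"),
]
```

With these constructed conditions the alert is excluded under AND and included under OR, which is the difference to check before saving a filter that other users will rely on.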
Advanced mode
- The Advanced tab allows you to create custom filter conditions. The filter language is based on a version of the PostgreSQL WHERE clause. For more information about the filter language syntax, see Advanced filter language syntax.
- When entering a filter on the Advanced tab, the syntax is validated as you construct the expression. The editor does not allow you to apply or save a malformed expression. A green checkmark indicates that the syntax is correct.
- As you type, example values are suggested based on supported alert and incident properties. For more information about properties that can be searched on with data types, see Issue resolution API reference (Swagger). However, you are not required to use these values. Custom properties can be used (suggestions are not provided).
  Note: Alert or incident insight properties are not supported.
  When a filter is saved in advanced mode, it cannot be converted back to basic mode. The Basic tab is no longer displayed when editing an advanced filter.
  Warning: Excessive use of regular expressions with the Like operator can impact performance.
- Click Apply to apply your filter condition.
- Click Reset filter to clear changes that have been applied to a filter, or select Clear all from the list of options (three vertical dots). From the options list you can also Delete filter and Edit filter settings.
To update an existing filter
- After you have modified the existing filter criteria, click Save.
- A Filter updated message is displayed to confirm that your changes have been saved.
To create or save a new filter
- Click the three vertical dots in the Filter conditions side panel to open the list of options.
- To modify an existing filter and save it under a new name, select Save as a new filter.
  - Enter a Filter name and Description.
    Note: Filter names must be unique across different categories of filters, whether a normal filter or a restriction filter set by an administrator. If a chosen filter name is already in use for any type of filter, an error message is displayed to say the filter name exists.
  - Select who can use this filter from the following options:
    - Only me
    - Specified users, user groups, or both: to manage access, you can select users, user groups, or both. Any selection that you make includes yourself. After you select the users or user groups who can use the filter, you must specify their level of access:
      - Can use: users can see the filter in the drop-down list and apply it to the list of alerts.
      - And edit: users can use, edit, and save the filter.
      - And manage: users can use, edit, and manage the filter name, description, and access control.
    - Everyone: also specify whether everyone can Use this filter or Edit this filter.
  - Click Save as new filter.
- To create a new blank filter, select Create filter. This is equivalent to Save as a new filter > All alerts.
To save as new restriction filter
If you are an administrator with the manage profiles privilege enabled, Role Based Access Control (RBAC) functionality allows you to see and click the Save as a new restriction filter option, and so apply certain restriction filters, incidents in this case.
- After you have applied the filters, click the three vertical dots in the Filter conditions side panel to open the list of options.
- Select Save as new restriction filter from the dropdown.
  The Save a new restriction filter dialog that opens is slightly different from the regular Save a new filter dialog window, including in the fields to complete.
- Click Save as new restriction filter.
Note:
- A Role Based Access Control (RBAC) restriction filter can be applied to a user to filter the data they see, but they can also apply their own filter conditions on top of that RBAC filter.
- Free-form string values that are applied on top of a saved filter, either by using the search text field or the filter conditions side panel, are case-insensitive. However, saved filters applied to the incident list are case-sensitive.