Alert Viewer
Alerts are displayed in the Alert Viewer. From a ChatOps integration (Slack or Microsoft Teams), you can launch into an Alert Viewer that shows the alerts that are associated with a specific incident. The numbers on the columns represent sort order. By default, alerts are sorted in the table by Severity. Where severity is the same, alerts are sorted by First occurrence. Each subsequent sort order only orders rows whose values are equivalent under the earlier sort orders. Once all values in a column sort order are unique (not equivalent), subsequent sort orders are ignored.

There is also an alert list that displays all of the alerts found by IBM Cloud Pak® for AIOps. Follow the steps below to navigate to the main Alert Viewer.
Viewing alerts
- Click the navigation icon at the upper-left corner of the screen to go to the main navigation menu.
- In the main navigation menu, click Operate > Alerts.
The following table lists alert attributes.
Attribute | Description |
---|---|
Severity | Displays the severity of the alert. The possible values that can display in the Severity column are 6: Critical, 5: Major, 4: Minor, 3: Warning, 2: Informational, 1: Indeterminate. |
Business criticality | Set in Resource management to define the importance of an application, resource group, or resource to the business. |
State | An alert has one of the following three states: Open - Always has a severity other than clear to indicate an active issue that can require your attention. Clear - Working as expected, also has a severity of clear. Closed - No longer active or relevant, a deleted event. Also has a severity of clear. |
Ranking | Probable cause assigns a ranking to all of the alerts in the incident. Alerts are ranked in order of likelihood of being the cause of the incident. |
Summary | Provides more detail about the alert. For possible log anomaly summaries, see Log anomaly summaries. |
Event Type | Describes the type of alert, for example, Utilization, Anomaly, System status, or Threshold breach. For possible log anomaly alert types, see Log anomaly alert types. |
Sender | Identifies what sent the alert, such as a log anomaly. Different senders can result in different alert attributes. |
Resource | The source from which the alert originated. This attribute can be a device name or hostname, service name, or application. |
First occurrence | Displays the date and time in which the alert first occurred. The date format shown is based on your browser locale settings. Refer to the browser help for instructions on display format for dates, times, and numbers. |
Last occurrence | Displays the date and time in which the alert last occurred. The date format shown is based on your browser locale settings. Refer to the browser help for instructions on display format for dates, times, and numbers. |
Runbooks | A number in this column indicates the number of runbooks that are associated to an alert. Click the number to display the runbook details in the side panel. From here, you can see more information, preview, and run the runbook. |
Topology | If the resource on which an alert occurred can be located in the network topology system, a large dot |
Seasonal | Alerts that occur within a seasonal time window. Alerts that are not part of an alert group, that have associated seasonality, have a circle |
In incident | Indicates if the alert is associated to an incident. |
Trigger * | Denotes alerts that are defined as trigger alerts. That is, an alert that either caused the incident to be created, or would have caused creation had an incident not already existed. An incident takes the name of its trigger alert. |
Suppressed | A 'Yes' in this column indicates that the alert.suppressed flag is set to true for the alert. The alert is still present in the system and can be viewed in the Alert Viewer, but the alert is filtered out of the view by default. |
Golden signal | A label based on the value of alert.type.classification that describes the type of the event. For example, utilization, system status, threshold breach, and so on. Golden signal labels are divided into the categories of Effect: latency, error, availability. Cause: saturation, traffic. None: information. |
*Only displayed on alert lists within the context of an incident.
Click the Correlation information icon to enable the Correlation column and display three more icons under this column. If the alert is part of an alert group, the type of analysis that is used to generate the group is indicated in these columns.
Correlation column | Description |
---|---|
Temporal group | Details of a temporal group in which this alert is involved. |
Scope-based group | Details of a scope-based group in which this alert is involved. |
Topological group | Details of a topology group in which this alert is involved. |
For more information, see Displaying analytics details for an alert group.

To view more detailed information about the alert list count, click the information icon at the bottom of the table.

The following alert list information is displayed:
- Showing (alerts): The number of alerts that are shown in the alert list.
- Showing (groups): The number of alert groups that are shown in the alert list.
- Grouped: The number and percentage of alerts that are part of a group shown in the alert list.
- Limit: The limit for the number of alerts you can view in the alert list at one time. This value is set by an administrator.
- Total matched: The number of alerts identified in the system that match the current saved filter. This can be higher than the number shown when there is a limit set to improve performance.
- Total active: The total number of alerts in the system that haven't been archived. Historical alerts are archived for AI training.
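The following added example models how these counters relate to the default view, so you can see how many alerts a triage pass over the visible rows does not cover. It is an illustration, not IBM Cloud Pak for AIOps code: the `Alert` fields, the sort directions (highest severity first, oldest first occurrence first), and treating suppression as part of the saved filter are assumptions, and the sample alerts are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:                      # hypothetical record, not the product schema
    id: str
    severity: int                 # 6: Critical ... 1: Indeterminate (attribute table)
    first_occurrence: str         # ISO 8601 timestamp, sorts lexicographically
    suppressed: bool = False      # stands in for the alert.suppressed flag
    group: Optional[str] = None   # alert group id, if any
    archived: bool = False

def alert_list(alerts, limit):
    """Apply the default view and return the rows plus the list counters."""
    active = [a for a in alerts if not a.archived]
    # Assumption: the default saved filter is "not suppressed".
    matched = [a for a in active if not a.suppressed]
    # Multi-key sort: First occurrence only breaks ties in Severity.
    ordered = sorted(matched, key=lambda a: (-a.severity, a.first_occurrence))
    shown = ordered[:limit]
    grouped = sum(1 for a in shown if a.group)
    return {
        "rows": [a.id for a in shown],
        "showing_alerts": len(shown),
        "showing_groups": len({a.group for a in shown if a.group}),
        "grouped": grouped,
        "grouped_pct": round(100 * grouped / len(shown)) if shown else 0,
        "limit": limit,
        "total_matched": len(matched),
        "total_active": len(active),
        # Alerts that exist but are not on screen (suppressed or past the limit).
        "not_shown": len(active) - len(shown),
    }

# Constructed sample alerts.
ALERTS = [
    Alert("a1", 4, "2024-05-01T10:00:00Z", group="g1"),
    Alert("a2", 6, "2024-05-01T10:05:00Z", group="g1"),
    Alert("a3", 6, "2024-05-01T09:00:00Z"),
    Alert("a4", 5, "2024-05-01T08:00:00Z", suppressed=True),
    Alert("a5", 3, "2024-05-01T07:00:00Z", group="g2"),
    Alert("a6", 6, "2024-04-01T07:00:00Z", archived=True),
]

if __name__ == "__main__":
    for name, value in alert_list(ALERTS, limit=3).items():
        print(f"{name}: {value}")
```

With a limit of 3, the suppressed Major alert `a4` and the Warning `a5` are both active but absent from the rows, which is the gap between Showing, Total matched, and Total active.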
Alert anomaly detection
IBM Cloud Pak for AIOps analyzes alert counts over time to learn about the normal pattern of behavior to detect situations such as alert storms. If an anomalous alert rate is detected, an alert is raised and displayed as a metric anomaly in the Alert Viewer. When you click this alert, the Alert details panel depicts the expected values against the actual values.