Searching and filtering alerts

Search for alerts by name, or filter the list based on selected criteria. You can also save a filter configuration for future use.

  1. Click the navigation icon at the upper-left corner of the screen to go to the main navigation menu.
  2. In the main navigation menu, click Operate > Alerts.

Predefined alert filters

All alerts are displayed in the alert list by default. Click the downward-pointing chevron icon to select from the following predefined filters:

  • Alerts with runbooks

  • Alerts with topology

  • Critical

  • Last 24 hours

  • Last 7 days

  • Last hour

  • Open alerts

  • Part of an incident

Filter alerts

Click Filter to open the filter side panel. Two filter modes are available to build your filter: Basic and Advanced.

Note: Advanced filters cannot be viewed in Basic mode.

Figure. Alert filters

Basic mode

  • Select from the following filters for alerts:

    • Severity:

      • Critical

      • Major

      • Minor

      • Warning

      • Informational

      • Indeterminate


    • Suppressed:

      • Yes
      • No

    • State:

      • Open
      • Clear
      • Closed

    • Insights:

      • Part of an incident
      • Runbooks available
      • Enrichment

    • Impacted applications:

      Find impacted applications to filter by.


    • Grouping insights:

      • Temporal
      • Scope-based
      • Topological

    • Trigger alert:

      • Yes
      • No

  • Expand Other properties and complete the fields as follows:

    • AND and OR: when adding conditions, you can join multiple condition types by using the AND and OR operators. The AND operator means that alerts are matched only if all of the individual conditions are true. The OR operator means that alerts are matched if any of the individual conditions are true. The default behavior for alert filter conditions is AND.

    • Property: select from alert attributes that are predefined for Cloud Pak for AIOps and common to most alerts.

      • To narrow the scope to a single key within the alert's details, enter a string value in the Property field that matches a key from an alert's details. For example, if you enter "field1" in the Property field, it is understood as "details.field1". Then, enter the string value in the Value field. Note: The permitted characters for the "details" field are A to Z, a to z, 0-9, and "_" (underscore).

      • You can also access more properties of alert.sender, alert.resource, and alert.type by typing your custom property in the Property field. For example, to filter alerts where alert.sender.customProperty = "custom", type sender.customProperty and select "Property: sender.customProperty". The only permitted special character for custom properties is "_" (underscore).

        For more information, see Examples of policy conditions mapped to alert JSON.

        Figure. Custom property filter

    • Operator: select a comparison operator from this list. The range of comparisons available is determined by your selection in the Property field.

    • Value: the fields (or free-form string value) that appear here are dependent on the options that are selected in the Property and Operator lists.

  • Click Reset filter to clear changes that have been applied to a filter, or select Clear all from the list of options (three vertical dots). From the options list you can also Delete filter and Edit filter settings.

Advanced mode

  • The Advanced tab allows you to create custom filter conditions. The filter language is based on a version of the PostgreSQL WHERE clause. For more information about the filter language syntax, see Advanced filter language syntax.

    Figure. Advanced filter conditions

  • When entering a filter on the Advanced tab, the syntax is validated as you construct the expression. The editor does not allow you to apply or save a malformed expression. A green checkmark indicates that the syntax is correct.

    Figure. Malformed expression

  • As you type, example values are suggested based on supported alert and incident properties. For more information about properties that can be searched on with data types, see Issue resolution API reference (Swagger). However, you are not required to use these values. Custom properties can also be used, although no suggestions are provided for them. Note that alert or incident insight properties are not supported.

    When a filter is saved in advanced mode, it cannot be converted back to basic mode. The Basic tab is no longer displayed when editing an advanced filter.

    Figure. Advanced filter

    Warning: Excessive use of regular expressions with the Like operator can impact performance.

  • Click Apply to apply your filter condition.

  • Click Reset filter to clear changes that have been applied to a filter, or select Clear all from the list of options (three vertical dots). From the options list you can also Delete filter and Edit filter settings.

To update an existing filter

  • After you have modified the existing filter criteria, click Save.

  • A Filter updated message is displayed to confirm that your changes have been saved.

Note: An asterisk (*) is displayed next to the filter name if there are unsaved changes to the selected filter. An asterisk is also displayed when another user has modified the current filter. Unsaved filters are only applied to the already fetched alerts. Click Reset filter in the filter side panel to get the latest changes to the filter and have them applied to the alert list.

To create or save a new filter

  • Click the three vertical dots in the Filter conditions side panel to open the list of options.

  • To modify an existing filter and save it under a new name, select Save as a new filter.

    Figure. Filters side panel

    1. Enter a Filter name and Description.

    Figure. alerts save as new filter

    Note: Filter names must be unique across different categories of filters, whether a normal filter or a restriction filter set by an administrator. If a chosen filter name is already in use for any type of filter, an error message is displayed to say the filter name exists.

    Select who can use this filter from the following options:

    • Only me

    • Specified users, user groups, or both: to manage access, you can select users, user groups, or both. Any selection that you make includes yourself. After you select the users or user groups who can use the filter, you must specify their level of access:

      • Can use: users can see the filter in the drop-down list and apply it to the list of alerts.
      • And edit: users can use, edit, and save the filter.
      • And manage: users can use, edit, and manage the filter name, description, and access control.

    • Everyone: also specify whether everyone can Use this filter or Edit this filter.

    2. Click Save as new filter.
  • To create a new blank filter, select Create filter. This is equivalent to Save as a new filter > All alerts.

To save as new restriction filter

If you are an administrator who has manage profiles privileges enabled, Role Based Access Control (RBAC) functionality allows you to see and click the Save as a new restriction filter option, and so apply certain restriction filters, incidents in this case.

  • After you have applied the filters, click the three vertical dots in the Filter conditions side panel to open the list of options.

  • Select Save as new restriction filter from the dropdown.

    Figure. Filters side panel

    The Save a new restriction filter dialog that opens differs slightly from the regular Save a new filter dialog window, including in the fields to complete, as shown below.

    Figure. alerts save as new restriction filter

  • Click Save as new restriction filter.

    Notes:

    • A Role Based Access Control (RBAC) restriction filter applied to a user filters the data that the user sees. The user can still apply their own filter conditions on top of that RBAC filter.

    • Free-form string values that are applied on top of a saved filter, either by using the search text field or the filter conditions side panel, are case-insensitive. However, saved filters applied to the incident list are case-sensitive.
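
The Basic-mode property rules (bare key read as details.<key>, custom sender/resource/type properties, permitted characters, AND/OR joining) and the restriction-filter note above, modelled as an added illustration that is not IBM's code or the product's implementation. Assumptions: the PREDEFINED set, equality-only comparison, the constructed sample alerts, and reading "on top of" the RBAC filter as a logical AND.

```python
import re

PREDEFINED = {"state"}  # assumption: stand-in for the product's predefined property list
ROOTS = ("sender", "resource", "type", "details")
NAME_RE = re.compile(r"[A-Za-z0-9_]+")  # permitted characters per the notes on this page


def resolve_property(name):
    """Map a Property-field entry to a path into the alert JSON."""
    parts = name.split(".")
    if not all(NAME_RE.fullmatch(p) for p in parts):
        raise ValueError(f"illegal character in property {name!r}")
    if len(parts) == 1:
        # A bare key that is not predefined is read as details.<key>.
        return parts if name in PREDEFINED else ["details", name]
    if parts[0] in ROOTS:
        return parts  # custom property such as sender.customProperty
    raise ValueError(f"unsupported property {name!r}")


def lookup(alert, path):
    """Walk the path through nested dicts; a missing key yields None."""
    for key in path:
        if not isinstance(alert, dict) or key not in alert:
            return None
        alert = alert[key]
    return alert


def matches(alert, conditions, join="AND"):
    """conditions: (property, value) pairs compared for equality; AND is the default join."""
    if not conditions:
        return True  # an empty filter matches every alert
    hits = [lookup(alert, resolve_property(p)) == v for p, v in conditions]
    return all(hits) if join == "AND" else any(hits)


# Constructed sample alerts, not taken from a real system.
ALERTS = [
    {"id": "a1", "state": "open", "sender": {"customProperty": "custom"},
     "details": {"field1": "db"}},
    {"id": "a2", "state": "open", "sender": {"customProperty": "other"},
     "details": {"field1": "db"}},
    {"id": "a3", "state": "closed", "sender": {"customProperty": "custom"},
     "details": {"field1": "web"}},
]


def select(restriction, user_conditions, join="AND"):
    """Restriction filter first; the user's own conditions can only narrow the result."""
    return [a["id"] for a in ALERTS
            if matches(a, restriction) and matches(a, user_conditions, join)]
```

In this model, switching the user's join to OR widens what the user's own conditions match, but never beyond what the restriction filter already allows.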