Global and Location Alert Conditions
There are two different types of alert conditions in an alert rule: global alert conditions and location alert conditions. Note that these conditions are not triggered based on physical location, but on the conditions they meet. A global alert is a triggering event, where all the conditions set out in the alert have been met and the alert becomes active. A location alert is a qualifying event, where only a portion of the conditions are met, but which still qualifies as belonging to the global event.
In the example below, a global alert is triggered on the HTTP connect response alert if the following conditions are met:
Any location conditions are met by 10% of agents associated with 8 tests for 2 of 2 times in a row.
The location conditions are:
Connect Time is greater than or equal to 150 ms.
Response Time is greater than or equal to 100 ms.
Once the global alert condition has been triggered, any agent which meets the location alert conditions in a single round will be included as “active” in the alert as long as the global alert remains active. When an agent no longer meets the location alert conditions, it will no longer show as “active” but will remain associated with the alert.
For example, in the image below, you can see that for the HTTP connect response alert the Panama City agent triggered the global alert first at 11:25 (see Start column). While it was still active, the Copenhagen, Palermo, and Seoul agents also met the location alert conditions at 11:40, but then became inactive once their response times decreased to below the local alert conditions (as seen in the Current metric column). The alert remains active until Panama City - or the last remaining active agent - no longer meets the location alert conditions.
A location alert is included within a global alert when a single alert trigger meets the location alert conditions for at least one round, regardless of the thresholds set for the global alert. An alert trigger is the element that a specific test type is set to examine, and includes:
For Cloud and Enterprise Agent tests, the alert is triggered by agents.
For Endpoint Agent tests, the alert is triggered by visited sites or by Endpoint Agents.
For BGP tests, the alert is triggered by BGP monitors.
For device tests, the alert is triggered by interfaces.
For Internet Insights tests, the alert is triggered by affected tests or by catalog providers.
Location alerts trigger and clear independently from the global alert. If you see multiple location alerts triggered under a global alert, you cannot assume that all the listed location alerts met the initial alert criteria on a per-round basis. They could have been added for meeting the condition for only one round. To verify which location alerts initially triggered the global alert condition, it is best to check the test data.
The only location alerts displayed in the UI at the start of an active global alert are the location alerts active at the time of trigger. This can lead to scenarios where a flapping alert trigger was involved in the evaluation criteria of a location alert being triggered, but has since cleared before the global alert becomes active. For example, imagine alert criteria that state "Any 2 agents have an error 3 out of 3 rounds," and the following occurs:
Agent A - meets condition in rounds 1, 2, 3
Agent B - meets condition in rounds 2 and 3
Agent C - meets condition in round 1
In the scenario listed above, 2 agents meet the criteria 3 out of 3 rounds: round 1 is agents A and C, rounds 2 and 3 are agents A and B. At the global alert trigger, only agents A and B will be listed in the location alerts, since agent C cleared before the global alert triggered, even though agent C contributed to the trigger of the alert. This will only happen when the alert conditions require multiple agents to meet the alert criteria for multiple rounds in a row.
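The A/B/C scenario above, together with the single-round inclusion rule described earlier, as a simplified Python model. This is an added example, not ThousandEyes code: the function names, the per-round set layout, the count-based threshold, and agent D with rounds 4 to 6 are assumptions constructed for illustration.

```python
# Simplified model of the evaluation described in the text (added example,
# not ThousandEyes code). Threshold is an agent count, as in "Any 2 agents".

def evaluate(rounds, min_agents, required_rounds):
    """rounds: list of sets, one per round, holding the agents that met the
    location conditions in that round. Returns alert state, or None."""
    streak = 0      # consecutive rounds in which >= min_agents met the conditions
    alert = None
    for idx, meeting in enumerate(rounds, start=1):
        if alert is None:
            streak = streak + 1 if len(meeting) >= min_agents else 0
            if streak == required_rounds:
                window = rounds[idx - required_rounds:idx]
                alert = {
                    "trigger_round": idx,
                    # Only agents meeting the conditions in the trigger round
                    # are listed when the global alert becomes active.
                    "listed_at_trigger": set(meeting),
                    # Every agent that counted toward the threshold in the window.
                    "contributors": set().union(*window),
                    "associated": set(meeting),
                    "active": set(meeting),
                    "cleared_round": None,
                }
        elif alert["cleared_round"] is None:
            # While the global alert is active, a single qualifying round
            # is enough for an agent to be added to it.
            alert["associated"] |= meeting
            alert["active"] = set(meeting)
            if not meeting:     # last active agent stopped meeting the conditions
                alert["cleared_round"] = idx
    return alert

def hidden_contributors(alert):
    """Agents that helped trigger the alert but cleared before it became active."""
    return alert["contributors"] - alert["listed_at_trigger"]

# Constructed input: rounds 1-3 are the A/B/C scenario; agent D and
# rounds 4-6 are added here to show behaviour after the trigger.
ROUNDS = [{"A", "C"}, {"A", "B"}, {"A", "B"}, {"A", "D"}, {"A"}, set()]

if __name__ == "__main__":
    result = evaluate(ROUNDS, min_agents=2, required_rounds=3)
    print("listed at trigger:", sorted(result["listed_at_trigger"]))
    print("hidden contributors:", sorted(hidden_contributors(result)))
    print("associated:", sorted(result["associated"]), "cleared:", result["cleared_round"])
```

Agent C appears only in the hidden contributors set, and agent D is associated with the alert after one qualifying round, which is why the per-round test data is the reliable source for what caused the trigger.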