To understand the root cause of an alert you receive from the ThousandEyes platform, use the details of the alert to interpret what thresholds triggered it. You can look up the details of an alert from the Alert List widget in a dashboard, or from Alerts > Alert List.

Looking Up Alerts from a Dashboard

The Dashboards screen is available as the default page when you log in to the ThousandEyes platform. If your dashboard includes the Alert List widget, click the name of the active alert in the Alert Source column (see figure below). This will take you to the Views screen for the affected test, where you can view details of the test anomaly that triggered the alert. See Getting Started with Views for more information about how to understand test views.

Looking Up Alerts from the Alert List

Current and past alerts can be viewed on the Alerts > Alert List page. The Alert List page has two tabs, with lists arranged chronologically by Start time by default (though you may sort by other columns as well):

• Active Alerts: List of alerts currently active for any test within your account group. The tab refreshes every two minutes.

• Alerts History: List of alerts no longer active from tests in your account group.

To quickly understand what an active alert is telling you:

1. When you receive an alert from the ThousandEyes platform, go to Alerts > Alert List in the platform.

2. Use the search bar to find a specific alert. For more information on searching for alerts, see Active Alerts.
3. Having located the alert, use the Impacted Tests column to see the test that is associated with the alert rule that was triggered. You can also see related metrics that help show why this alert rule was triggered.

4. Expand an active alert by clicking anywhere on the row of the alert rule. A side panel will open.
5. Click the stack icon to the right of an impacted alert trigger (e.g., agent or monitor) to view the test results in a separate tab for that specific alert trigger. The test results offer a timeline view of the alert activity.

Active Alerts

The following sections describe how to understand and use all the elements of the Active Alerts and Alerts History screens, for a deeper understanding of alerts and their test implications.

On the Active Alerts tab, you will find:

• Search: Type search criteria into the field marked "Filter by test name or scope…" at the top to search for matching alerts. The number of results are shown to the right of the search field. The text you enter can match Alert ID, Alert Rule Name, Alert Type, Test ID, Test Name, Test Type, or Severity. If you enter more than one search criterion, select either All or Any in the dropdown next to the search field to specify whether the results returned should match all (AND) or any (OR) of the selected criteria. You must hit Return/Enter (not Space) between search criteria to create multiple search terms. When you search on the Alert Rule Name, the results include alerts with names that fit any of the following:

  • Match at least 75% of keywords in the search text.

  • Contain the search text as a phrase.

  • Match the search text exactly.

  Note: The search field acts exactly the same in the Alerts History tab.
• Alert Rule: Name of the alert rule currently active. For a quick overview of the alert criteria, click the info icon that appears next to the alert name on hover. A tooltip appears that identifies the test type, test direction, and alert condition(s) triggered.
• Start ([your_timezone]): The date and time when the alert first triggered, set to your timezone. For more information about timezones, see Working with Time Zone Settings.

• Scope: The objects that the alert covers, and their number. These are set by alert type, as listed below:

  Objects	Alert Type
  Agents	Agent to Server
  Agents	Agent to Agent
  Agents	Path Trace
  Agents	DNS Trace
  Agents	DNSSEC
  Agents	HTTP Server
  Agents	Page Load
  Agents	Web Transaction
  Agents	FTP Server
  Agents	Endpoint End-to-End (Server)
  Agents	Endpoint Path Trace
  Agents	Endpoint
  Agents	Application
  Agents	API
  Locations	Network Outage
  Locations	Application Outage
  Networks	SIP Server
  Networks	RTP Stream
  Devices	Device
  Devices	Interface
  Endpoints	Endpoint HTTP Server
  Servers	DNS Server
  Monitors	BGP

  Note: The Scope column in the details dialog for each alert may display a different object. For example, an alert with a scope of Network or Server in the Active Alerts screen will display agents in the Scope column of the details dialog. This is because the data for these tests ultimately comes from agents.

• Impacted Tests: The name of the test the alert applies to.

• Severity: Shows the severity of the alert. Find more information about alert severity in Alert Rule Severity.

• Action: Clicking the clock icon in this column on any given alert allows you to suppress the alert. See real-time alert suppression windows for more information.

For more detailed information about a specific alert, click anywhere in the alert rule row; a side panel will open.

Side panel

The side panel offers metadata about the alert rule along the top, including Start date and time, Scope, Impacted Tests (if applicable) and Severity.

The table underneath offers detailed information about each alert trigger within the scope of the alert (alert triggers could be, for example, agents, monitors or catalog providers affected, depending on the test type). The table shows different columns of information depending on the test type: for example, a Prefix column appears on a BGP test alert but does not appear on an alert where agents are affected. Conversely, a Server column will appear on an HTTP server test alert, but not on a BGP test alert.

Note: You can adjust the column widths to view all relevant data within the columns.

As with the Alert List, a search field at the top allows you to search the affected alert triggers. You can search by Scope, Metrics at start, and Current metric. Note: the Metrics at start displays the alert condition triggered, while the Current metric displays the alert status.

Next to each affected alert trigger is a stack icon. This is a link to the test and the test round in which the alert trigger matched the triggering criteria for the alert rule. Clicking this link opens a new tab which takes you to the relevant Views screen, test, and test round.

At the bottom left of the side panel you will find the Alert ID, which you can copy for use within other areas of the platform, such as custom webhooks and API calls. The copy icon appears on hover.

The bottom right offers selectable page view parameters, where you can choose to view up to 50 items per page, move to the next or previous page, or move to a specific page.

Alerts History

The Alerts History tab provides much the same information, and presented in the same way, as the Active Alerts tab, with some notable exceptions, described below.

The Alerts History tab lists previously triggered alerts which are currently in a "cleared" or "inactive" state or are "disabled".

• Search: The search field within Alerts History acts in exactly the same way as the search field in Active Alerts. See Active Alerts for information.

• Date and time selector: Click the date and time field on the top right to narrow your results to a specific time frame.

  The selector defaults to the Fixed Time Interval view when first opened (then to the view last used thereafter). You can select the relevant dates on the calendar itself, type in new dates and times in the date and time fields at the bottom, or select a predetermined time span from the left column (including Today, Yesterday, This Week, Previous Week, This Month and Previous Month). When you’re finished selecting dates, click Apply to view the results.

  Select the Relative Time Interval view to see a wider range of time spans, from the last one hour to the last 90 days. Note: the Relative Time Interval ranges always look backwards from today. The time spans in the Fixed Time Interval view are not fixed to today’s date, such as Previous Week and Previous Month.
• Alert Rule: Name of the alert rule no longer active. The table includes a column for Duration that shows how long the alert was active before clearing. Clicking the Alert Rule row will open up the side panel for more information about the alert.

• Side panel: The side panel works and presents information about cleared alerts in the same way as it does for active alerts. See Active Alerts for information. The only difference is that the Duration is presented at the top alongside Start, Scope, Impacted Tests and Severity.