Alert Drill-Down View
The Alert drill-down view is your primary workspace for understanding how and why an alert fired. It goes beyond the raw notification by bringing together real-time charts, query logic, trigger conditions, and schedules in a single place.
You will use the Alert drill-down view when:
- A notification has fired and you want to confirm what triggered it
- You need to investigate whether the alert indicates a real issue or a false positive
- You want to see historical patterns alongside live system behavior
- You are preparing to refine or duplicate an alert and need to review its current setup
By monitoring the live chart, you can compare actual system behavior with thresholds or anomaly bands. The query and conditions show exactly what rules are evaluated, and the schedule and notifications explain when the alert is active.
In practice, the Alert drill-down view helps you to:
- Validate alerts during active incidents
- Investigate possible root causes by reviewing the triggering conditions
- Decide whether to acknowledge, adjust, or escalate the alert
- Copy the configuration using Code Preview if you want to manage alerts as code
- Adjust your alerts to be more accurate based on their observed behavior, changing or adding thresholds to reduce alert fatigue or to increase sensitivity for critical alerts.
Once you have reviewed an alert, typical next steps include:
- Acknowledging or resolving the alert as part of an incident
- Editing or duplicating the alert if the configuration needs refinement
- Exporting the configuration through Code Preview to use in automation workflows
The Alert drill-down view gives you clarity and control at the moment it matters most: when an alert fires and you must quickly determine if it is noise, risk, or a critical issue to act on.
Each Alert drill-down screen is organized into the following sections:
Header
- Alert name: Title of the alert, shown with a status badge (for example, Alerting).
- Alert type: Shown beneath the name (for example, Logs – Threshold, Metrics – Anomaly, Tracing – Threshold).
- Labels: Custom labels associated with the alert (for example, security, latency_limit, product_data).
- Actions: Icons to view as code, edit, duplicate, or delete the alert, and to select the time window (for example, Last 6 hours).
Description
A free-text field explaining the purpose of the alert (for example, Use this alert in cases).
Overview
The Overview section displays the chart that represents the live evaluation of the alert. This is not just a graph: it shows the actual values used by the alert engine to determine whether conditions are met.
- Alert state view: Shows when the alert was Okay, Alerting, or Suppressed.
- Thresholds or anomaly bands: Visual markers of the alert conditions (such as static thresholds, deviation bands, or unique count limits).
- Timeline: A horizontal bar beneath the chart highlights alert states in red (Alerting), green (Okay), and gray (Suppressed).
What the chart represents for each alert type
- Logs alerts:
  - Immediate: Triggered = Red, Not triggered = Green
  - Threshold: Log hit count in the defined time window
  - Ratio / Time Relative: Calculated ratio between the two queries
  - Unique Count: Number of unique values
  - Dynamic: The distance to the estimated value
  - New Value: 1 if a new value appeared, 0 if resolved
- Metrics alerts:
  - PromQL:
    - Triggered: Last value over threshold
    - Resolved: Last value
  - Dynamic: The distance to the estimated value
  - SLO / Budget / Burn Rate: Burn rate or error budget values (single or dual window)
- Tracing alerts:
  - Immediate: Trigger/resolve signal
  - More Than: Number of spans exceeding threshold
  - Flow: Triggered = Red, Not triggered = Green
Note
All alert evaluations (for Logs, Metrics, and Tracing) are performed per permutation, meaning calculations, thresholds, and trigger states are determined individually for each unique combination of the alert's defined group-by fields.
Suppressed and snoozed states
Some periods may show as suppressed (gray or hatched). This happens when alerts are:
- Snoozed manually
- Muted automatically by activity analysis
- Suppressed by schedule because they fall outside active hours
Why this matters
The chart lets you validate alert behavior:
- Confirm if thresholds or anomalies are truly being breached
- See exactly why an alert is in Alerting, Okay, or Suppressed state
- Validate that the logic is behaving as expected before adjusting conditions
Query
Shows the query logic used to evaluate the alert, in Lucene, PromQL, or other supported query languages.
- Queries may compare averages, counts, or ratios across variables.
- Some alerts include multiple queries (for example, Ratio Threshold alerts).
Condition
Lists the trigger conditions for different severity levels.
Examples:
- P1: When the number of logs within 10 minutes is more than 1.
- P2: When CPU usage > 80%.
- Anomaly alerts may include Percentage deviation.
- Unique count alerts show the max unique values allowed.
- Time-relative alerts can include a trigger-on-infinity option or handling for undetected values.
Some conditions include advanced controls such as:
- Delay alert evaluation: A buffer period before the condition is checked.
- Replace missing values with 0: For handling gaps in data.
- Auto retire undetected values: Rules for deactivating unused conditions.
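As an added illustration (not Coralogix code and not its alert engine), the following Python models the semantics described in the Note above and in this Condition section: a P1-style Logs threshold condition (more than 1 log within 10 minutes) evaluated separately for each group-by permutation, with the Replace missing values with 0 control and schedule-based suppression. The log records, timestamps, group-by field names and schedule values are constructed assumptions.

```python
"""Model of per-permutation threshold evaluation plus schedule suppression.
Added illustration only; it is not Coralogix's engine or API."""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 600   # "within 10 minutes"
THRESHOLD = 1          # "more than 1"
BASE = 1_700_000_000   # constructed anchor: Tue 2023-11-14 22:13:20 UTC

# Constructed sample logs; 'ts' is epoch seconds, 'app'/'region' are the group-by fields.
SAMPLE_LOGS = [
    {"ts": BASE + 0,   "app": "auth",    "region": "eu"},
    {"ts": BASE + 100, "app": "auth",    "region": "eu"},
    {"ts": BASE + 200, "app": "auth",    "region": "us"},
    {"ts": BASE + 300, "app": "billing", "region": "eu"},
    {"ts": BASE + 700, "app": "billing", "region": "eu"},
]

def hits_per_permutation(logs, group_by, window_end, window=WINDOW_SECONDS):
    """Count hits in (window_end - window, window_end] for each unique group-by combination."""
    counts = defaultdict(int)
    for rec in logs:
        if window_end - window < rec["ts"] <= window_end:
            counts[tuple(rec[f] for f in group_by)] += 1
    return dict(counts)

def in_schedule(ts, active_weekdays, active_hours):
    """Schedule check: active_weekdays use Python numbering (0=Mon); active_hours is [start, end) UTC."""
    dt = datetime.fromtimestamp(ts, timezone.utc)
    return dt.weekday() in active_weekdays and active_hours[0] <= dt.hour < active_hours[1]

def evaluate(logs, group_by, window_end, threshold=THRESHOLD, replace_missing_with_zero=True,
             active_weekdays=range(7), active_hours=(0, 24)):
    """Return {permutation: 'Alerting' | 'Okay' | 'Suppressed'}, one state per permutation."""
    # Every permutation seen anywhere in the data set is a candidate for a state.
    seen = {tuple(rec[f] for f in group_by) for rec in logs}
    if not in_schedule(window_end, active_weekdays, active_hours):
        # Outside active hours the evaluation is suppressed (grey on the timeline).
        return {perm: "Suppressed" for perm in seen}
    counts = hits_per_permutation(logs, group_by, window_end)
    states = {}
    for perm in seen:
        if perm not in counts and not replace_missing_with_zero:
            continue  # undetected permutation: no value, so no state is emitted
        states[perm] = "Alerting" if counts.get(perm, 0) > threshold else "Okay"
    return states
```

Run evaluate() at successive window ends to reproduce the per-permutation timeline the chart shows; the same permutation can be Alerting in one window and Okay in the next while its neighbours stay Okay.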
Schedule
Shows when the alert is active.
- Days of the week
- Active hours
Actions
You can:
- Duplicate: Creates a copy of the current alert, which you can then edit and save as a new alert.
- Edit: Opens the alert in edit mode so you can adjust queries, conditions, notifications, or schedules.
- Delete: Permanently deletes the alert. This action cannot be undone.
Code Preview
Code Preview opens a side panel that displays the full definition of the alert in YAML (Coralogix Operator) or Terraform (HCL) format. This gives you direct visibility into how the alert is structured behind the scenes.
From this view you can:
- Copy the configuration for later use in automation or infrastructure-as-code workflows.
- Switch between YAML and Terraform formats using the toggle at the top of the panel.
- Collapse or expand sections of the code to navigate more easily.