Early access

Alert reasoning is in early access, rolling out to selected teams, and may change. To request access, contact your Coralogix account representative or Support.

When a Case is triggered by an alert that evaluates a metric, **Alert reasoning** shows how the alert engine evaluated that metric and lets you compare it against the raw metric. This helps you tell a real signal from a data-quality issue, such as a scrape failure, suppression, or late-arriving data, without leaving the Case to pull the metric in Explore.

It answers the question investigators ask first: can I trust this signal before I act on it?

## Why this matters

A Case opens at 2am for a latency alert, and the chart shows a spike. The on-call engineer has to decide fast: page the owning team, or stand down. Until now, the only way to check whether the spike was real was to leave the Case, open Explore, pull the same metric, and eyeball it. That costs minutes on every Case and invites two expensive mistakes:

- **Escalating a data gap.** A scrape failure or late-arriving data can look just like a spike, so a team gets paged for a problem that never happened.
- **Dismissing a real incident.** A genuine spike gets written off as data noise, and a real outage is missed.

Alert reasoning puts the answer inside the Case. Turn it on and compare the engine's reading against the raw metric. If **Engine Value (Evaluated then)** has a gap where the spike appears while the recomputed line and the raw metric stay steady, the alert fired on missing data, not an incident, and you can resolve the Case with confidence. If the lines agree, the signal is trustworthy and you can act immediately. Either way, you reach a decision in seconds, without leaving the Case.

## What you need

- Access to Cases.
- A Case triggered by an alert that performs a metric evaluation: a metric alert, a logs-to-metric alert, or a tracing-to-metric alert. Alert reasoning does not appear for pure log or flow alerts, which have no metric step.
- Early access enabled for your team.

## Turn on Alert reasoning

Open a Case and stay on the **Triage** tab. In the alert chart section, turn on the **Alert reasoning** toggle in the top right, next to **Case Timeframe**. It adds two charts below the existing alert chart: the evaluation chart and the **How this alert was evaluated** panel, and the original alert chart stays in place. Turn the toggle off to hide the reasoning charts.

## Read the evaluation chart

The top chart shows how the alert evaluated across the **Case timeframe**. Colored bands under the chart mark the alert state over time:

- **Alerting**: the alert was firing.
- **OK**: the condition was healthy.
- **No Data**: the engine had no data to evaluate.
- **Suppressed**: evaluation was suppressed.

An **Inspected Hour** window highlights the part of the timeline you are examining. On an open Case the chart keeps updating as new data arrives.

## Compare what the engine saw

The **How this alert was evaluated** panel plots three series over the evaluated range, so you can see where the engine's view and the underlying metric diverge:

- **Engine Value (Evaluated then)**: the value the engine computed at the time it evaluated.
- **Engine value (recomputed now)**: the same evaluation recomputed now, after all data has arrived.
- **Raw metric**: the underlying metric series.

Where **Engine Value (Evaluated then)** drops out while the other lines continue, the engine had no data when it evaluated: a **data gap**. Gaps are often why an alert fired, missed, or flapped for a reason that is not a real incident. The panel header shows the exact range it evaluated. The evaluated range looks back one hour from the evaluation point.

## Open the queries in Metrics Explorer

Select **View query** to open the **Queries** drawer, which lists the **PromQL** query behind each chart series. Select **Open in Metrics Explorer** on a query to open it in Metrics Explorer, where you can adjust it, change the timeframe, and explore related metrics. The drawer is built from the saved queries, so it still works even if a chart failed to load. Sometimes the comparison chart cannot load all three evaluation series; when that happens, the view highlights it, and you can open the queries in Metrics Explorer to see the full results. Select **View metric** to focus the chart on the underlying metric.

## Review the alert details

With Alert reasoning off, the panel shows the standard **Alert details**: the alert **Description**, its **Entity Labels**, and the **Query** the alert runs, in PromQL. Use these to confirm exactly what the alert measured.

## Limitations

- Alert reasoning appears only for alerts that perform a metric evaluation. It is hidden for pure log and flow alerts.
- For alerts with more than one query, such as ratio or composite alerts, the view focuses on the primary query in this version.
- The comparison chart cannot always load all three evaluation series. When results are incomplete, the view highlights it, and you can open the queries in Metrics Explorer to see them.
- This is an early-access feature. Behavior and wording may change as it is calibrated on real Cases.

## Related resources

- [Working with Cases](https://coralogix.com/docs/user-guides/cases/working-with-cases/index.md)
- [Cases overview](https://coralogix.com/docs/user-guides/cases/overview/index.md)
- [Alerting](https://coralogix.com/docs/user-guides/alerting/introduction-to-alerts/index.md)