alerts.history

Purpose

The alerts.history dataset tracks the complete history of alert events. It records the lifecycle of each alert, including when it was triggered, its status, its priority, and related metadata. This dataset is vital for monitoring, auditing, and analyzing alert patterns across your environment: it lets you follow alert activity over time, review historical alerts, and confirm that alerts are being managed effectively.

Schema description

| Full JSON path | Field data type | Field data example | Description |
|---|---|---|---|
| alert.alertDataUrl | String (URL) | "https://coralogix.com/#/insights?id=76c411be-gg4d-4fb1-a987-5fce042deaaf" | Link to the incident page for this alert. |
| alert.groupingKey | String | "cpu.usage[host=db-01]" | Used as the deduplication key. |
| alert.groups | Array | [{"keyValues":{"resource":{"attributes":{"Team":"SRE"}},"coralogix":{"metadata":{"subsystemName":"payments-api"}}}}] | List of alert groups associated with the alert (including priority and key-values). |
| alert.groups.keyValues | Object | {"resource":{"attributes":{"Team":"SRE"}},"coralogix":{"metadata":{"subsystemName":"payments-api"}}} | Key-value pairs associated with the alert group. |
| alert.groups.keyValues.resource | Object | {"attributes":{"Team":"SRE"}} | Resource section of the group key-values. |
| alert.groups.keyValues.resource.attributes | Object | {"Team":"SRE"} | Resource attributes map. |
| alert.groups.keyValues.resource.attributes.Team | String | "SRE" | Team name extracted from resource attributes. |
| alert.groups.keyValues.coralogix | Object | {"metadata":{"subsystemName":"payments-api"}} | Coralogix-specific metadata container. |
| alert.groups.keyValues.coralogix.metadata | Object | {"subsystemName":"payments-api"} | Additional metadata for the alert group. |
| alert.groups.keyValues.coralogix.metadata.subsystemName | String | "payments-api" | Subsystem/service name tied to the alert. |
| alert.id | String | "a1b2c3d4e5" | Unique identifier of the alert (use it to construct alert URLs). |
| alert.priority | String | "P1" | Priority level of the alert group. |
| alert.status | String | "Triggered" | Current status of the alert (e.g., Triggered). |
| alert.timestamp | Number (ns since epoch) | 1753910400000000000 | Timestamp indicating when the alert was triggered. |
| alertDef.alertVersionId | String | "v-2025-08-01-3" | Version ID associated with the alert definition. |
| alertDef.createdTime | Number (ns since epoch) | 1753305600000000000 | Timestamp when the alert definition was created. |
| alertDef.description | String | "CPU usage exceeds 85% for 5 minutes" | Textual description of the alert definition. |
| alertDef.entityLabels | Array | ["host","region"] | Labels associated with the alert definition. |
| alertDef.groupByKeys | Array | ["host","region"] | Keys by which the alert is grouped. |
| alertDef.id | String | "alertdef-123" | Unique identifier of the alert definition. |
| alertDef.incidentSettings | Object | {"notifyOn":"Triggered"} | Configuration related to incident settings. |
| alertDef.incidentSettings.notifyOn | String | "Triggered" | Notification setting for the alert definition. |
| alertDef.name | String | "CPU Usage Alert" | Name of the alert definition. |
| alertDef.priority | String | "P1" | Priority level of the alert definition. |
| alertDef.retriggeringPeriod | Number (minutes) | 5 | Time after which the alert can be retriggered. |
| alertDef.status | String | "Active" | Current status of the alert definition. |
| alertDef.type | String | "metricThreshold" | Type of the alert definition. |
| alertDef.updatedTime | Number (ns since epoch) | 1753910400000000000 | Timestamp when the alert definition was last updated. |

How the data in this dataset can be used

Alert lifecycle analysis

By querying the alert.timestamp, alert.status, and alertDef.priority fields, you can track the lifecycle of each alert, such as how long it remains in the Triggered state before it is Resolved. This helps identify bottlenecks or delays in the incident response process.

Example query (the field paths follow the schema above; alert.timestamp is in nanoseconds since the epoch, so the difference is divided by 1,000,000 to express the duration in milliseconds):

source system/alerts.history
| groupby alert.id aggregate
    min_if(alert.status == "Triggered", alert.timestamp) as triggered_time,
    min_if(alert.status == "Resolved", alert.timestamp) as resolved_time,
    any_value(alertDef.priority) as priority
| create duration_ms from (resolved_time - triggered_time) / 1000000
| filter duration_ms != null

Historical audit and compliance

The alerts.history dataset can be used for compliance audits to ensure alerts are triggered and resolved according to organizational policies. You can track historical alert data, verify response times, and confirm that critical alerts are handled with appropriate urgency.

Example query (the timestamp literal is a nanosecond-since-epoch value marking the start of the audit window; the count is of alert event rows, not of distinct alerts):

source system/alerts.history
| filter alert.timestamp > 1755456429914000000
| filter alertDef.priority == "P1"
| groupby alertDef.name aggregate count() as alerts
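The two queries above (lifecycle durations per alert, and a P1 audit count per alert definition) can be reproduced offline over exported records. The following is an added example, not Coralogix code: it builds a handful of constructed alerts.history records in the documented nesting (alert.id, alert.status, alert.timestamp in nanoseconds, alert.groups, alertDef.name, alertDef.priority), computes the Triggered-to-Resolved duration in milliseconds, counts P1 rows newer than a cutoff, and goes one step beyond the page by flagging alerts that breached an assumed per-priority response SLA, including alerts that were never resolved. The helper names, the SLA limits, and all record values are this example's own assumptions.

```python
"""Reconstruct alert lifecycles and run a P1 audit over alerts.history records.

Added example: the records below are constructed to match the documented
alerts.history field layout. They are not real Coralogix data, and every
helper name here is this example's own.
"""
from collections import defaultdict

NS_PER_MS = 1_000_000          # alert.timestamp is in nanoseconds since the epoch
MIN_NS = 60 * 1_000_000_000    # one minute expressed in nanoseconds
T0 = 1753910400000000000       # constructed reference instant (the schema's example value)


def make_event(alert_id, status, ts_ns, name, priority, team="SRE", subsystem="payments-api"):
    """Build one constructed alerts.history record with the documented nesting."""
    return {
        "alert": {
            "id": alert_id,
            "status": status,
            "timestamp": ts_ns,
            "priority": priority,
            "groups": [{"keyValues": {
                "resource": {"attributes": {"Team": team}},
                "coralogix": {"metadata": {"subsystemName": subsystem}},
            }}],
        },
        "alertDef": {"id": "alertdef-" + name.lower().replace(" ", "-"), "name": name,
                     "priority": priority, "type": "metricThreshold"},
    }


# Constructed sample (not real data): a0 is an old P1 that was never resolved,
# a1 resolves after 15 minutes, a2 is still open, a3 is a P2 that resolved and retriggered.
SAMPLE_EVENTS = [
    make_event("a0", "Triggered", T0 - 2 * 1440 * MIN_NS, "CPU Usage Alert", "P1"),
    make_event("a1", "Triggered", T0, "CPU Usage Alert", "P1"),
    make_event("a1", "Resolved", T0 + 15 * MIN_NS, "CPU Usage Alert", "P1"),
    make_event("a2", "Triggered", T0 + 30 * MIN_NS, "CPU Usage Alert", "P1"),
    make_event("a3", "Triggered", T0 + 5 * MIN_NS, "Disk Latency Alert", "P2", subsystem="storage"),
    make_event("a3", "Resolved", T0 + 45 * MIN_NS, "Disk Latency Alert", "P2", subsystem="storage"),
    make_event("a3", "Triggered", T0 + 60 * MIN_NS, "Disk Latency Alert", "P2", subsystem="storage"),
]


def group_labels(event):
    """Walk alert.groups[0].keyValues defensively; any missing level yields 'unknown'."""
    groups = event.get("alert", {}).get("groups") or [{}]
    kv = groups[0].get("keyValues", {})
    team = kv.get("resource", {}).get("attributes", {}).get("Team", "unknown")
    subsystem = kv.get("coralogix", {}).get("metadata", {}).get("subsystemName", "unknown")
    return team, subsystem


def lifecycle_durations(events):
    """Per alert.id: earliest Triggered, earliest Resolved, and duration in ms (None while open).

    Mirrors the lifecycle query: min over Triggered rows, min over Resolved rows, per alert.id.
    """
    state = {}
    for ev in events:
        a = ev["alert"]
        rec = state.setdefault(a["id"], {"priority": ev["alertDef"]["priority"],
                                         "triggered_time": None, "resolved_time": None})
        key = {"Triggered": "triggered_time", "Resolved": "resolved_time"}.get(a["status"])
        if key and (rec[key] is None or a["timestamp"] < rec[key]):
            rec[key] = a["timestamp"]
    for rec in state.values():
        t, r = rec["triggered_time"], rec["resolved_time"]
        rec["duration_ms"] = (r - t) // NS_PER_MS if t is not None and r is not None and r >= t else None
    return state


def p1_event_counts(events, since_ns):
    """Rows per alertDef.name for P1 events newer than since_ns (row count, as in the audit query)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["alert"]["timestamp"] > since_ns and ev["alertDef"]["priority"] == "P1":
            counts[ev["alertDef"]["name"]] += 1
    return dict(counts)


def sla_breaches(events, sla_ms_by_priority, now_ns):
    """Alerts whose resolution time, or time still open, exceeds the assumed SLA for their priority."""
    breaches = []
    for alert_id, rec in sorted(lifecycle_durations(events).items()):
        limit = sla_ms_by_priority.get(rec["priority"])
        if limit is None or rec["triggered_time"] is None:
            continue
        if rec["duration_ms"] is None:
            open_ms = (now_ns - rec["triggered_time"]) // NS_PER_MS
            if open_ms > limit:
                breaches.append((alert_id, rec["priority"], "unresolved", open_ms))
        elif rec["duration_ms"] > limit:
            breaches.append((alert_id, rec["priority"], "slow", rec["duration_ms"]))
    return breaches


if __name__ == "__main__":
    for alert_id, rec in lifecycle_durations(SAMPLE_EVENTS).items():
        print(alert_id, rec["priority"], group_labels(SAMPLE_EVENTS[0]), rec["duration_ms"])
    print(p1_event_counts(SAMPLE_EVENTS, since_ns=T0 - 60 * MIN_NS))
    # Assumed SLA: P1 resolved within 10 minutes, P2 within 60 minutes.
    print(sla_breaches(SAMPLE_EVENTS, {"P1": 10 * 60 * 1000, "P2": 60 * 60 * 1000}, now_ns=T0 + 90 * MIN_NS))
```

Two details matter when running this over real exports: the audit count is a count of event rows, so an alert that triggered and resolved contributes two rows, and an alert that never produced a Resolved row is invisible to a duration-only report, which is why the SLA check treats "still open past the limit" as a breach rather than skipping it.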

alerts.history schema

alert
  Represents the alert details, including timestamp, ID, status, and group information.
  alertDataUrl: Link to the incident page (e.g., https://coralogix.com/#/insights?id=76c411be-gg4d-4fb1-a987-5fce042deaaf).
  groupingKey: Used as the deduplication key.
  groups[]: List of alert groups associated with the alert (including priority and key-values).
    keyValues: Key-value pairs associated with the alert group; e.g., "team": "{{alert.groups[0].keyValues.resource.attributes.Team}}" or "service": "{{alert.groups[0].keyValues.coralogix.metadata.subsystemName}}"
      resource
        attributes
          Team
      coralogix
        metadata
          subsystemName
  id: Unique identifier of the alert. Use it to create an alert URL in your notification; e.g., "alert_url": "https://teamname-prod.app.eu2.coralogix.com/#/alerts/{{alert.id}}"
  priority: Priority level of the alert group (e.g., "P1").
  status: Current status of the alert (e.g., "Triggered").
  timestamp: The timestamp indicating when the alert was triggered.

alertDef
  Defines the alert configuration, including name, description, groupings, incident settings, and priority.
  alertVersionId: The version ID associated with the alert definition.
  createdTime: The timestamp when the alert definition was created.
  description: A textual description of the alert definition.
  entityLabels: Labels associated with the alert definition (e.g., host, region).
  groupByKeys: List of keys by which the alert is grouped (e.g., host, region).
  id: The unique identifier of the alert definition.
  incidentSettings: Configuration related to incident settings (e.g., retriggering period).
    notifyOn: Notification setting for the alert definition (e.g., "Triggered").
  name: Name of the alert definition (e.g., "CPU Usage Alert").
  priority: Priority level of the alert definition (e.g., P1).
  retriggeringPeriod: Time in minutes after which the alert can be retriggered.
  status: Current status of the alert definition.
  type: Type of the alert (e.g., "metricThreshold").
  updatedTime: The timestamp when the alert definition was last updated.