alerts.history
Purpose
The alerts.history dataset serves to track the complete history of alert events. It records the lifecycle of alerts, including when they are triggered, their status, priority, and other related metadata. This dataset is vital for monitoring, auditing, and analyzing alert patterns across your environment. It enables users to track alert activity over time, review historical alerts, and ensure that alerts are being managed effectively.
Schema description
| Full JSON path | Field data type | Field data example | description |
|---|---|---|---|
alert.alertDataUrl | String (URL) | "https://coralogix.com/#/insights?id=76c411be-gg4d-4fb1-a987-5fce042deaaf" | Link to the incident page for this alert. |
alert.groupingKey | String | "cpu.usage[host=db-01]" | Used as the deduplication key. |
alert.groups | Array\ | [{"keyValues":{"resource":{"attributes":{"Team":"SRE"}},"coralogix":{"metadata":{"subsystemName":"payments-api"}}}}] | List of alert groups associated with the alert (including priority and key-values). |
alert.groups.keyValues | Object | {"resource":{"attributes":{"Team":"SRE"}},"coralogix":{"metadata":{"subsystemName":"payments-api"}}} | Key-value pairs associated with the alert group. |
alert.groups.keyValues.resource | Object | {"attributes":{"Team":"SRE"}} | Resource section of the group key-values. |
alert.groups.keyValues.resource.attributes | Object | {"Team":"SRE"} | Resource attributes map. |
alert.groups.keyValues.resource.attributes.Team | String | "SRE" | Team name extracted from resource attributes. |
alert.groups.keyValues.coralogix | Object | {"metadata":{"subsystemName":"payments-api"}} | Coralogix-specific metadata container. |
alert.groups.keyValues.coralogix.metadata | Object | {"subsystemName":"payments-api"} | Additional metadata for the alert group. |
alert.groups.keyValues.coralogix.metadata.subsystemName | String | "payments-api" | Subsystem/service name tied to the alert. |
alert.id | String | "a1b2c3d4e5" | Unique identifier of the alert (use to construct alert URLs). |
alert.priority | String | "P1" | Priority level of the alert group. |
alert.status | String | "Triggered" | Current status of the alert (e.g., Triggered). |
alert.timestamp | Number (ns since epoch) | 1753910400000000000 | Timestamp indicating when the alert was triggered. |
alertDef.alertVersionId | String | "v-2025-08-01-3" | Version ID associated with the alert definition. |
alertDef.createdTime | Number (ns since epoch) | 1753305600000000000 | Timestamp when the alert definition was created. |
alertDef.description | String | "CPU usage exceeds 85% for 5 minutes" | Textual description of the alert definition. |
alertDef.entityLabels | Array\ | ["host","region"] | Labels associated with the alert definition. |
alertDef.groupByKeys | Array\ | ["host","region"] | Keys by which the alert is grouped. |
alertDef.id | String | "alertdef-123" | Unique identifier of the alert definition. |
alertDef.incidentSettings | Object | {"notifyOn":"Triggered"} | Configuration related to incident settings. |
alertDef.incidentSettings.notifyOn | String | "Triggered" | Notification setting for the alert definition. |
alertDef.name | String | "CPU Usage Alert" | Name of the alert definition. |
alertDef.priority | String | "P1" | Priority level of the alert definition. |
alertDef.retriggeringPeriod | Number (minutes) | 5 | Time after which the alert can be retriggered. |
alertDef.status | String | "Active" | Current status of the alert definition. |
alertDef.type | String | "metricThreshold" | Type of the alert definition. |
alertDef.updatedTime | Number (ns since epoch) | 1753910400000000000 | Timestamp when the alert definition was last updated. |
How the data in this dataset can be used
Alert lifecycle analysis
By querying the alert.timestamp, alert.status, and alertDef.priority fields, users can track the lifecycle of alerts — such as how long they remain in a triggered state before being resolved. This can help identify bottlenecks or delays in the incident response process.
Example query:
source system/alerts.history
| groupby alert_id aggregate
min_if(status == "Triggered", timestamp) as triggered_time,
min_if(status == "Resolved", timestamp) as resolved_time,
any_value(alertDef.priority) as priority
| create duration_ms from resolved_time - triggered_time
| filter duration_ms != null
Historical audit and compliance
The alerts.history dataset can be used for compliance audits to ensure alerts are triggered and resolved according to organizational policies. You can track historical alert data, verify response times, and confirm that critical alerts are handled with appropriate urgency.
Example query:
source system/alerts.history
| filter timestamp > 1755456429914000000
| filter alertDef.priority == "P1"
| groupby alertDef.name aggregate count() as alerts
alerts.history schema
Link to the incident page (e.g., https://coralogix.com/#/insights?id=76c411be-gg4d-4fb1-a987-5fce042deaaf).
Used as the deduplication key.
Unique identifier of the alert. Use it to create an alert URL in your notification; e.g., "alert_url": "https://teamname-prod.app.eu2.coralogix.com/#/alerts/{{alert.id}}"
Priority level of the alert group (e.g., "P1").
Current status of the alert (e.g., "Triggered").
The timestamp indicating when the alert was triggered.
The version ID associated with the alert definition.
The timestamp when the alert definition was created.
A textual description of the alert definition.
Labels associated with the alert definition (e.g., host, region).
List of keys by which the alert is grouped (e.g., host, region).
The unique identifier of the alert definition.
Notification setting for the alert definition (e.g., "Triggered").
Name of the alert definition (e.g., "CPU Usage Alert").
Priority level of the alert definition (e.g., P1).
Time in minutes after which the alert can be retriggered.
Current status of the alert definition.
Type of the alert (e.g., "metricThreshold").
The timestamp when the alert definition was last updated.