diff --git a/solutions/observability/incident-management/create-manage-rules.md b/solutions/observability/incident-management/create-manage-rules.md index bd9b91ac47..38145a9d81 100644 --- a/solutions/observability/incident-management/create-manage-rules.md +++ b/solutions/observability/incident-management/create-manage-rules.md @@ -64,7 +64,6 @@ From the action menu you can also: * Run rule (without waiting for next scheduled check) * Update API keys - ## View rule details [observability-create-manage-rules-view-rule-details] Click on an individual rule on the **{{rules-app}}** page to view details including the rule name, status, definition, execution history, related alerts, and more. 
@@ -102,3 +101,15 @@ To temporarily suppress notifications for *all* rules, create a [maintenance win To import and export rules, use [{{saved-objects-app}}](/explore-analyze/find-and-organize.md). Rules are disabled on export. You are prompted to re-enable the rule on successful import. + +## Add resources for investigating alerts [observability-create-manage-rules-add-investigation-resources] + +When creating or editing a rule, add the following resources to help you get started with investigating alerts: + +* {applies_to}`stack: ga 9.1` **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the alert's details page. + + ::::{tip} + Use Markdown to format and structure text in your investigation guide. + :::: + +* {applies_to}`stack: ga 9.1` **Related and suggested dashboards**: Link to dashboards that provide useful insights about your environment, active events, and any other information that might be relevant during your investigations. When the rule generates an alert, linked dashboards can be accessed from the **Related dashboards** tab on the alert's details page. From the tab, you can also review and add suggested dashboards (available for custom threshold rules only). diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 5f2cfccb33..88da30bd03 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -65,6 +65,22 @@ To view the alert in the app that triggered it: * From the alert detail flyout, click **View in app**. * From the **Alerts** table, click the {icon}`eye` icon. +## Review related alerts [observability-view-alerts-find-related-alerts] +```{applies_to} +stack: ga 9.1 +``` + +Check related alerts to find other alerts that might be related to the same incident. You can add these alerts to a case and investigate them as a group instead of analyzing them individually. + +To find related alerts, go to the **Related alerts** tab from an alert's details page. Within the table, alerts are ordered from most to least relevant. To only view alerts that were created around the same time as the current alert (+/- 30 minutes), apply the **Triggered around the same time** filter. + +The relevancy of alerts is determined by how closely they match the current alert and other similiarites that they might share: + +1. Alerts in the space are filtered down to only include alerts that were created about one day before or after the current alert. +2. Data from the new subset of alerts is compared against the current alert to identify matching values and similarities. Data such as the time at which alerts were generated or recovered, tags added to the alerts, group values, and more are evaluated. +3. Alerts are scored based on how closely they match the current alert. Alerts with a score above a certain threshold are considered relevant and are included in the list of related alerts. + + ## Understand alert statuses [observability-view-alerts-understand-statuses] There are four common alert statuses:
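Review bot: In the first hunk of create-manage-rules.md (the one at `@@ -64,7 +64,6 @@`), the only change is dropping the blank line between the `* Update API keys` list item and the `## View rule details` heading. That looks accidental rather than intended: every other heading in the two files shown here is preceded by a blank line, and some Markdown renderers treat a heading glued to a list item as part of the list. Suggest reverting that deletion so the heading stays separated from the list.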
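Review bot: In the second hunk of create-manage-rules.md (the new "Add resources for investigating alerts" section), the parenthetical "(available for custom threshold rules only)" at the end of the **Related and suggested dashboards** bullet is ambiguous: it is not clear whether only the suggested dashboards are limited to custom threshold rules, or whether the whole "review and add" action is. Suggest rewording to state explicitly which part is limited, e.g. "Suggested dashboards are available for custom threshold rules only." Also worth a sentence on what happens when a linked dashboard is later deleted or the reader lacks access to it, since the text says the dashboards "can be accessed" from the alert's details page without qualification.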
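Review bot: In the view-alerts.md hunk, the line "The relevancy of alerts is determined by how closely they match the current alert and other similiarites that they might share:" has a spelling error ("similiarites" should be "similarities") and "relevancy" reads better as "relevance". Two further points on the same passage: step 3 says "Alerts with a score above a certain threshold are considered relevant" without saying whether that threshold is fixed or user-configurable; stating that in one clause would save readers looking for a setting that may not exist. Step 1 says the candidate set is "Alerts in the space", which is a useful scoping statement for readers who rely on spaces to separate tenants; consider making it explicit that related alerts never surface alerts from other spaces, since that is the property a reader checking data isolation would want confirmed.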