This article covers the Alerting page in the Kentik portal.

Notes:
For an introduction to Kentik's alerting system, see Policy Alerts Overview.
For a list of all portal locations involved in managing alerts and mitigations, see Alerting Pages.

*The Alerting page lists recent alerts generated by alert policies.*

Alerting Page

The Alerting page lists current and historical alerts from Kentik's alerting system, including alert time, severity, and state, and the dimensions/metric values defined in the alert conditions. It also provides access to the Alert Policies Page, where you can manage and configure alert policies and system responses to alerts (e.g., notifications and mitigations).

Alerting Page UI

The Alerting page includes the following UI elements:

Favorite: A star to the left of the page title, allowing you to add it to the Favorites tab (see Portal Search Tabs).
Alerting Overview (button): Opens the Alerting Overview page.
Manage Alert Policies (button): Opens the Alert Policies Page.
Actions (button): Opens the Page-wide Actions Menu.
Alerting breakdowns: Cards with bar charts showing alert breakdowns by category (state, severity, type, policy, see Alerting Breakdowns).
- Breakdowns cover the time range selected in the Filters tab (see Alerts List Filters).
- Hover over a bar to open a popup with additional information.
Show/Hide Filters (filter icon): Toggles the expanded/collapsed Filters pane.
Group By: A drop-down to choose a property for grouping alerts, e.g., by alert state, ack state, severity, type, policy, or primary dimension.
Search (field): Shows lozenges for any filters applied via the Filter pane, and allows text input for further filtering. Click the X next to the field to clear entered text. Click X in a lozenge to clear the corresponding filter.
Filters (pane): Controls for filtering the Alerts list (see Alerts List Filters).
Alert controls: Apply actions to all selected alerts (controls activate when at least one alert is selected):
- Action buttons: Click to apply actions such as Acknowledge Alert (see Alert Controls).
- Selection count: Shows the number of selected alerts.
Alerts list: A table listing your organization’s alerts (see Alerts List).

Page-wide Actions Menu

This menu opens with the Actions button at the top right of the Alerting page. It includes:

Export: Prepares a report (notification appears when ready to download).
- Visual report (PDF): See Portal Export Options.
- Data table (CSV): Opens the Export Alerting Data Dialog.
Subscribe: Opens the Subscribe dialog to create an alert subscription. See Subscription Tab UI for details, noting that this dialog also includes the Share, Selected View, and Lookback fields.
Unsubscribe: Opens the Unsubscribe dialog to remove an alert subscription. Select the subscription to unsubscribe from the dropdown and click Unsubscribe.
Note: The Unsubscribe option appears only if you’re subscribed to one or more alert subscriptions.

Export Alerting Data Dialog

The Export Alerting Data dialog appears when you select Actions » Export » Data Table on the Alerting page. It has the following UI elements:

Columns to Export: Choose the columns to export to the CSV file (currently visible columns or all columns).
Data To Export: Select the rows to export to the CSV file (currently loaded rows or the first 200, 500, 1000, or 2000 rows).
Export (button): Closes the dialog and starts the alerting data export.
Note: A notification appears at the top of your screen when the report is ready to download.

Alerting Breakdowns

Cards across the page display bar charts representing a different breakdown of alerts over the selected Time Range (see Filter Categories). Hovering on any bar opens a popup showing the kind and count of alerts. Clicking any bar adds a corresponding filter lozenge to the Search field (see Alerting Page UI), showing only alerts matching the clicked state, severity, type, or policy.

Notes: Adding a breakdown filter:
Replaces any existing breakdown filter.
Can change the Filters pane settings, which won’t revert when the breakdown filter is removed.

*Bar charts show the breakdown of different kinds of alerts in various categories.*

Each category has a breakdown chart with bars representing various alert properties:

State: Red bars represent active alerts, green bars represent cleared alerts.
Severity: Bars represent alerts by their severity level (see General Threshold Settings):
- Critical (dark purple)
- Severe (plum)
- Major (red)
- Warning (orange)
- Minor (yellow)
Type: Bars represent alerts by type: Protect, Cloud, Traffic, or NMS.
Policies: Bars represent individual policies that triggered during the selected time range, arranged in descending order based on alert count. Hover on a bar to view the name, type, ID, and alert count for the policy.

Alerts List Filters

Use the Filters pane to filter the alerts listed on the Alerting page.

Alert Filters Pane

The Filters pane at the left of the Alerts list includes filters to narrow the list based on the Filter Application Rules. It has the following general controls:

Reset to default (button): Resets the Filters pane to its default settings (only available when filters are specified).
Collapse (button): Collapses the Filters pane. Expand it by clicking the funnel icon (see Alerting Page UI).

The pane also includes controls that apply/remove filters in various Filter Categories to narrow the list of alerts.

Note: All filters from a category are combined into a single lozenge in the Search field. Click the X in the lozenge to remove all filters from that category.

Filter Categories

Filter criteria for the Alerts list fall into the following categories:

Time Range: Specify a time range for the listed alerts (see Time Range Filter).
Type (checkboxes): Filter alerts by type (NMS, Traffic, Cloud, or Protect; see Policy Types).
Alert State (checkboxes): Filter alerts by Alert State (Active or Cleared).
Ack State (checkboxes): Filter alerts by Ack State (Ack Required, Acked, Not Acked, or Acked by Me).
Severity (checkboxes): Filter alerts by severity (Critical, Severe, Major, Warning, or Minor), as determined by the alert policy threshold that triggered the alert.
Alert ID (text field): Filter alerts by Kentik-assigned ID number (no partial matches).
Sites (selection field): Include only alerts for the selected sites.
Policies (selection field): Include only alerts for the selected policies.
Show Tenant Alerts: When enabled:
- Allows My Kentik Portal tenant alerts to be displayed in the Alerts list.
- Displays the Tenants selection field.
  Note: To show tenant alerts, click Customize at the top right of the Alerts list to display the Customize Columns Popup and select Tenant.
Tenants (selection field): Include only alerts for the selected tenants (active only when Show Tenant Alerts is enabled).
Dimension Value (text field): Include alerts where the dimension in the alert policy matches the entered text (see About Keys).

Filter Application Rules

Kentik applies the following rules to filter categories and criteria:

Alerts are displayed only if they match at least one selected criterion in all selected categories.
Alerts are not evaluated for matches in categories with no selected criteria.

Time Range Filter

The Time Range control filters alerts in the Alerts list to those active within a specified time range (UTC). Options include the last hour, last 8 hours, last 24 hours (default), last 7 days, last 14 days, last 30 days, last 90 days, or a custom time range (see Custom Time Range Settings). Select a time range and click Apply to apply the filter or Cancel to exit without saving.

Note: You can change the start and end time values before applying the filter.

Alerts List

The Alerts list is a filterable table (see Alerts List Filters) that shows information about alerts triggered by your organization's alert policies. Each row represents an alert. Click a row to open the Alert Details Drawer for more details.

*Individual alerts are selected with the checkbox at the left of their row.*

Alerts List Columns

The columns shown in the Alerts list are customizable via the Customize Columns Popup. The available columns are:

Select All (in header row): Click the checkbox to select all alerts. Click it again to deselect all alerts.
Select (in alert rows): Click a checkbox to select individual alerts. Once alerts are selected, the Alert Controls appear at the top left of the list.
Alert State: The alert’s current state (see Alert State).
Severity: The severity level (Critical, Severe, Major, Warning, or Minor) as determined by the alert policy threshold.
Type: The alert policy type: Protect, Traffic, Cloud, or NMS (see Policy Types).
Policy: The alert policy name.
Policy ID: The unique policy ID.
Tenant: If enabled, includes alerts from the tenant (see Tenants and Packages). Active only when you enable Show Tenant Alerts in the Alerts List Filters.
Dimensions: The key definition’s dimensions and their values for the keys that triggered the alert (see About Keys and Dimensions Reference). For example, if the key definition is Dest IP, Device the dimensions column might show Dest IP:1.10.1.174 and Device:s414_ida9_nektie_com.
Note: If a dimension value is blue, you can click it to go to its Details page (see Core Details Pages).
Metric: The volume of traffic matching the key (see About Keys). The top-X ranking is based on the volume of matching traffic measured in the primary metric (see Data Funneling).
Mitigation ID: The unique mitigation ID. Click to open the Mitigations page in a new tab, filtered for that ID.
Alert ID: The unique alert ID. Click to open the alert’s Alert Details Page in a new tab.
Time: The time of the following (in UTC where applicable):
- Event start time that triggered the alarm state.
- Alert clearance time (if applicable).
- Event duration.
Silence State: Indicates whether the alert’s notifications are paused ("Silenced" plus the expiration date of the pause) or not ("Not Silenced").
Ack State: The alert’s acknowledgement state, e.g., “Ack Required” (see Ack State).
Note: If the state is "Acked," the column also displays the alert’s acknowledgement time and user.
Action menu: A vertical dots icon at the right of each alert row, which opens a menu for actions to take on that alert (see Alert-specific Actions).

Note: Alert policies don't generate alerts when in error states. If you don’t see alerts when expected, check the Policy Status on the Alert Policies page (see General Policy Settings).

Alert Controls

When one or more alerts are selected, the following controls appear above the Alerts list:

Acknowledge Alert (button): Click to acknowledge that you’ve seen the alert (see Acknowledging Alerts).
Clear Alert (button): Click to change the Alert State from Active to Cleared. You can do this regardless of the alert’s Ack State or if the conditions that triggered the alarm are still present.

Note: Either button may be greyed out if the selected alerts have already been acknowledged and/or cleared.

Customize Columns Popup

Choose up to 11 columns to include in the Alerts list using the Customize Columns popup. To access, click the Customize button at the top right of the list.

The popup includes the following UI elements:

Choose columns: Check the boxes next to the columns to include them in the table.
Order columns: Drag the handles next to the checkboxes to reorder the columns.

When finished, click outside to close the popup and return to the Alerts list.

Alert-specific Actions

Actions can be applied to an individual alert from the following locations:

Action menu: In the Alerts List, click the vertical dots icon for an alert to open a list of actions.
Take Action: Buttons that appear in the following areas of the portal:

Available Actions

Available actions vary depending on the alert’s state or your location in the portal, and may include:

View Details: Opens the alert’s Alert Details Page in a new tab.
Ack Alert: Opens the Acknowledge Alert Dialog to confirm you’ve seen the alert.
Remove Ack: Change the ack state back to “Not Acked” or “Ack Required” (as per alert policy).
Clear Alert (Take Action section only): Manually change Alert State from “Active” to “Cleared”, regardless of Ack State or trigger conditions being met.
Silence Notifications: Pause alert notifications for seven days.
Unsilence Notifications: Lift the pause on alert notifications.
Suppress Alert: Clear the alert and prevent policy from alerting on same key for seven days (see About Alert Suppressions).
Add Comment (Action menu only): Add alert comment (see Alert Comments).
Note: A Comments field appears above the Take Action section in all other areas.
Open Dashboard: Go to the dashboard specified the in Policy Dashboard setting (see General Policy Settings).
Edit Policy (Take Action section only): Go to the Edit Policy page for the alert policy (see Policy Settings Pages).
Debug Alert: Open the Alert Debug Dialog for this alert.

Alert State

There are two possible states for alerts in Kentik:

Active: The alert conditions are still present; displayed as a red lozenge.
Cleared: The alert has been manually cleared or the conditions are no longer present; displayed as a green lozenge.

Note: You can narrow the Alerts list based on state using the Alert State filters (see Alerts List Filters).

Ack State

Any alert can be acknowledged ("acked") by users with access to Kentik’s Alerting or DDoS Defense pages. The following alert ack states are available:

Ack Required: The alert requires acknowledgement and hasn’t been acknowledged.
Acked: The alert has been acknowledged.
Not Acked: The alert hasn’t been acknowledged.
Acked by Me (Filters pane only): Filters the Alerts list for alerts you’ve acknowledged.

Alert ack state is available in the following places in the Kentik portal:

Alerting Page:
- Alerts List: Ack State column
- Alert Details Drawer: Alert Overview section
- Alert Details Page Sidebar: Alert Overview section
DDoS Defense Page:
- “Attacks Active Within the Last 24 Hours” table

Alert Comments

When acknowledging an alert in the Acknowledge Alert Dialog, you can add a comment visible by other users.

All Alerts: Alert comments appear in the Alert Details Drawer and Alert Details Page Sidebar:
- Ack statement: The comment appears under the traffic chart, along with the user name who acked the alert.
- Comments pane: Comments are displayed as cards in chronological order. You can add another comment in the Comment field below any existing comments (see Comments Pane).
Auto-acknowledged Alerts Only: Alert comments also appear in the Auto-acknowledgements Page.

Note: For step-by-step procedures, see Add an Alert Comment, Edit an Alert Comment, and Remove an Alert Comment.

Acknowledge Alert Dialog

Access the Acknowledge Alert dialog from these portal locations:

Click Acknowledge Alert above the Alerts list (see Alert Controls).
Choose Ack Alert from the Action menu at the right of each Alerts list row (see Alert-specific Actions).
Click Ack Alert in the Take Action pane of the Alert Details Drawer.
Click Ack Alert in the Alert Details Page Sidebar.

Ack Alert Dialog UI

The Acknowledge Alert dialog has the following UI elements:

Cancel (buttons): Click the X at top right or Cancel at bottom to close the dialog without acknowledging the alert.
Acknowledgement info: A statement identifying you as the person that acknowledged the alert (see Acknowledging Alerts).
Comment: A field to input a comment for the alert (see Alert Comments).
Acknowledge additional occurrences (auto-ack): A checkbox to enable auto-acknowledgement for this alert. When checked, the Duration controls are shown.
Silence notifications for this alert: A checkbox to silence notifications for this alert for the specified duration (see Silence Alert Notifications). When checked, the Duration controls are shown.
Note: This option is not active when the alert has already been silenced.
Duration: Specify a duration for auto-acknowledgement and/or silencing notifications. The method is chosen by radio button:
- For: Specify a duration forward from the present in either hours or days (whole numbers only).
  - Hours: The duration must be between 1 and 24 hours.
  - Days: The duration must be between 0 and 7 days for Member-level users, or up to 365 days for Admin-level users.
- Until: Specify a future date-time at which the duration will expire.
  - Click the field to open the calendar.
  - Enter a date-time at least 1 hour and up to 7 days from the present for Member-level users, or up to 365 days for admin-level users.
Confirm: Click to acknowledge the alert, save changes, and exit the dialog.

Note: You cannot set separate time durations for the “auto-ack” and “silence” features. The selected duration applies to both.

Acknowledging Alerts

Acknowledging alerts informs other users that you are aware of them. When you acknowledge (ack) an alert, your Full Name from your user profile (see General Settings) appears with ack state “Acked” in these locations of the portal:

Alerting Page: Ack State column of Alerts list. In Details drawer.
DDoS Defense Page: Ack State column of Attack table. In Details drawer.
Alert Details Page: Ack State column of Alert Overview sidebar.

You can acknowledge an alert type (Protect, Cloud, Traffic, NMS) regardless of Acknowledgement Required being enabled in the policy threshold. Each alert can be acknowledged by one user at a time, but if removed (see Remove an Alert Ack) another user can acknowledge the same alert (see Acknowledge an Alert).

Auto-acknowledgement

Auto-acknowledgement allows you to set a duration for automatic acknowledgement of all instances of a given alert (triggered by a policy threshold and based on the same key). The minimum duration is one hour, and the maximum is seven days for member-level users or one year for admin-level users. The duration is set when you Auto-acknowledge an Alert and can be managed on the Auto-acknowledgements page.

Silence Notifications

To silence notifications for a given alert for seven days, click Silence Notifications in one of the following locations:

Alerting Page:
- In the Alert-specific Actions menu for the alert.
- In the Alert Details Drawer, under Take Action.
Alert Details Page:
- Under Take Action.

You can also silence an alert’s notifications for a custom duration when you acknowledge the alert (see Custom Silence Alert).

Alert Debug Dialog

The Alert Debug dialog provides context to understand why an alert was triggered by a policy threshold (see About Alert Thresholds). Accessible to all user levels, alert types, and states, it’s accessed via the Debug Alert button (see Alert-specific Actions).

Debug Dialog UI

The Debug Alert dialog includes the following UI elements:

Title bar: Displays “Debug [policy type] Alert,” where policy type is Protect, Traffic, Cloud, or NMS.
Close: Click the X in the upper right to close the dialog.
Policy: The policy name that triggered the alert (top left).
Alert ID: The unique alert ID (top right).
Alert triggers: The dimensions that triggered the alert, e.g. Dest IP (see Alert Details Drawer).
Lookback: Use the dropdown to adjust the time range back from the present (between 30 minutes and 15 days).
Note: If the alert was triggered before the start of the selected time range, the start of the range will be adjusted to include the start of the alert.
Graph: A dot chart covering the selected Lookback range, with plots as listed in Debug Graph.

Debug Graph

The Debug graph is a dot plot for alert data. Hover over a dot to open a popup with a timestamp and additional information, or dim all dots of a different type (e.g., baseline dots dim when hovering over a match).

Dots representing alert-related events are plotted against the Lookback time range. The chart includes:

Time: Horizontal axis showing the time range set with the Lookback control (see Debug Dialog UI).
Values: Vertical axis with measurement and units determined by the policy dimensions and metrics.
Triggering event: Vertical red line showing the alert trigger time.
Matches: Purple dots representing matches between the evaluated traffic and policy thresholds (see About Matches).
Baseline: Brown dots representing baseline values, if baselining is enabled (see Policy Baseline Settings).
Baseline Fallback: Green dots representing fallback baseline values if baselining is enabled but no baseline exists (see Threshold Configuration).
Static Threshold: Horizontal red dashed line representing the policy’s static threshold (see Threshold Conditions).
Policy Min Traffic: Horizontal purple line representing the minimum traffic threshold (see Building Your Dataset). Keys with traffic below this amount won't be plotted.
Legend: Combinations of dots and labels showing data types and their colors. Hover over a combination to dim all other data types, or click a combination to dim plots of that type.

Alert Details Drawer

The Alert Details drawer slides out from the right of the Alerting page when you click anywhere in the Alerts List row for an alert.

Alert Details Drawer UI

The information in the drawer varies depending on the alert type and available information:

Policy: The name of the alert policy that triggered the alert (see Alert Policies).
View in Metrics Explorer (NMS only): Opens Metrics Explorer with the alert policy’s settings pre-populated in the Query sidebar.
Lookback (NMS alerts only): A dropdown to set the visualization time range.
- Options: Alert +/- 1 hour (default), Alert +/- 24 hours, Last hour, Last day, Last 7 days, Last 14 days, and Last 30 days.
- The graph shows between 1 and 24 hours before the alert was triggered until the current time.
Visualization: A visualization is available for most alerts, appropriate to the alert type:
- Threshold alerts: A traffic representation with context (baseline and thresholds) for why the alert triggered.
- NMS alerts: An Up/Down Visualization.
Ack statement: Displays who acked the alert and at what time. If a comment was added, it will display here in addition to in the Comments Pane.
Alert Overview: Displays key alert information (see Alert Overview).
Target (not present for NMS alerts): Shows the key dimension (target) that matched the threshold conditions, along with the values, from the Dimensions and Metric columns of the Alerts list (plus any secondary metrics).
Triggering Event: The alert policy conditions that triggered the alert (see Triggering Event).
Triggered Threshold: A summary of the policy’s Triggered Threshold, including dimensions, primary and secondary metrics, conditions, and activation/clearance times.
Mitigation Details: Information about automatically triggered the mitigations (if defined by the alert policy) including ID, start date/time, platform, and method.
Comments: A field to add comments and view Alert Comments already added (see Comments Pane).
Take Action: Buttons for additional alert-related actions (see Alert-specific Actions).
Warning: If the policy has changed since alert activation, a sidebar warning might appear in the affected sections.

Alert Overview

The Alert Overview section in the Details drawer offers the following information:

ID: The system-generated unique ID for the alert. Click it to open the Alert Details Page in a new tab.
Severity: The alert’s severity level (Critical, Severe, Major, Warning, or Minor). Severity is determined by the alert policy threshold that triggered the alert.
Alert State: The state of the alert (Active or Cleared). See Alert State.
Ack State: The acknowledgement state of the alert (Ack Required, Acked, or Not Acked). See Ack State.
Start Time: The start of the period evaluated for the alert.
Event End Time: The end of the period evaluated for the alert, calculated based on the counter reset time on the policy for threshold alerts.
Clear Time: The end of the period evaluated for the alert or "Currently Active" if the alert is ongoing.

Triggering Event

The Triggering Event section in the Details drawer depends on the alert type.

NMS Triggering Event

An NMS alert’s Triggering Event section provides:

Metrics: The metrics that triggered the alert as displayed in the Metric column (see Alerts List Columns).
Dimensions: The dimensions that triggered the alert as displayed in the Dimensions column (see Alerts List Columns).
Context: The policy’s selected measurement (see Measurement Pane Parameters) and the affected device name (see NMS Device Details Page).

Threshold Triggering Event

A threshold alert’s Triggering Event section shows:

The triggered policy’s Threshold Conditions
The traffic value that triggered the alarm (displayed as a table).

Triggered Threshold

The Triggered Threshold section in the Details drawer provides the following about the policy threshold that triggered the alert (when applicable):

Dimensions: The dimensions used to evaluate traffic for the threshold (see Data Funneling).
Primary and Secondary Metrics: The metrics used to evaluate traffic for the threshold Data Funneling).
Conditions: Match criteria (see Threshold Conditions).
Activates: The required number of matching conditions within the specified time period (see Threshold Frequency).
Clears: Time after which the counter resets if conditions aren’t met (see Threshold Frequency).

Mitigation Details

The Mitigation Details section in the Details drawer provides the following about any mitigations triggered by the policy’s threshold (see Mitigation Overview):

ID: The system-generated unique ID for the mitigation. Click it to open the Mitigations List filtered for this ID.
Started: The date and time the mitigation was initiated.
Platform: The platform on which the mitigation was exec (see Platforms and Methods).
Method: The individual configuration that ran on the mitigation platform (see Platforms and Methods).

Comments Pane

The Comments pane allows you to add and manage comments for a single alert. It’s found in both the Alert Details Drawer and Alert Details Page Sidebar, and includes the following UI elements:

Comment count: The number of comments, in parentheses next to the heading.
Comment card: Each alert comment added shows as a separate card with the following elements:
- Ack statement: Displays the user who acked the alert and when.
- Edit (only for the original commenter): Allows modifying the comment. Click Save to update the comment or Cancel to exit without saving changes.
- Remove (only for the original commenter): Opens a confirmation dialog to remove the selected comment.
- Comment: The original comment.
Add Comment: A field to add a comment to the alert (see Add an Alert Comment).

Take Action Pane

The Take Action pane of the Details drawer is described in Alert-specific Actions.

Alert Details Page

The Alert Details Page shows details about an individual threshold alert.

Note: The NMS Alert Details page is slightly different (see NMS Alert Details Page).

*The Details page for a non-Protect alert*

Alert Details Page Access

Access the Details page for an individual threshold alert from the following locations:

Alerts List: Either:
- Click the alert’s ID in the Alert ID column or;
- Click the vertical dots icon at the right and choose View Alert Details.
Alert Details Drawer (via the Alerting Page or DDoS Defense DDoS Defense Page): Either:
- Click the ID under Alert Overview or;
- Click View Details under Take Action.
DDoS Defense Page (alert type: Protect only): In the “Attacks Active Within the Last 24 Hours” table:
- Click the alert’s ID in the Alert ID column, or;
- Click the vertical dots icon at the right and choose View Details.

Note: Depending on your browser settings, Details pages may open in a new tab or window.

Alert Details Subnav

The subnav of an alert’s Details page includes the following elements:

Breadcrumbs: Indicates your current location within the Kentik portal. Click Alerting to return to the Alerting page.
Share: Opens the Share dialog (see Sharing via the Share Dialog).
Actions: Choose Export from the dropdown to download a visual report (PDF) of the page’s visualizations and tables. A notification appears when the PDF is ready to download.

Alert Details Main Display

The main display area of the Details page for a threshold policy alert has several panes that provide actionable details.

Title Pane

The Title (top-most) pane contains the following information:

Alert name: The alert name, as defined in its policy.
Description: A brief summary of the situation this alert policy addresses.

Threshold Statistics Pane

The Statistics pane illustrating the situation that generated the alert. Its elements vary depending on the alert type and the dimensions in the key definition:

Alert State: The alert state (Cleared or Active) and how long ago it was reached.
Dimensions: The names and values of key dimensions that triggered the alert (e.g., a device and a destination IP address.
Statistics: Statistics illustrating the situation that generated the alert (e.g., baseline flows/s, actual flows/s, and actual Kpackets/s).
Note: Comparison of the actual value to the triggering value is defined in the alert policy. For example, if policy threshold condition is "flows/s value is greater than 200% of baseline" then the statistics will include not only the actual flow/s but also the percent difference to the baseline flows/s.

Threshold Data Pane

The Data pane shows charts and tables for the condition that caused the alert. Its structure depends on the type of alert:

Cloud and traffic alerts: Includes a time series chart of the traffic that caused the alert (displays metrics selected in the policy).
Protect alerts: Six tabs displaying charts and tables showing different aspects of the traffic covered by the alert (see Protect Data Tabs).

For all alerts, the following elements are present:

View in Data Explorer: A link below each chart to Data Explorer, with the alert’s key pre-populated in the Query sidebar.
Why Was This Triggered: A description of the policy threshold conditions and their actual values.
Note: For Protect alerts, this appears on the Insights tab.
History: A table detailing recent or active alerts with matching dimensions. Click the ID column link to go to the alert’s Details page or click Ack Alert to open the Acknowledge Alert Dialog.

Protect Data Tabs

The Data pane on a Protect (DDoS) alert’s Details page displays tabs with different visualizations.

The following tabs are included in the Data pane for a Protect alert:

Alert: A time series chart showing the traffic that triggered the alert (based on volume metrics defined in the policy). Below, it details the trigger conditions and state changes.
Ingress Interfaces: A chart showing traffic volume for the affected interfaces, along with device and site details.
Traffic Patterns: A chart and table characterizing traffic volumes, sources, services, and directionality.
Source Countries: A chart showing unique source IPs of the attack traffic, and a table ranking the corresponding countries.
Source Services: A chart showing originating services for the traffic and a table ranking them.
Packet Size Distribution: A bar chart showing packet sizes, and a table ranking them by traffic volume.

Note: The charts start 30 minutes before the alert's start time and end with the current time (if active) or its end time.

Alert Details Page Sidebar

The right sidebar of an alert’s Details page provides additional details.

Ack statement (if the alert’s been acknowledged): Displays who acked the alert and when. If a comment was added, it’ll display here and in the Comments Pane.
Alert Overview: Key information about the alert (see Details Page Alert Overview).
Mitigation Details: Info about the mitigation automatically triggered by this alert, if defined by the alert policy (see Mitigation Details).
Policy: Information about the alert policy:
- Edit Policy: Links to the Edit Policy page for the alert (see Policy Settings Pages).
- Name: The policy name that triggered the alert (see Alert Policies).
- Last Edited: How long ago the policy was edited.
- Alerts for Policy: The number of alerts generated from this policy in the last 7 days.
Comments: A field to view and add comments (see Comments Pane).
Take Action: Buttons for additional alert-specific actions (see Alert-specific Actions).
Warning: If the policy’s changed since the alert started, a warning appears in the affected sidebar sections.

Notes:
Sidebar info can vary between Protect and non-Protect alerts.
For NMS alerts, see NMS Alert Details Sidebar.

Details Page Alert Overview

The Alert Overview section in the Details page sidebar includes:

Copy Alert ID: Copies the alert’s ID to your clipboard.
ID: The unique alert ID.
Severity: The alert’s severity level (Critical, Severe, Major, Warning, or Minor). Severity is determined by the alert policy threshold that triggered the alert.
Alert State: The alert’s state: Active (red) or Cleared (green). See Alert State.
Ack State: The alert’s acknowledgement state (Ack Required, Acked, or Not Acked). See Ack State.
Start Time: The start of the period evaluated for the alert.
Event End Time: The end of the period evaluated for the alert, calculated based on the counter reset time from the threshold policy settings. Only present when the alert is cleared.
Clear Time: The end of the period evaluated for the alert. Displays “Currently Active” if the alert is ongoing.

NMS Alert Details Page

Access the NMS Alert Details page as described in Alert Details Page Access. While similar to a typical Alert Details Page, there are some differences.

NMS Alert Details Display

The main display area is divided into a set of panes, as described in Alert Details Main Display. Below, we’ll cover the contents of those panes for an NMS alert.

NMS Statistics Pane

The fields across the top of the page provide NMS-specific statistics, including the measurement, metric, and dimensions specified on the policy that generated the alert.

NMS Data Pane

The Data pane shows charts and tables related to the condition that caused the alert, varying by alert type as follows:

NMS Up/Down: Includes an up/down chart that details the alert status over time (see Up/Down Visualization).
NMS Threshold: Includes a line chart detailing the alert’s activity over the time specified in the Lookback dropdown at top right.

The View in Metrics Explorer link above the chart takes you to Metrics Explorer, where the alert policy settings are pre-populated in the Query sidebar. The pane also includes a History table, which details recently-triggered or currently active alerts.

Up/Down Visualization

This time-based chart type displays a series of bars on a horizontal time axis, each representing a segment of the current time range. The color of each bar indicates the state of the policy’s data sources (devices, interfaces, or BGP neighbors) at that point: green = up, red = down, and gray = unknown. Hover over any bar to open a popup displaying the timestamp and state during that segment.

Up/Down visualizations have a Lookback dropdown for choosing the timeframe covered:

NMS Details drawer: Last hour, Last day, Last 7 days, Last 14 days, and Last 30 days.
NMS Details page: Alert +/- 1 hour, Alert +/- 24 hours, Last hour, Last day, Last 7 days, Last 14 days, and Last 30 days.

In the NMS Details drawer, if an event occurred during a segment, its bar will be slightly elevated an icon will appear above it:

Red Bell: An alert was triggered.
Green Checkmark: The alert was cleared (according to policy settings).

NMS Alert Details Sidebar

The right sidebar on the Details page for an NMS alert provides different details than for non-NMS alerts. It includes:

Alert Overview: Information about the alert (see Details Page Alert Overview).
Device: The device being alerted on (if applicable), with various device details including site, model, location, IP address, manufacturer, and serial number.
- View Details: Link to the NMS Device Details Page for that device.
Policy: Info about the alert policy:
- Edit Policy: Links to the alert’s Edit Policy page (see Policy Settings Pages).
- Name: The policy name that triggered the alert (see Alert Policies).
- Last Edited: How long ago the policy was edited.
- Alerts for Policy: The number of alerts generated from this policy in the last 7 days.
Take Action: Buttons for additional alert-related actions (see Alert-specific Actions).
Comments: A field to view and add comments (see Comments Pane).
Warning: If the policy’s changed since the alert started, a warning appears in the affected sidebar sections.

© 2014-25 Kentik