Search Alerts

The Alert Browser provides powerful search capabilities to help you quickly find specific alerts using both OPSQL (OpsRamp Query Language) and filter-based searches.

Search Methods

OPSQL Search

OPSQL is OpsRamp’s query language for complex, structured searches across alert data.

Basic OPSQL Syntax

field operator "value"

Common OPSQL Operators

  • = : Equals
  • != : Not equals
  • > : Greater than
  • < : Less than
  • >= : Greater than or equal
  • <= : Less than or equal
  • LIKE : Pattern matching (use % as wildcard)
  • IN : Match any value in a list
  • AND : Combine conditions (both must be true)
  • OR : Combine conditions (either can be true)

OPSQL Examples

Find critical alerts:

severity = "Critical"

Find alerts created on or after a given time (for the last 24 hours, substitute the timestamp from 24 hours ago):

createdTime >= "2024-01-01T00:00:00Z"

Find alerts for specific resource:

resourceName LIKE "%database%"

Complex query with multiple conditions:

severity IN ("Critical", "Major") AND 
status = "Open" AND 
createdTime >= "2024-01-01T00:00:00Z"

Find alerts by source:

source = "Nagios" OR source = "Zabbix"
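To make the syntax and operator precedence above concrete, here is an added example (written for this page, not OpsRamp code) of a small evaluator for the OPSQL subset documented here: comparison operators, LIKE with % as the wildcard, IN lists, AND binding tighter than OR, and parentheses. The alert records and field names are constructed for the example; how OpsRamp itself parses or indexes OPSQL is not something this page states.

```python
import re

FIELDS = ("id", "severity", "status", "resourceName", "source", "createdTime", "escalationLevel")
ALERTS = [dict(zip(FIELDS, row)) for row in (   # constructed sample alerts, not real OpsRamp data
    (1, "Critical", "Open", "prod-database-01", "Nagios", "2024-01-02T08:15:00Z", 1),
    (2, "Major", "Acknowledged", "prod-web-03", "Zabbix", "2024-01-01T23:00:00Z", 0),
    (3, "Warning", "Open", "dev-database-02", "Nagios", "2023-12-31T10:00:00Z", 0),
    (4, "Critical", "Closed", "prod-cache-01", "Zabbix", "2024-01-03T01:30:00Z", 2),
)]

TOKEN_RE = re.compile(                        # longer operators first so ">=" is not read as ">" then "="
    r'(?P<op>>=|<=|!=|=|>|<)|(?P<str>"[^"]*")|(?P<num>\d+(?:\.\d+)?)'
    r'|(?P<word>[A-Za-z_][A-Za-z0-9_]*)|(?P<punct>[(),])|(?P<ws>\s+)')

def tokenize(query):                          # -> [(kind, text), ..., ("end", "")]
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:                             # any character outside the grammar is a syntax error
            raise SyntaxError(f"unexpected character at offset {pos}: {query[pos:pos + 10]!r}")
        pos, kind, text = m.end(), m.lastgroup, m.group()
        if kind == "word" and text.upper() in {"AND", "OR", "IN", "LIKE"}:
            kind, text = "kw", text.upper()   # keywords are case-insensitive; normalise them
        if kind != "ws":
            tokens.append((kind, text))
    return tokens + [("end", "")]

class Parser:                                 # recursive descent: OR binds loosest, AND tighter, parentheses override
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def accept(self, kind, text=None):        # consume the next token only if it matches
        k, t = self.peek()
        if k == kind and (text is None or t == text):
            self.i += 1
            return True
        return False
    def take(self, kind, text=None):          # like accept, but a mismatch is a syntax error
        if not self.accept(kind, text):
            raise SyntaxError(f"expected {text or kind}, got {self.peek()[1]!r}")
        return self.toks[self.i - 1][1]
    def expr(self):                           # expr := term (OR term)*
        left = self.term()
        while self.accept("kw", "OR"):
            left = ("or", left, self.term())
        return left
    def term(self):                           # term := factor (AND factor)*
        left = self.factor()
        while self.accept("kw", "AND"):
            left = ("and", left, self.factor())
        return left
    def factor(self):                         # "(" expr ")" | field IN (v, ...) | field LIKE v | field op v
        if self.accept("punct", "("):
            node = self.expr()
            self.take("punct", ")")
            return node
        field = self.take("word")
        if self.accept("kw", "IN"):
            self.take("punct", "(")
            values = [self.value()]
            while self.accept("punct", ","):
                values.append(self.value())
            self.take("punct", ")")
            return ("in", field, values)
        if self.accept("kw", "LIKE"):
            return ("like", field, self.value())
        return ("cmp", self.take("op"), field, self.value())
    def value(self):                          # a quoted string (quotes stripped) or a bare number
        k, t = self.peek()
        if not (self.accept("str") or self.accept("num")):
            raise SyntaxError(f"expected a quoted string or number, got {t!r}")
        return t[1:-1] if k == "str" else (float(t) if "." in t else int(t))

def like(text, pattern):                      # % is the only wildcard; everything else matches literally
    return re.fullmatch(".*".join(map(re.escape, pattern.split("%"))), text, re.DOTALL) is not None

def evaluate(node, alert):
    kind = node[0]
    if kind in ("and", "or"):
        combine = all if kind == "and" else any
        return combine(evaluate(child, alert) for child in node[1:])
    if kind == "in":
        return alert.get(node[1]) in node[2]
    if kind == "like":
        return like(str(alert.get(node[1], "")), node[2])
    _, op, field, value = node
    actual = alert.get(field)
    if actual is None or isinstance(actual, (int, float)) != isinstance(value, (int, float)):
        return False                          # missing field, or string compared with number: never matches
    # strings (including ISO-8601 UTC timestamps of equal layout) and numbers both order correctly
    return {"=": actual == value, "!=": actual != value, ">": actual > value,
            "<": actual < value, ">=": actual >= value, "<=": actual <= value}[op]

def search(query, alerts=ALERTS):             # ids of matching alerts; SyntaxError on a malformed query
    parser = Parser(tokenize(query))
    tree = parser.expr()
    parser.take("end")                        # leftover tokens mean the query did not parse completely
    return [a["id"] for a in alerts if evaluate(tree, a)]
```

Running `search('status = "Open" AND severity IN ("Critical", "Major")')` against the sample alerts returns only alert 1; a query with an unquoted string value, such as `severity = Critical`, raises `SyntaxError`, which is the failure the troubleshooting section at the end of this page describes.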

Filter-Based Search

The filter panel provides an intuitive interface for building searches without writing OPSQL.

Available Filters

Status Filters:

  • Open
  • Acknowledged
  • Suppressed
  • Closed

Severity Filters:

  • Critical
  • Major
  • Minor
  • Warning
  • Info

Time Range Filters:

  • Last 15 minutes
  • Last hour
  • Last 4 hours
  • Last 24 hours
  • Last 7 days
  • Custom range

Resource Filters:

  • Resource name
  • Resource type
  • Resource group
  • Location

Source Filters:

  • Monitoring tool
  • Integration name
  • Collection method

Using Filters

  1. Single Filter: Select one or more values from any filter category
  2. Multiple Filters: Combine filters from different categories (AND logic)
  3. Clear Filters: Use “Clear All” to remove all applied filters
  4. Save Filters: Save frequently used filter combinations
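The filter panel combines categories with AND logic and turns time-range presets into bounds on createdTime. The following added example (not OpsRamp's code) shows that translation in Python: selected filter values become an OPSQL clause per category, a preset such as "Last 24 hours" becomes an ISO-format createdTime lower bound, and the clauses are joined with AND. The mapping of filter categories to field names and of preset labels to look-back windows is assumed for the example; the field names themselves come from this page's queries.

```python
from datetime import datetime, timedelta, timezone

# Time-range presets from the filter panel as look-back windows. The labels are the page's;
# mapping them to windows is this example's assumption.
TIME_PRESETS = {
    "Last 15 minutes": timedelta(minutes=15),
    "Last hour": timedelta(hours=1),
    "Last 4 hours": timedelta(hours=4),
    "Last 24 hours": timedelta(hours=24),
    "Last 7 days": timedelta(days=7),
}

# Filter categories mapped to OPSQL field names. The field names appear in the page's examples;
# the mapping itself is assumed.
FIELD_FOR = {
    "Status": "status",
    "Severity": "severity",
    "Resource name": "resourceName",
    "Resource group": "resourceGroup",
    "Monitoring tool": "source",
}

# A fixed clock so the generated queries are reproducible (constructed value).
FIXED_NOW = datetime(2024, 1, 2, 12, 0, 0, tzinfo=timezone.utc)


def quote(value):
    """Wrap a value in the double quotes OPSQL expects around strings.
    The page documents no escape sequence for an embedded double quote, so rather than guess
    one (and risk emitting a query that means something else) such values are rejected."""
    value = str(value)
    if '"' in value:
        raise ValueError(f"cannot quote value containing a double quote: {value!r}")
    return f'"{value}"'


def iso_utc(moment):
    """Render a timezone-aware datetime in the ISO format the page recommends: YYYY-MM-DDTHH:MM:SSZ."""
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_opsql(filters, time_range=None, now=None):
    """Translate filter-panel selections into one OPSQL query string.

    filters    -- {category: [selected values]}; values within a category are alternatives
                  (a single = or an IN list), and categories are AND-ed together.
    time_range -- a preset label from TIME_PRESETS, or a (start, end) tuple of datetimes
                  for a custom range.
    now        -- injectable clock; defaults to the current UTC time.
    """
    now = now or datetime.now(timezone.utc)
    clauses = []
    for category, values in filters.items():
        field = FIELD_FOR[category]          # KeyError here means an unknown filter category
        if not values:
            continue                         # nothing selected in this category: no constraint
        if len(values) == 1:
            clauses.append(f"{field} = {quote(values[0])}")
        else:
            clauses.append(f"{field} IN ({', '.join(quote(v) for v in values)})")
    if isinstance(time_range, tuple):        # custom range: bound both ends
        start, end = time_range
        clauses.append(f"createdTime >= {quote(iso_utc(start))}")
        clauses.append(f"createdTime <= {quote(iso_utc(end))}")
    elif time_range is not None:             # preset: lower bound only, relative to now
        clauses.append(f"createdTime >= {quote(iso_utc(now - TIME_PRESETS[time_range]))}")
    if not clauses:
        raise ValueError("no filter selected; refusing to build an unbounded query")
    return " AND ".join(clauses)


def on_call_query(now=None):
    """The page's on-call search built from filter selections, with a 24-hour window added."""
    return build_opsql({"Status": ["Open"], "Severity": ["Critical", "Major"]}, "Last 24 hours", now)


if __name__ == "__main__":
    print(on_call_query(FIXED_NOW))
```

With the fixed clock the on-call query comes out as `status = "Open" AND severity IN ("Critical", "Major") AND createdTime >= "2024-01-01T12:00:00Z"`, which is the same shape as the hand-written on-call queries later on this page, but with the time bound the performance tips ask for.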

Advanced Search Features

Saved Searches

Create and save frequently used searches for quick access:

  1. Build your search using OPSQL or filters
  2. Click “Save Search”
  3. Provide a name and description
  4. Access saved searches from the dropdown menu

Search History

The system maintains a history of recent searches:

  • Access via the search history dropdown
  • Rerun previous searches with one click
  • Clear history when needed

Quick Search

Use the quick search bar for simple text-based searches:

  • Searches across alert names, descriptions, and resource names
  • Supports partial matching
  • Ideal for quick lookups

Search Best Practices

1. Start Broad, Then Narrow

Begin with general criteria and add more specific filters:

-- Start with severity
severity = "Critical"

-- Add time range
severity = "Critical" AND createdTime >= "today"

-- Add resource criteria
severity = "Critical" AND createdTime >= "today" AND resourceName LIKE "%web%"

2. Use Time Ranges Effectively

Always include a time range; it bounds the amount of alert data scanned and improves performance:

-- Good: Includes time range
severity = "Critical" AND createdTime >= "2024-01-01"

-- Avoid: No time limits (can be slow)
severity = "Critical"

3. Leverage Pattern Matching

Use wildcards for flexible searching:

-- Find all database-related alerts
resourceName LIKE "%database%" OR alertName LIKE "%database%"

-- Find alerts from specific environment
resourceName LIKE "prod-%"

4. Combine Status and Severity

Focus on actionable alerts:

status = "Open" AND severity IN ("Critical", "Major")

Common Search Scenarios

On-Call Searches

-- High priority open alerts
status = "Open" AND severity IN ("Critical", "Major")

-- Recent critical alerts
severity = "Critical" AND createdTime >= "last_4_hours"

Maintenance Searches

-- Alerts for specific resource group
resourceGroup = "Database Servers"

-- Alerts from specific monitoring tool
source = "Nagios"

Reporting Searches

-- All alerts from last week
createdTime >= "last_7_days"

-- Resolved alerts by team
status = "Closed" AND assignedTeam = "Database Team"

Troubleshooting Searches

-- Alerts for specific application
resourceName LIKE "%myapp%" OR alertName LIKE "%myapp%"

-- Escalated alerts
escalationLevel > 0

Performance Tips

  1. Use Time Ranges: Always include time range filters for better performance
  2. Index-Friendly Fields: Search on indexed fields like severity, status, and createdTime first
  3. Avoid Leading Wildcards: Use name LIKE "value%" instead of name LIKE "%value" (a leading wildcard cannot use an index, so every value has to be scanned)
  4. Limit Results: Use the results limit when exploring large datasets

Troubleshooting Search Issues

No Results Found

  • Check spelling and syntax
  • Verify date formats (use ISO format: YYYY-MM-DDTHH:MM:SSZ)
  • Ensure field names are correct
  • Try broader search criteria

Slow Performance

  • Add time range filters
  • Reduce the number of OR conditions
  • Use more specific criteria
  • Consider using saved searches for complex queries

Syntax Errors

  • Check quotation marks around string values
  • Verify operator syntax
  • Ensure proper parentheses grouping
  • Use the filter interface to build queries, then copy the generated OPSQL

Next Steps