Search queries for alerts

Watch Searching Alerts Within Opsgenie on Youtube for a helpful explanation of searching alerts within Opsgenie.

Fields

You can use field:value combination with most of alert fields.

Condition	Description
createdAt : 1470394841148	Unix timestamp in milliseconds format. (1470394841148 -> Fri, 05 Aug 2016 11:00:41.148 GMT)
createdAt : 15-05-2020	DD-MM-YYYY time format.
lastOccurredAt : 1470394841148	Unix timestamp in milliseconds format. (1470394841148 -> Fri, 05 Aug 2016 11:00:41.148 GMT)
snoozedUntil : 1470394841148	Unix timestamp in milliseconds format. (1470394841148 -> Fri, 05 Aug 2016 11:00:41.148 GMT)
alertId : b9a2fb13-1b76-4b41-be28-eed2c61978fa	Id of the alert.
tinyId : 28	Short id assigned to the alert. Be careful, using this field is not recommended because it rolls.
alias : host_down	Alias of the alert to be retrieved. Using alias will only retrieve an open alert with that alias if it exists.
count : 5	If any source attempts to create a new alert where there is an open alert with the given alias, the count value of the open alert will be increased by one instead of creating another alert.
message : Server apollo average	string
description : Monitoring tool is reporting that the	string
source : john.smith@opsgenie.com	string
entity : entity1	string
status : open	open \| closed
owner : john.smith@opsgenie.com	Opsgenie Username
acknowledgedBy : john.smith@opsgenie.com	Opsgenie Username
closedBy: john.smith@opsgenie.com	Opsgenie Username
recipients : john.smith@opsgenie.com	Opsgenie Username
isSeen : true	true \| false
acknowledged : true	true \| false
snoozed : false	true \| false
teams : team1	Name of the team.
integration.name : "API Integration"	Name of the integration.
integration.type : API	Type of the integration.
tag : EC2	string
actions : start	string
details.key : Impact	string
details.value : External	string

Condition Operators

In addition of : exact match operator; you can also use <, <=, > and >= operators.

Examples
count > 5
count <= 4
lastOccurredAt < 1470394841148

Logical Operators

Combine multiple value(s) by using AND and OR operators. Just don't forget to wrap them with ( ) parentheses.

Example	Description
message: (lorem OR ipsum)	message field contains "lorem" or "ipsum"
description: (lorem AND ipsum)	description field contains both "lorem" and "ipsum"

Also you can combine multiple condition(s) by using AND and OR operators.

Examples
message: lorem AND count >= 3
message: (lorem OR ipsum) AND count >= 3
status: open AND (count >= 3 OR entity:lipsum) Expand

Use the NOT search query to disqualify search results for a certain value.

Examples	Description
NOT message: lorem	message field does not contain lorem
NOT status: open	status of alert results are not open, i.e, closed or resolved

Asterisk (*) Wildcard Usage

Asterisk character can be used as a substitute for any of a class of characters in a search. It is often used in place of when you do not know what the real character is or you do not want to type the entire name. If you are looking for an alert that you know "message" field starts with "lorem" but you cannot remember the rest of the field, type the following:

Examples
message: lorem*
lorem*

Wildcards are not supported for teams and users. This means that you can't use an asterisk (*) while searching alerts with a team name or user name. Enter the full name of your team or user to get the correct results.

Null Queries

Null queries can be used to list alerts which contain, or do not contain, a field. Please note that, a field is considered null, if it is not set or if it is blank.

Null query supported fields: source, entity, tag, actions, owner, teams, acknowledgedBy, closedBy, recipients, details.key, details.value, integration.name, integration.type.

Examples
owner : null
teams is null
details.key is not null
tag !: null

Last modified on Mar 29, 2021

Cached at 6:49 AM on Apr 12, 2021 |

Was this helpful?

It wasn't accurate

It wasn't clear

It wasn't relevant

Additional Help

Ask the Community