Understanding and Utilizing Opsgenie's Alert Activity Logs

In the realm of Opsgenie, the Alert Activity Log serves as a comprehensive record, detailing every event associated with a specific alert. This log is instrumental in tracing the alert's journey, from its inception to its final routing. Here's a detailed breakdown of the information contained within these logs and how to interpret them for effective incident management.

Components of the Alert Activity Log

The Alert Activity Log encapsulates:

• Notifications dispatched, including the recipient and timestamp.
• Notifications that were suppressed, accompanied by the reasons for suppression.
• The integration responsible for generating the alert, along with the specific action invoked.
• Designated teams to which the alert was directed.
• Global and team-specific policies that were applied.
• Employed routing rules.
• Invoked escalations.

Tracing the Alert's Pathway

The Activity Log is invaluable for retracing the alert's trajectory, encompassing every team, escalation, routing rule, and policy that played a role in its routing. This is particularly beneficial when:

• An anticipated escalation, policy, or routing rule isn't applied. The log can help pinpoint discrepancies, such as a misconfigured policy altering the alert's responder field, leading to unexpected routing.
• Alerts seem to have inappropriate responders. It's advisable to scrutinize the policies to ensure no extraneous responders are being appended or omitted. A frequent oversight involves the removal of the {{responders}} dynamic field, which eliminates all responders associated with the alert.
• A team routing rule directs an alert straight to a schedule, bypassing any set escalations. In such cases, the log might display:

  Added as recipient due to team[support team via routing rule (Default Routing Rule)] >> sch[support team_schedule].

It's imperative to recognize that escalations are invoked only when explicitly referenced by a routing rule. When an escalation is activated, the log will manifest as:

Added as recipient due to team[support team via routing rule (Default Routing Rule)] >> esc[support team_escalation] >> sch[support team_schedule].

Efficiently Navigating the Activity Log

To swiftly locate specific events within the log, utilize the search functionality (CTRL + F) with the following keywords:

• Escalations: “esc”
• Schedules: “sch”
• Policies: “policy/policies”
• Routing Rules: “routing rule”

Troubleshooting with the Activity Log

The Activity Log is the primary resource when notifications appear misdirected. Here are some diagnostic phrases and their implications:

Scenario: A user wasn't alerted.

Search Phrases and Resolutions:

• “is disabled”: Indicates a disabled notification method, escalation, or schedule.
  • Resolution: Enable the pertinent notification method or schedule.
• “user has no active rules”: The targeted user lacks active notification rules.
  • Resolution: Implement or activate notification rules for the user.
• “No on-call user exists”: The routed schedule lacks active users.
  • Resolution: Incorporate users to the specified schedule.
• “does not target anyone”: The routing rule is set to "No One".
  • Resolution: Modify the routing rule to target a user or escalation.
• “Skipped notifying. User has seen this alert”: Notifications cease once a user views an alert.
  • Resolution: Engage with alerts requiring immediate action.

Scenario: Team-based alert policies weren't applied.

Search Phrases and Resolutions:

• “doesn't have an owner team”: The alert lacks an owner team, preventing team-based policy application.
  • Resolution: Assign the integration to a team or include a team in the {{responder}} field within the integration settings.

Conclusion

Opsgenie's Alert Activity Log is an indispensable tool, offering a granular view of alert interactions. By understanding and effectively navigating this log, teams can ensure efficient and accurate incident management, optimizing their response strategies.