Alert Management

The Alert Management page is the central hub for monitoring and responding to network alerts. It provides a real-time overview of alert status across your infrastructure, tools for acknowledging and resolving alerts, a full history of past events, and a pending review queue for alerts configured with manual approval workflows.

To create new alert rules, see Creating Alert Rules.

Summary Tiles

The top of the page displays seven summary tiles providing an at-a-glance view of your alert landscape:

| Tile | Description |
| --- | --- |
| Critical Alerts | Count of currently active alerts with Critical severity. Displayed with a red indicator. |
| Warning Alerts | Count of currently active alerts with Warning severity. Displayed with a yellow indicator. |
| Info Alerts | Count of currently active alerts with Info severity. Displayed with a blue indicator. |
| Acknowledged | Count of active alerts that have been acknowledged by an operator but not yet resolved. Displayed with a green indicator. |
| Active Rules | Count of enabled alert rules, with the total rule count shown below (e.g., "1 Active Rules / 8 total"). |
| 24h Resolved | Count of alerts that were resolved (either automatically or manually) in the last 24 hours. |
| Pending Review | Count of alerts awaiting manual approval before notifications are sent. Only applicable for rules configured with Manual Approval or Manual with Auto-Escalation notification modes. |

Tabs

The page is organized into four tabs: Active Alerts, Alert Rules, Alert History, and Pending Review.


Active Alerts

The default view showing all currently firing alerts. Each alert card displays:

  • Alert name — The rule name that triggered the alert (e.g., "High BPS 192.168.100.132").
  • Severity badge — Color-coded severity label: CRITICAL (red), WARNING (yellow), or INFO (blue).
  • Current value — The current metric value that triggered the alert (e.g., "Current: 1.73 Mbps").
  • Threshold — The configured threshold value (e.g., "Threshold: 100.00 bps").
  • Duration — How long the alert has been active. Shows "Ongoing" for alerts that have not yet resolved, or the total duration for resolved alerts.
  • Timestamp — When the alert first fired (e.g., "1/27/2026, 7:22:43 PM").

Alert Actions

Each active alert has two action buttons on the right:

| Action | Icon | Description |
| --- | --- | --- |
| View | 👁️ | Opens the alert detail view with the full metric history, threshold visualization, and related context. |
| Acknowledge | | Marks the alert as acknowledged, indicating an operator is aware and investigating. Acknowledged alerts remain active but move to the "Acknowledged" count in the summary tiles. |

Severity Filter

Use the Severity dropdown to filter the active alerts list by severity level. Options include All, Critical, Warning, and Info.

Click Refresh to re-fetch the latest alert status.


Alert Rules

The Alert Rules tab lists all configured alert rules (the count is shown in the tab label, e.g., "Alert Rules (8)"). From here you can:

  • View each rule's configuration — metric source, threshold or baseline settings, evaluation parameters, and notification channels.
  • Enable / Disable rules without deleting them. Disabled rules stop evaluating but retain their configuration.
  • Edit a rule to modify thresholds, evaluation settings, filters, or notification channels.
  • Delete rules that are no longer needed.
  • Test a rule to trigger a test alert and verify that notification channels are working correctly.

Click + Create Alert Rule to open the alert builder. See Creating Alert Rules for detailed documentation.


Alert History

The Alert History tab provides a searchable, filterable log of all past alert events — both fired and resolved. Each history entry includes:

  • Alert name and severity — Which rule fired and at what severity.
  • Fired timestamp — When the alert was triggered.
  • Resolved timestamp — When the alert was resolved (automatically or manually).
  • Duration — Total time the alert was active.
  • Peak value — The highest (or lowest, depending on operator) metric value observed during the alert.
  • Resolution type — Whether the alert resolved automatically (metric returned to normal) or was manually resolved by an operator.

Alert History is useful for post-incident review, trend analysis (e.g., "how often does this device hit high CPU?"), and reporting. Historical data is retained indefinitely.


Pending Review

The Pending Review tab shows alerts that are awaiting manual approval before their notifications are sent. This tab is only relevant for rules configured with Manual Approval or Manual with Auto-Escalation notification modes.

For each pending alert, you can:

  • Approve — Send the notification to the configured channels (webhook, Slack, email, syslog).
  • Dismiss — Suppress the notification without sending it. The alert is still recorded in history.
  • Review details — View the full alert context before deciding whether to notify.

For rules using Manual with Auto-Escalation, a countdown shows the remaining time before the notification is automatically sent if no action is taken.

When to Use Pending Review

Manual approval is useful for alerts that may require human judgment before notifying external teams — for example, an AI Analysis alert that flags a potential anomaly you want to verify before paging the on-call engineer, or a baseline deviation alert in a staging environment where deviations are sometimes expected.

Alert Lifecycle

Alerts in WhiteOwl follow a defined lifecycle:

Rule Evaluates → Threshold Breached → Consecutive Breaches Met → Alert Fires
                                                                      │
                                              ┌───────────────────────┤
                                              │                       │
                                         (Automatic)          (Manual Approval)
                                              │                       │
                                      Notification Sent        Pending Review
                                              │                       │
                                              │               Approve / Dismiss
                                              │                       │
                                              ├───────────────────────┘
                                              │
                                        Active Alert
                                              │
                                    ┌─────────┴─────────┐
                                    │                   │
                              Acknowledged        Auto-Resolves
                            (operator action)    (metric returns
                                    │              to normal)
                                    │                   │
                                    └─────────┬─────────┘
                                              │
                                          Resolved
                                              │
                                        Alert History

  • Firing — The alert is active and the metric is currently breaching the threshold.
  • Acknowledged — An operator has seen the alert and is investigating. The alert remains active.
  • Resolved — The metric has returned to within acceptable levels (auto-resolved) or an operator has manually resolved it.
  • Suppressed — While an alert is active for a given rule, duplicate alerts are not created. A new alert instance is only created after the previous one resolves.
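
The lifecycle above, modelled as a small state machine. This is an added example, not WhiteOwl code: the class, field and mode names are assumptions, as is measuring the auto-escalation countdown in evaluation cycles.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:                       # field names are assumptions, not product settings
    threshold: float
    consecutive: int = 3          # breaches required before the alert fires
    mode: str = "automatic"       # or "manual" / "manual_auto_escalation"
    escalate_after: int = 2       # evaluations to wait before auto-sending

@dataclass
class AlertEngine:
    rule: Rule
    breaches: int = 0
    active: "dict | None" = None  # at most one live alert instance per rule
    history: list = field(default_factory=list)

    def evaluate(self, value: float) -> str:
        breached = value > self.rule.threshold
        if self.active is None:
            self.breaches = self.breaches + 1 if breached else 0
            if self.breaches < self.rule.consecutive:
                return "ok"
            notify = "sent" if self.rule.mode == "automatic" else "pending"
            self.active = {"state": "firing", "peak": value, "notify": notify,
                           "countdown": self.rule.escalate_after}
            return "fired"
        if not breached:
            return self.resolve("auto")
        alert = self.active       # still breaching: no duplicate alert is created
        alert["peak"] = max(alert["peak"], value)
        if alert["notify"] == "pending" and self.rule.mode == "manual_auto_escalation":
            alert["countdown"] -= 1
            if alert["countdown"] <= 0:
                alert["notify"] = "sent"   # review window expired, auto-escalate
        return "suppressed"

    def review(self, approve: bool) -> None:
        if self.active and self.active["notify"] == "pending":
            self.active["notify"] = "sent" if approve else "dismissed"

    def acknowledge(self) -> None:
        if self.active:
            self.active["state"] = "acknowledged"   # stays active until resolved

    def resolve(self, how: str = "manual") -> str:
        if self.active is None:
            return "ok"
        self.history.append({**self.active, "state": "resolved", "resolution": how})
        self.active, self.breaches = None, 0
        return "resolved"
```

With a threshold of 100, two consecutive breaches and the `manual_auto_escalation` mode, the constructed samples 150, 90, 150, 160, 170, 180, 50 evaluate to ok, ok, ok, fired, suppressed, suppressed, resolved. The history entry records a peak of 180 and a notification that was sent by the countdown rather than by an operator.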