Manage incidents for SQL-based alerting policies

Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

Anincident is a record of when the condition of an alerting policy ismet. Typically, Cloud Monitoring opens an incident and sends anotification when the condition of the alerting policy is met. However,incidents aren't created under the following circumstances:

  • The policy is snoozed or disabled.
  • The number of alerting policies or incidents exceeds existinglimits for alerting.

For each incident, Monitoring creates anIncident details page that lets you manage the incident, andthat reports incident information that can help you troubleshoot thefailure.For example, theIncident details page shows lists of SQL queryresult summaries and related incidents.

This document describes how you can find your incidents. It also describeshow you can use theIncident details page to manageincidents for SQL-based alerting policies,which evaluate the results of a SQL query run against data fromgroups of log entries.

This feature is supported only for Google Cloud projects.ForApp Hubconfigurations, select the App Hub host project or management project.

Before you begin

To get the permissions that you need to view and manage incidents, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, seeManage access to projects, folders, and organizations.

You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

For more information about Cloud Monitoring roles,seeControl access with Identity and Access Management.

View incidents

To view incidents in your project, use the Google Cloud console,the gcloud CLI (Public Preview), or the Monitoring API(Public Preview).

Google Cloud console

To list the incidents in your Google Cloud project, do the following:

  1. In the Google Cloud console, go to the Alerting page:

    Go toAlerting

    If you use the search bar to find this page, then select the result whose subheading isMonitoring.

  2. In the toolbar of the Google Cloud console,select your Google Cloud project. ForApp Hubconfigurations, select the App Hub host project or management project.

    TheAlerting page displays information about your alerting policies,snoozes, and incidents:

    • TheSummary pane lists the number of open incidents.
    • TheIncidents table displays the most recent openincidents. To list the most recent incidents in the table,including those that are closed, clickShow closed incidents.

  3. To view the details of a specific incident, select theincident in the list.

    TheIncident details page opens. For more information abouttheIncident details page, see theInvestigate an incident section of this document.

Find older incidents

TheIncidents table on theAlerting page shows the mostrecent open incidents. To view older incidents, do one of thefollowing:

  • To page through the entries in theIncidents table, click Newer or Older.

  • To open a page that lets you list and filter your incidents, clickSee all incidents. TheIncidents page opens. Fromthat page, do the following:

    • Show all incidents, including closed incidents. To show allincidents, clickShow closed incidents.
    • Filter incidents. For information about adding filters, seeFilter incidents.
    • Acknowledge or close an incident, or snooze its alerting policy.To access these options,click More options in theincident's row, and make a selection from the menu. For moreinformation, seeManage incidents.

Filter incidents

To restrict the incidents that the table shows, add filters. If youadd multiple filters, the table displays only incidents that satisfyall the filters.

To filter the table of incidents, do the following:

  1. On theIncidents page, click Filter table and then select a filterproperty. Filter properties include the following:

    • State of the incident
    • Name of the alerting policy
    • When the incident was opened or closed

  2. Select a value from the secondary menu or enter a value in the filterbar.

    TheIncidents table then lists the filter.

gcloud

You can use the gcloud to get incidents and listincidents.

Get incident

Before using any of the command data below, make the following replacements:

  • ALERT_NAME: The resource name of the alert. For example,projects/my-project/alerts/my-alert-id.

Execute thegcloud alpha monitoring alerts describe command:

Linux, macOS, or Cloud Shell

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running eithergcloud init; orgcloud auth login andgcloud config set project.
gcloudalphamonitoringalertsdescribeALERT_NAME

Windows (PowerShell)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running eithergcloud init; orgcloud auth login andgcloud config set project.
gcloudalphamonitoringalertsdescribeALERT_NAME

Windows (cmd.exe)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running eithergcloud init; orgcloud auth login andgcloud config set project.
gcloudalphamonitoringalertsdescribeALERT_NAME
 The command returns a response with alert details such asalert state, attached labels, and the source alerting policy. Note that the labels in the responseare subject to change while this feature is in preview. Theresponse looks similar to the following:
{  "name": "projects/my-project/alerts/my-alert-id",  "state": "OPEN",  "open_time": "2025-06-11T09:53:46Z",  "resource": {    "type": "sql_alert"  },  "policy": {    "name": "projects/my-project/alertPolicies/POLICY_1",    "displayName": "test-policy"  },  "summaryText": "The row count SQL Condition for \"test-policy\" is above the threshold of 1."}

List incidents

You can list incidents in your project and filter the results usingthe gcloud CLI.

Before using any of the command data below, make the following replacements:

  • PROJECT_ID: The identifier of the project.

Execute thegcloud alpha monitoring alerts list command:

Linux, macOS, or Cloud Shell

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running eithergcloud init; orgcloud auth login andgcloud config set project.
gcloudalphamonitoringalertslist

Windows (PowerShell)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running eithergcloud init; orgcloud auth login andgcloud config set project.
gcloudalphamonitoringalertslist

Windows (cmd.exe)

Note: Ensure you have initialized the Google Cloud CLI with authentication and a project by running eithergcloud init; orgcloud auth login andgcloud config set project.
gcloudalphamonitoringalertslist
 The command returns a response with alert details such asalert state, attached labels, and the source alerting policy. Note that the labels in the responseare subject to change while this feature is in preview. Theresponse looks similar to the following:
{  "alerts": [    {      "name": "projects/my-project/alerts/my-alert-id",      "state": "OPEN",      "open_time": "2025-06-11T09:53:46Z",      "resource": {        "type": "sql_alert"      },      "policy": {        "name": "projects/my-project/alertPolicies/POLICY_1",        "displayName": "test-policy"      },      "summaryText": "The row count SQL Condition for \"test-policy\" is above the threshold of 1."    }  ]}
You can also use the following optional flags to filter, sort, or modify the output:

  • --filter: Provide a filter expression to filter alerts by time or by label. For example, filter by time with--filter='close_time>="2025-09-10T00:00:00Z"', or filter by label with--filter='resource.labels.key="value"'.

  • --sort-by: A comma-separated list of fields to sort the output by. For example,--sort-by=open_time.

  • --uri: Command outputs a list of resource URIs instead of the default output.

  • --limit: Set this flag to2 or greater to limit the number of alerts returned. Don't use this flag in conjunction with the--filter flag.

Monitoring API

You can use the Monitoring API to get incidents and listincidents.

Get incident

To get details on a single incident with the Monitoring API,use thealerts.get method.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: The identifier of the project.
  • ALERT_ID: The ID of the alert.

HTTP method and URL:

GET https://monitoring.googleapis.com/v3/projects/PROJECT_ID/alerts/ALERT_ID

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "x-goog-user-project:PROJECT_ID" \
     "https://monitoring.googleapis.com/v3/projects/PROJECT_ID/alerts/ALERT_ID"

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "x-goog-user-project" = "PROJECT_ID" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://monitoring.googleapis.com/v3/projects/PROJECT_ID/alerts/ALERT_ID" | Select-Object -Expand Content
The command returns a response with alert details such asalert state, attached labels, and the source alerting policy. Note that the labels in the responseare subject to change while this feature is in preview. Theresponse looks similar to the following:
{  "name": "projects/my-project/alerts/my-alert-id",  "state": "OPEN",  "open_time": "2025-06-11T09:53:46Z",  "resource": {    "type": "sql_alert"  },  "policy": {    "name": "projects/my-project/alertPolicies/POLICY_1",    "displayName": "test-policy"  },  "summaryText": "The row count SQL Condition for \"test-policy\" is above the threshold of 1."}

List incidents

To list incidents in your project and filter the results withthe Monitoring API, use thealerts.listmethod.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: The identifier of the project.

HTTP method and URL:

GET https://monitoring.googleapis.com/v3/projects/PROJECT_ID/alerts

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "x-goog-user-project:PROJECT_ID" \
     "https://monitoring.googleapis.com/v3/projects/PROJECT_ID/alerts"

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred"; "x-goog-user-project" = "PROJECT_ID" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://monitoring.googleapis.com/v3/projects/PROJECT_ID/alerts" | Select-Object -Expand Content
The command returns a response with alert details such asalert state, attached labels, and the source alerting policy. Note that the labels in the responseare subject to change while this feature is in preview. Theresponse looks similar to the following:
{  "alerts": [    {      "name": "projects/my-project/alerts/my-alert-id",      "state": "OPEN",      "open_time": "2025-06-11T09:53:46Z",      "resource": {        "type": "sql_alert"      },      "policy": {        "name": "projects/my-project/alertPolicies/POLICY_1",        "displayName": "test-policy"      },      "summaryText": "The row count SQL Condition for \"test-policy\" is above the threshold of 1."    }  ]}
Curl users can add the--data-urlencode flag followed by a filter expression to filteralerts by time or label. See the following examples:

List alerts that were opened in the last hour:

--data-urlencode "filter=(open_time>=\"`date -u -d "1 hour ago" +"%Y-%m-%dT%H:%M:%SZ"`\")"

List & filter alerts that are open from the last day:

--data-urlencode "filter=(open_time>=\"`date -u -d "1 DAY ago" +"%Y-%m-%dT%H:%M:%SZ"`\" AND state=open)"

List & filter alerts that were opened between two periods:

--data-urlencode "filter=(open_time>=\"`date -u -d "2 DAY ago" +"%Y-%m-%dT%H:%M:%SZ"`\" AND open_time<=\"`date -u -d "1 DAY ago" +"%Y-%m-%dT%H:%M:%SZ"`\")"

List & filter alerts by user label. In this example, filter by a user label with the nameapp and the valuemy-gke-app:

--data-urlencode "filter=(policy.user_labels.app=\"my-gke-app\")"
Powershell users can use the following example to add a time-based filter to your requesturl:
$baseUrl = "https://monitoring.googleapis.com/v3/projects/my-project/alerts"$filterValue = (Get-Date).AddHours(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")$filter = 'open_time >= "' + $filterValue + '"'$encodedFilter = [System.Uri]::EscapeDataString($filter)$url = $baseUrl + "?filter=" + $encodedFilter

Note: Incidents aren't always created when a condition is met. For moreinformation, seeIncident isn't created when condition is met.

Investigate an incident

TheIncident details page contains information that may help youidentify the cause of an incident.

Explore query results

TheTotal slot time consumed per day pane shows the amount of timethat your reserved BigQuery slots spent runningthe SQL queries for the alerting policy over the last 24 hours.

TheSQL query results pane shows a list of query result summaries fromeach time Log Analytics ran the SQL query from the alerting policy's condition.By default, the list is filtered to show only queries that matched thecondition of the alerting policy.

  • To view the query and the table of query results from a specific time thatLog Analytics ran the query, click a value from theQuery run timecolumn.
  • To toggle between showing only query results that matched the condition of thealerting policy and all queries that Log Analytics ran from the alerting policy,clickShow only queries matching alert conditions.

View supplementary information

TheDocumentation section shows the documentation template fornotifications that you provided when creating the alerting policy.This information might include a description of what the alertingpolicy monitors as well as tips for mitigation. For more information, seeAnnotate notifications with user-defined documentation.

If you didn't configure documentation for your alerting policy,then theDocumentation pane shows "No documentation is configured."

Explore related incidents

To help you discover underlying issues across your application, you canexplore incidents related to other alerting policy conditions.

TheRelated incidents section shows a list of other incidentsthat were created when the condition of the alerting policy was met.

Manage incidents

Incidents are in one of the following states:

  •  Open: The condition of the SQL-based alerting policy was met, and theincident is still open. If the same condition is met again andthere is already an incident open, then a new incident isn'topened.

  •  Acknowledged:The incident is open and has manually been marked as acknowledged.Typically, this status indicates that the incident is beinginvestigated.

  •  Closed: You have manually closed the incident, or it was automatically closedafter the auto-close period expired.

Acknowledge incidents

We recommend that you mark an incident as acknowledged when you begininvestigating the cause of the incident.

To mark an incident as acknowledged, do the following:

  1. In theIncidents table of theAlerting page,clickSee all incidents.

  2. On theIncidents page, find the incident that you want toacknowledge, and then do one of the following:

    • Click More options and then selectAcknowledge.
    • Open the details page for the incident and then clickAcknowledge incident.

Snooze an alerting policy

To prevent Monitoring from creating incidents and sendingnotifications during a specific time period, snooze the related alerting policy. When you snooze an alerting policy, incidents related to the alertingpolicy remain open but don't cause further notifications. The incidentsclose based on the alerting policy auto-close duration.

To create a snooze for an incident that you are viewing, do the following:

  1. On theIncident details page, clickSnooze Policy.

  2. Select the snooze duration. After you select the snooze duration, the snoozebegins immediately.

You can also snooze an alerting policy from theIncidents page byfinding the incident that you want to snooze, clicking More options, and then selectingSnooze.You can snooze alerting policies during outages to prevent furthernotifications during the troubleshooting process.

Close incidents

You can let Monitoring close an incident for you, oryou can close the incident.

Monitoring automatically closes an incident when theauto-close duration for the alerting policy expires. By default, the auto-closeduration is 7 days. The minimum auto-close durationis 30 minutes.

The auto-close duration specifies the time that must elapse, without a repeatof the cause of the incident, before the incident closes. For thisreason, when an incident is open and its cause reoccurs, theincident can stay open longer than the auto-close duration.

To close an incident, do the following:

  1. In theIncidents table of theAlerting page, clickSee all incidents.

  2. On theIncidents page, find the incident that you want toclose, and then do one of the following:

    • Click View more and then selectClose incident
    • Open theIncident details page for that incidentand then clickClose incident.

If you see the messageUnable to close incident, try again in a fewminutes. You can't close a new incident immediately because the conditionsthat caused the incident are still considered active by the alertingsystem.

Data retention and limits

For information about limits and about the retention period of incidents,seeLimits for alerting.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.