Violation event attributes

A condition opening an incident generates an event, which passes important information downstream.

For more about the definition of violations and other terms, see alerts concepts.

What is a violation event?

The violation of a condition generates a violation event. This event has various attributes (metadata) attached to it and different attributes can be used by different features.

Important

The violation event is a concept used to determine alerting features. While you can query some of its associated attributes via NerdGraph, you cannot directly query the violation event.

This table shows violation event attributes. The violation event data type is collected in NrAiIncident.

You may be wondering why we're using NrAiIncident as the name for the violation event data type. Although we currently refer to these events as "violations," they'll be called "incidents" in our new, upcoming naming scheme. This name prepares for and reflects our future intentions.

All attributes are available for use in a description. Read about attributes available for muting rules.

Attribute	Description
`accountId`	The ID of the account where the violation occurred. Available for muting rules.
`aggregationDuration`	The active condition's aggregation window.
`closeCause`	If applicable, what caused the incident to close. Available values: `CONDITION_DELETED`, `POLICY_DELETED`, `EVALUATOR`, `EXPIRED`, `CONDITION_MODIFIED`, `LOSS_OF_SIGNAL`, `USER`, `TARGET_REMOVED`, `INCIDENT_WORKFLOW_INTEGRATION`, and `CONDITION_DISABLED`.
`closeTime`	If applicable, the timestamp when the incident was closed.
`closeViolationsOnExpiration`	If true, open violations on the signal are closed if the signal is lost. Default is false. To use this field, an `expirationDuration` must be specified.
`conditionId`	The ID of the condition that triggered the violation. Available for muting rules.
`conditionName`	The name of the condition that triggered the violation. Available for muting rules.
`degradationTime`	The timestamp when the targeted metric started to breach the active condition’s threshold.
`description`	The contents of the active condition’s `Violation Description` field. NRQL or Infrastructure conditions only.
`entity.guid`	The targeted entity's globally unique identifier, if available. Available for muting rules.
`entity.name`	The targeted entity's name, if available.
`entity.type`	The targeted entity's type, if available.
`evaluationOffsetSeconds`	The active condition's evaluation offset. A time delay (in seconds) to ensure data points are placed in the correct aggregation window. If you use the Delay/timer setting in the UI, it clears `evaluationOffsetSeconds` and uses Delay/timer instead.
`evaluationType`	The reason the violation was opened. Available values: `Threshold` (the condition threshold was breached) `Expiration` (the entity's signal was lost)
`event`	The record's event type. Available values: `Open` and `Close`.
`expirationDuration`	The active condition's signal loss time window.
`incidentID`	The unique identifier of the violation.
`muted`	Shows whether the active condition was muted at the time of the violation event.
`mutingRuleID`	The unqiue identifier of the muting rule that caused the violation to be muted.
`nrqlEventType`	The type of data targeted by a NRQL condition. In this context, this refers to any NRQL-queryable data type. Available for muting rules.
`nrqlQuery`	The full string of the NRQL query. Can be used for sub-string matching on attributes in the `WHERE` clause. Available for muting rules.
`openTime`	The timestamp when the violation was opened.
`operator`	The violation threshold's operator, such as `=`, `<`, or `>`. For signal loss violations, this is an empty string.
`policyId`	The ID of the policy that triggered the violation. Available for muting rules.
`policyName`	The name of the policy that triggered the violation. Available for muting rules.
`priority`	The level of the violation: `warning` or `critical`.
`recoveryTime`	The timestamp when the active condition's targeted metric stops breaching the threshold.
`runbookUrl`	The runbook URL for the condition that triggered the violation. Available for muting rules.
`tags.*`	Arbitrary key-value metadata, or tags, associated with the violation. `tags.` is the prefix and `*` is the metadata/tag name. For details on how to use this, see the documentation for muting rules or description. Available for muting rules.
`targetName`	The name of the violation’s target. This can be an entity or a query. Available for muting rules.
`threshold`	The active condition's threshold value.
`thresholdDuration`	The active condition's threshold time window.
`thresholdOccurrences`	Shows whether `for at least` or `at least once in` occurrence values are being used in the active condition's threshold. Available values: `all` or `any`.
`timestamp`	The event's wall clock time using an epoch timestamp.
`title`	The incident's title.
`type`	The incident's type. Available value: `Incident`.
`valueFunction`	The active condition's aggregation function. Used in APM, browser, and mobile alert condition types.
`violationTimeLimitSeconds`	The active condition's violation time limit setting.
violationUuId	Deprecated. Do not use.