Getting started with Alerts

Alerts are critical enablers in the proactive journey of IT support teams. They allow teams to detect issues and help them prioritize their efforts to improve the digital employee experience (DEX).

How can alerts help you detect and diagnose issues?

Nexthink Alerts notifies you about issues that require swift action by filtering the noise so you can identify situations that require actual user intervention.

Use alerts to identify situations where something has unexpectedly changed or occurred.

Detecting global issues impacting your environment

Detect issues Nexthink identifies based on the cross-organization statistics that impact your environment with Alerts cloud insights:

Learn about binary reliability and performance, and detect anomalies such as abnormal CPU usage.
Quickly identify impacted binary versions and find the recommended version.

For example, the system triggers an alert when more than 50 devices use a certain binary configuration—binary version on a given operating system version—that consumes more memory than other configurations across many organizations.

Refer to the Alerts overview and Understanding cloud insights documentation to learn how to monitor and use alerts for diagnostic purposes.

Detecting issues impacting single or multiple devices/users

Proactively monitor issues according to your needs, whether at the device level, focusing on a single user or device, or addressing widespread incidents affecting multiple devices or sudden performance degradation.

Detect the number of devices or users with issues

Detect whether a certain number of devices or users experienced an issue.

For example, the system triggers an alert when more than 20 devices had a boot time of over 60 seconds, within the past 24 hours.

Detect frequent issues across devices

Monitor the values of any metric across multiple devices to detect whether an aggregated metric value has breached the defined threshold, or shifts by a specific percentage.

For example, the system triggers an alert when the number of crashes of any binary increases by 100% in relation to a predefined norm, like the average of a metric value over the last 7 days.

Detect a specific device or user with issues

Monitor issues on a single device or for a specific user to subsequently trigger alerts if applicable. Send separate notifications for each device or user.

For example, the system triggers an alert for each device that had at least 2 system crashes within the last 24 hours and creates a ticket in the ITSM software on behalf of the user.

Nexthink limits the total number of objects that trigger the same alert to 500, avoiding alert flooding and keeping the required relevancy of individual alerts.

Refer to the Detecting issues impacting multiple devices and Detecting issues impacting a single device or user documentation for more information.

In addition, review the Alerts FAQ to learn how to investigate devices associated with an existing alert, using NQL.

What is the difference between an alert and a monitor?

An alert is a special type of event triggered when specific conditions are met for the performance metrics of different features of your IT infrastructure, such as system crashes, load times, or failed connections.

The system sends alerts as emails or webhook notifications to inform your IT teams about issues within your organization. Triggered alerts are visualized in the timeline on the Alerts overview page.

A monitor is a component of the Alerts and Diagnostics module that you configure to evaluate metrics against defined conditions, and trigger alerts to identify specific issues.

With monitors, the Nexthink platform offers anomaly detection capabilities for IT environments and allows you to notify users accordingly.

Refer to the Managing Alerts documentation to learn more about monitors, monitor types and monitor creation.

When to use alerts and when to use data exporters?

Use data exporters to report on a large number of objects that meet specific condition criteria expressed with an NQL query, or if you expect that the system might trigger more than 500 alerts at the same time.
Use alerts to detect issues requiring immediate assistance or action. For other reports or events that do not need swift action, such as Report all devices with low disk space, use a Data Exporter.

Additionally, use the data export scheduling option to export data regularly.

What types of alert detection modes are available?

Nexthink alerts detect critical issues based on the following detection modes:

Metric threshold triggers an alert when the value of one or more metrics reaches a user-defined threshold.
Metric change triggers an alert when the value of the metric reaches the reference baseline value as the average of the metric values retrieved over the past 7 days. This option is only available for built-in monitors.
Metric seasonal change triggers an alert when the value of the metric reaches the expected average value of the last 7 days at the same time of the day. The monitor triggers an alert when the value falls outside of the expected range, calculated using standard deviations. This option is only available for built-in monitors.
Global detection triggers an alert when a specified number of devices use a particular binary version or binary configuration that performs worse than other versions or configurations across organizations using Nexthink. Adjust the threshold for this alert within your organization. This option is only available for system monitors.

Refer to the Customizing built-in monitors documentation for more information about detection types.

How does the system trigger and close an alert?

Each NQL query-based monitor evaluates the metric(s) in regular intervals, according to the schedule defined in the specific monitor. During each evaluation it determines whether to trigger a new alert, close the open alert or keep the alert status open.

Triggering alerts

The system triggers the alert when the condition criteria defined in the monitor are breached during scheduled evaluation. Once the system triggers the alert, it remains in an Open state until the metric values stabilize and the alert is closed during one of the subsequent evaluations.

Closing alerts

The system closes the alert when a monitored metric no longer breaches defined conditions.

If the monitor tracks metric threshold, the system closes the alert when a monitored metric no longer breaches the threshold.
If the monitor tracks metric change, the system closes the alert when that metric value drops down to the baseline.

If the monitor query does not return any data during evaluation, the alert automatically closes according to the following rules:

For alerts that track aggregated metrics across multiple devices, the alert closes if there are three consecutive days of no data returned.
For alerts triggered for a single device or user, the alert closes if the monitor query continuously returns no data during the period specified in the during past parameter of the query.

Sending alert notifications

If you have configured notifications for your alert, the system sends them only when the alert is triggered and when the alert is closed.

If the alert was triggered in a previous evaluation and already has an Open status, the system does not send a notification if the metric still meets the detection criteria in the current evaluation.

Refer to the Responding to Alerts documentation to learn how to react and respond to alert notifications.

Granting permissions for Alerts

Refer to the Roles documentation for a detailed description of Permissions, View domain options and Data privacy granularity settings.

To enable proper permissions for Alerts as an administrator:

Select Administration > Roles from the main navigation panel.
Create a New Role or edit an existing role by hovering over it.
In the Permissions section, scroll down to the Alerts section to enable appropriate permissions for the role.

View domain impact on Alerts permissions

The table below shows what users with full and limited view domain access can do, assuming the necessary permissions are enabled.

Permission

Full access

Limited access

Manage all alerts

View all alert dashboards