With Keep’s introduction of CEL (Common Expression Language) for alert filtering, users gain the flexibility to define more complex and precise alert filtering logic. This feature allows the creation of customizable filters using CEL expressions to refine alert visibility based on specific criteria.

Introduction

CEL-based filtering offers a powerful method for users to specify conditions under which alerts should be shown. Through a combination of logical, comparison, and string operations, alerts can be filtered to meet the exact needs of the user, improving the focus and efficiency of alert management.

How It Works

  1. CEL Expression Creation: Users craft CEL expressions that define the filtering criteria for alerts.
  2. Preset Definition: These expressions can be saved as presets for easy application to different alert streams.
  3. Alert Filtering: When applied, the CEL expressions evaluate each alert against the defined criteria, filtering the alert stream in real time.

Practical Example

For instance, a user could create a CEL expression to filter alerts by severity and source, such as severity == 'critical' && service.contains('database'), ensuring only critical alerts from database services are displayed.

Core Concepts

  • CEL Expressions: The CEL language syntax used to define alert filtering logic.
  • Presets: Saved CEL expressions that can be reused across different alert streams.
  • Real-Time Filtering: The dynamic application of CEL expressions to incoming alerts.

Creating a CEL Expression

There are generally two ways of creating a CEL expression in Keep:

Importing from an SQL query

  1. Click on the “Import from SQL” button.
  2. Write or paste your SQL query and hit the “Convert to CEL” button.

Keep then generates and applies a valid CEL query.

Manually creating a CEL query

Use the CEL Language Definition documentation to better understand the capabilities of the Common Expression Language. This is an example of how to query all the alerts that came from Sentry.

If the CEL syntax you typed in is invalid, an error message will show up (in this case, we used invalid '' instead of ""):

Save Presets

You can save your CEL queries into a Preset using the “Save current filter as a view” button.

You can name your Preset and configure whether it is “Private” (only the creating user will see this Preset) or account-wide available.

The Preset will then be created and available for you to quickly navigate to and use.

Best Practices

  • Specificity in Expressions: Craft expressions that precisely target the desired alerts to avoid filtering out relevant alerts.
  • Presets Management: Regularly review and update your presets to align with evolving alerting needs.
  • Testing Expressions: Before applying, test CEL expressions to ensure they correctly filter the desired alerts.