Keep

Platform

Alerts Severity and Status

Keep is an open-source alert management and automation tool that provides everything you need to create and manage alerts effectively.

Introduction

Key concepts

Use cases

Alert grouping

Presets

Extraction

Mapping

Examples

Comparison

Getting started

Keep with Internet URL

Authentication

Secret Manager

Docker

Kubernetes

Openshift

AWS ECS

Overview

Providers

Alerts

Workflows

Workflow builder

Settings

A Provider is a component of Keep that enables it to interact with third-party products. It is implemented as extensible Python code, making it easy to enhance and customize.

Fingerprints are unique identifiers associated with alert instances in Keep. Every provider declares the fields fingerprints are calculated upon

Fingerprints

Adding a New Provider

Adding a new Provider

AppDynamics provider allows you to get AppDynamics `alerts/actions` via webhook installation

AppDynamics Provider

AppDynamics

Azure AKS provider to view kubernetes resources.

Azure AKS

Axiom Provider is a class that allows to ingest/digest data from Axiom.

Axiom Provider

Azure Monitoring provider allows you to get alerts from Azure Monitoring via webhooks.

Azure Monitoring Provider

Azure Monitoring

CloudWatch provider enables seamless integration with AWS CloudWatch for alerting and monitoring, directly pushing alarms into Keep.

CloudWatch Provider

CloudWatch

Console provider is sort of a mock provider that projects given alert message to the console.

Console Provider

Console

Datadog provider allows you to query Datadog metrics and logs for monitoring and analytics.

Datadog Provider

Datadog

Discord provider is a provider that allows to send notifications to Discord

Discord Provider

Discord

Elastic provider is a provider used to query Elastic Search (tested with elastic.co)

Elastic Provider

Elastic

GCP Monitoringing provider allows you to get alerts from Azure Monitoring via webhooks.

GCP Monitoring Provider

GCP Monitoring

GitLab provider is a provider used for creating issues in GitLab

GitLab Provider

Grafana Oncall Provider is a class that allows to ingest/digest data from Grafana On-Call.

Grafana Oncall Provider

Grafana Provider allows either pull/push alerts from Grafana to Keep.

Grafana Provider

HTTP Provider is a provider used to query/notify using HTTP requests

HTTP Provider

ilert provider allows you to create, update, and resolve incidents in ILert for effective incident management and response.

ilert Provider

ilert

Jira provider is a provider used to query data and creating issues in Jira

Jira Provider

Kibana provider allows you get alerts from Kibana Alerting via webhooks.

Kibana Provider

Kibana

Kubernetes provider to perform rollout restart or list pods action.

The LinearB provider enables integration with LinearB's API to manage and notify incidents directly through webhooks.

LinearB Provider

LinearB

Mailchimp Provider

Mailchimp

Template Provider is a template for newly added provider's documentation

Mock Provider

Mock

MySQL Provider is a provider used to query MySQL databases

MySQL Provider

MySQL

New Relic Provider enables querying AI alerts and registering webhooks.

New Relic Provider

New Relic

Ntfy.sh allows you to send notifications to your devices

Ntfy.sh Provider

Ntfy.sh

Openshift provider to perform rollout restart action on specific resources.

OpsGenie Provider is a provider that allows to create alerts in OpsGenie.

Opsgenie Provider

Pagerduty Provider is a provider that allows to create incidents or post events to Pagerduty.

Pagerduty Provider

The Pagertree Provider facilitates interactions with the Pagertree API, allowing the retrieval and management of alerts.

Pagertree Provider

PostgreSQL Provider is a provider used to query POSTGRES databases

PostgreSQL Provider

PostgreSQL

Pushover Provider

Pushover

Redmine Provider

Redmine

Resend Provider

Resend

Sentry provider allows you to query Sentry events and to pull/push alerts from Sentry

Sentry Provider

Sentry

SignalFX provider allows you get alerts from SignalFX Alerting via webhooks.

SignalFX Provider

SignalFX

SIGNL4 offers critical alerting, incident response and service dispatching for operating critical infrastructure. It alerts you persistently via app push, SMS text and voice calls including tracking, escalation, collaboration and duty planning. Find out more at [signl4.com](https://www.signl4.com/)

SIGNL4 Provider

The Site24x7 Provider allows you to install webhooks and receive alerts in Site24x7. It manages authentication, setup of webhooks, and retrieval of alert logs from Site24x7.

Site24x7 Provider

Enhance your Keep workflows with direct Slack notifications. Simplify communication with timely updates and alerts directly within Slack.

Slack Integration

Snowflake Provider

Snowflake

StatusCake allows you to monitor your website and APIs and send alert to keep

StatusCake Provider

StatusCake

Splunk provider allows you to get Splunk `saved searches` via webhook installation

Splunk Provider

Splunk

Squadcast provider is a provider used for creating issues in Squadcast

Squadcast Provider

The `SSH Provider` is a provider that provides a way to execute SSH commands and get their output.

SSH Provider

Teams Provider is a provider that allows to notify alerts to Microsoft Teams chats.

Teams Provider

Telegram Provider is a provider that allows to notify alerts to telegram chats.

Telegram Provider

Trello provider is a provider used to query data from Trello

Trello Provider

Trello

Twilio Provider is a provider that allows to notify alerts via SMS using Twilio.

Twilio Provider

UptimeKuma allows you to monitor your website and APIs and send alert to keep

UptimeKuma Provider

UptimeKuma

Websocket

Zabbix provider allows you to pull/push alerts from Zabbix

Zabbix Provider

Zabbix

Zenduty Provider

Zenduty

At Keep, we view alerts as workflows, which consist of a series of steps executed in sequence, each with its own specific input and output. To keep our approach simple, Keep's syntax is designed to closely resemble the syntax used in GitHub Actions. We believe that GitHub Actions has a well-established syntax, and there is no need to reinvent the wheel.

Basic Syntax

Foreach syntax add the flexability of running action per result instead of only once on all results.

Foreach Syntax

Foreach

Keep uses [Mustache](https://mustache.github.io/) syntax to inject context at runtime, supporting functions, dictionaries, lists, and nested access.

Content Syntax

Working with context

What is a Condition?

❓ What is a Condition

Threshold

🎯 Threshold

Assert

The 'stddev' condition implements standard deviation logic. It takes a list or a list of lists, along with a standard deviation threshold ('compare_to'), and returns all values that are farther away from the mean than the standard deviation.

stddev

🎯 Stddev (Standard Deviation)

In Keep's context, functions extend the power of context injection. For example, if a step returns a list, you can use the `keep.len` function to count and use the number of results instead of the actual results.

What is a Function?

all(iterable)

diff

diff(iterable)

len(iterable)

split

string(string, delimeter)

first

first(iterable)

utcnow

to_utc

datetime_compare

encode

encode(string)

The purpose of throttling is to prevent any action from being triggered too many times, thus generating too many alerts.

What is a Throttle?

The action will trigger once the alert is resolved.

One Until Resolved

Breakdown of the alert and further explanations can be found in the bottom of this page.

Severity Level	Description
CRITICAL	Requires immediate action.
HIGH	Needs to be addressed soon.
WARNING	Indicates a potential problem.
INFO	Provides information, no immediate action required.
LOW	Minor issues or lowest priority.

Status	Description
FIRING	Active alert indicating an ongoing issue.
RESOLVED	The issue has been resolved, and the alert is no longer active.
ACKNOWLEDGED	The alert has been acknowledged but not resolved.
SUPPRESSED	Alert is suppressed due to various reasons.
PENDING	No Data or insufficient data to determine the alert state.

Provider	Severity Mapping	Status Mapping
CloudWatch	N/A	ALARM -> FIRING, OK -> RESOLVED, INSUFFICIENT_DATA -> PENDING
Prometheus	“critical” -> CRITICAL “warning” -> WARNING, “info” -> INFO, “low” -> LOW	“firing” -> FIRING, “resolved” -> RESOLVED
Datadog	“P4” -> INFO, “P3” -> WARNING, “P2” -> HIGH, “P1” -> CRITICAL	“Triggered” -> FIRING, “Recovered” -> RESOLVED, “Muted” -> SUPPRESSED
PagerDuty	“P1” -> CRITICAL, “P2” -> HIGH, “P3” -> WARNING, “P4” -> INFO	“triggered” -> FIRING, “acknowledged” -> ACKNOWLEDGED, “resolved” -> RESOLVED
Pingdom	N/A	“down” -> FIRING, “up” -> RESOLVED, “paused” -> SUPPRESSED
Dynatrace	“critical” -> CRITICAL, “warning” -> WARNING, “info” -> INFO	“open” -> FIRING, “closed” -> RESOLVED, “acknowledged” -> ACKNOWLEDGED
Grafana	“critical” -> CRITICAL, “high” -> HIGH, “warning” -> WARNING, “info” -> INFO	“ok” -> RESOLVED, “paused” -> SUPPRESSED, “alerting” -> FIRING, “pending” -> PENDING, “no_data” -> PENDING
New Relic	“critical” -> CRITICAL, “warning” -> WARNING, “info” -> INFO	“open” -> FIRING, “closed” -> RESOLVED, “acknowledged” -> ACKNOWLEDGED
Sentry	“fatal” -> CRITICAL, “error” -> HIGH, “warning” -> WARNING, “info” -> INFO, “debug” -> LOW	“resolved” -> RESOLVED, “unresolved” -> FIRING, “ignored” -> SUPPRESSED
Zabbix	“not_classified” -> LOW, “information” -> INFO, “warning” -> WARNING, “average” -> WARNING, “high” -> HIGH, “disaster” -> CRITICAL	“problem” -> FIRING, “ok” -> RESOLVED, “acknowledged” -> ACKNOWLEDGED, “suppressed” -> SUPPRESSED

Overview

Development

Deployment

Platform

Providers

Workflows

Keep API

Keep CLI

Alerts Severity and Status

Alert Severity

Alert Status

Provider Alert Mappings

Overview

Development

Deployment

Platform

Providers

Workflows

Keep API

Keep CLI

​Alert Severity

​Alert Status

​Provider Alert Mappings

Alert Severity

Alert Status

Provider Alert Mappings