`system/cases`

Purpose

The system/cases dataset models each case (ticket/incident) end-to-end, from creation and acknowledgement through resolution. This includes information such as priority, category, assignee, timestamps, and contributing alert indicators, so teams can track backlog health, measure MTTA/MTTR, enforce SLAs, analyze noisy alerts, and balance on-call workload.

Schema description

Full JSON path	Field data type	Field data example	description
`case.id`	String	`"CASE-9b7e12"`	Case identifier (unique).
`case.title`	String	`"High error rate in payments API"`	Human-readable case title. (templated)
`case.caseDetailUrl`	String (URL)	`"https://app.coralogix.com/#/cases/CASE-9b7e12"`	URL to the case detail page.
`case.description`	String / Null	`"Error rate > 5% for 10 minutes"`	Case description/summary. (templated)
`case.assignee`	Object / Null	`{ "userEmail":"oncall@acme.io" }`	Current assignee (if any).
`case.assignee.userEmail`	String	`"oncall@acme.io"`	Assignee’s email address.
`case.state`	Enum	`"ACTIVE"`	Lifecycle state: `CREATED`
`case.status`	Enum	`"ACKNOWLEDGED"`	Operational status: `OPEN`
`case.casePriority`	Enum	`"P1"`	Priority assigned to the case.
`case.category`	Enum	`"AVAILABILITY"`	Case category.
`case.createdAt`	String (date-time)	`"2025-09-02T11:43:12Z"`	Case creation time (UTC).
`case.updatedAt`	String / Null (date-time)	`"2025-09-02T12:15:44Z"`	Last update time (UTC), if set.
`case.acknowledgedAt`	String / Null (date-time)	`"2025-09-02T11:50:01Z"`	When the case was acknowledged (UTC), if set.
`case.resolutionDetails`	Object / Null	`{ "resolvedBy":"USER","resolvedAt":"2025-09-03T08:30:00Z" }`	Resolution info when the case is resolved.
`case.resolutionDetails.resolvedBy`	Enum	`"SYSTEM"`	Who resolved the case: `SYSTEM`
`case.resolutionDetails.resolvedAt`	String (date-time)	`"2025-09-03T08:30:00Z"`	Resolution timestamp (UTC).
`case.indicators`	Array	`[ { "instanceId":"ai-1", "alertDefinitionId":"ad-1", ... } ]`	Alert indicators associated with the case.
`case.indicators[].instanceId`	String	`"ai-1"`	Alert instance identifier.
`case.indicators[].alertDefinitionId`	String	`"ad-1"`	Source alert definition ID.
`case.indicators[].title`	String	`"CPU usage high"`	Indicator/alert title.
`case.indicators[].alertType`	Enum	`"METRIC_THRESHOLD"`	Alert type enumerator.
`case.indicators[].alertPriority`	Enum	`"P2"`	Priority of the alert.
`case.indicators[].groupingType`	Enum	`"COMPOSITE_ALERT"`	Grouping semantics: `COMPOSITE_ALERT`
`case.indicators[].groupings`	Object (map)	`{ "service":"payments", "host":"ip-1-2-3-4" }`	Grouping key/value map for the alert instance.
`case.indicators[].labels`	Object (map)	`{ "env":"prod", "team":"SRE" }`	Labels key/value map for the alert instance.
`case.indicators[].state`	Enum	`"TRIGGERED"`	State of the alert instance: `TRIGGERED`
`case.indicators[].triggeredAt`	String (date-time)	`"2025-09-02T11:41:00Z"`	When the alert instance triggered (UTC).
`case.indicators[].resolvedAt`	String / Null (date-time)	`null`	When the alert instance resolved (UTC), if set.
`case.indicators[].alertQuery`	Object / Null	`{ "queryString":"service='payments'", "type":"ALERT_QUERY_LUCENE" }`	Underlying query used by the alert (if available).
`case.indicators[].alertQuery.queryString`	String	`"service='payments' AND status:5xx"`	Query text used in the alert.
`case.indicators[].alertQuery.type`	Enum	`"ALERT_QUERY_LUCENE"`	Query type: `ALERT_QUERY_TYPE_UNSPECIFIED`
`case.groupings`	Object (map)	`{ "service": ["payments","auth"], "region": ["us-east-1"] }`	Dataset-level grouping keys mapped to lists of values.
`case.labels`	Object (map)	`{ "env": ["prod"], "team": ["SRE"] }`	Dataset-level labels mapped to lists of values.

`cases` Schema

{ case

Top-level Case object describing a ticket/incident with metadata, indicators, and labels.

id

type: string
Case identifier (unique).

title

type: string
Human-readable case title. (templated)

caseDetailUrl

type: string
URL to the case detail page.

description

type: string | null
Case description/summary. (templated)

{ assignee

type: object | null
Current assignee (if any).

userEmail

type: string
Assignee's email address.

}

state

Enum: CREATED, ACTIVE, RESOLVED
Lifecycle state of the case.

status

Enum: OPEN, ACKNOWLEDGED, CLOSED
Operational status of the case.

casePriority

Enum: P1, P2, P3, P4, P5
Priority assigned to the case.

category

Enum: SECURITY, AVAILABILITY
Case category.

createdAt

type: string (format: date-time)
Case creation time (UTC).

updatedAt

type: string | null (format: date-time)
Last update time (UTC), if set.

acknowledgedAt

type: string | null (format: date-time)
When the case was acknowledged (UTC), if set.

{ resolutionDetails

type: object | null
Resolution metadata when the case is resolved.

resolvedBy

Enum: SYSTEM, USER
Who resolved the case.

resolvedAt

type: string (format: date-time)
Resolution timestamp (UTC).

}

{ indicators

type: array
Alert indicators that contributed to or are associated with the case.

{ items

instanceId

type: string
Alert instance identifier.

alertDefinitionId

type: string
Source alert definition ID.

title

type: string
Indicator/alert title.

alertType

Enum: LOGS_IMMEDIATE, LOGS_THRESHOLD, LOGS_ANOMALY, LOGS_RATIO_THRESHOLD, LOGS_NEW_VALUE, LOGS_UNIQUE_COUNT, LOGS_TIME_RELATIVE_THRESHOLD, METRIC_THRESHOLD, METRIC_ANOMALY, TRACING_IMMEDIATE, TRACING_THRESHOLD, FLOW, SLO_THRESHOLD, UNKNOWN
Type of the alert that triggered the indicator.

alertPriority

Enum: P1, P2, P3, P4, P5
Priority of the alert.

groupingType

Enum: COMPOSITE_ALERT, COMBINATION_ALERT, NONE
Grouping semantics for the alert.

{ groupings

type: object
Map of grouping keys to string values.

}

{ labels

type: object
Map of label keys to string values.

}

state

Enum: TRIGGERED, RESOLVED
Current state of the alert instance.

triggeredAt

type: string (format: date-time)
When the alert instance triggered (UTC).

resolvedAt

type: string | null (format: date-time)
When the alert instance resolved (UTC), if set.

{ alertQuery

type: object | null
Underlying query used by the alert (if available).

queryString

type: string
Query text used in the alert.

type

Enum: ALERT_QUERY_TYPE_UNSPECIFIED, ALERT_QUERY_PROMQL, ALERT_QUERY_LUCENE
Query language/type.

}

{ groupings

type: object
Map of key ➜ list of values (e.g., { "service": ["payments","auth"] }).

}

{ labels

type: object
Map of key ➜ list of values (e.g., { "env": ["prod"] }).

}

Previous alerts.history

Next engine.queries

system/cases

Purpose

Schema description

cases Schema

`system/cases`

`cases` Schema