Retention time of alert violations and incidents changing

Hi folks!

Below, I’ll refer to “violations” and “incidents.” Keep in mind that these terms are for the legacy alerting experience. The newer systems that are now available use different terminology, which I detail in this post.

In order to improve system performance and reliability for all of our users, we are making a small change to violation and incident retention.

API calls and UI displays that were returning violations and incidents up to 15 months old will now return anything that is 6 months old or newer. Our data shows that these objects, once they reached 6+ months old, were rarely accessed. We will no longer be retaining these objects past 6 months.

In addition, API calls requesting a list of violations will now impose a default time range. When a time range is not specified, 31 days of data will be returned. You can still input a value in the start_date field to show violations up to 6 months old.

Here is how that would look, if you were using the API Explorer:

Keep in mind that you can also gather violation details by using NRQL to query the NrAiIncident event type. Retention for this event is 13 months. Documentation on NrAiIncident can be found at this link. Note that the term “incident” in the event name refers to new incidents, which correspond to legacy violations.