Skip to main content

Alerts Database

The alerts database stores parsed alert messages from Lark and auto-generated daily recommendations.

Tables

lark_alerts (~8,474 rows)

Parsed alert messages from the BYOC Online Alarm Lark channel.

Date range: Jan 19 -- Mar 13, 2026 (Pacific time).

Schema

CREATE TABLE lark_alerts (
    message_id        VARCHAR(64)   NOT NULL,
    created_at        DATETIME      NOT NULL,   -- Pacific time (PST/PDT)
    created_at_utc    DATETIME      NULL,       -- UTC timestamp
    cluster_name      VARCHAR(256)  NULL,
    admin_email       VARCHAR(256)  NULL,
    region            VARCHAR(64)   NULL,
    account_name      VARCHAR(128)  NULL,
    cluster_id        VARCHAR(128)  NULL,
    alert_status      VARCHAR(16)   NULL,       -- 'Firing' or 'Resolved'
    alert_name        VARCHAR(256)  NULL,
    alert_detail      VARCHAR(2048) NULL,
    admin_console_url VARCHAR(1024) NULL,
    dashboard_url     VARCHAR(1024) NULL,
    silence_url       VARCHAR(1024) NULL,
    raw_content       STRING        NULL
) ENGINE=OLAP
DUPLICATE KEY(message_id, created_at)
PARTITION BY RANGE(created_at)
DISTRIBUTED BY HASH(cluster_id) BUCKETS 8;

Timestamp Convention

  • created_at is in US/Pacific (PST/PDT). This is the primary time column used for partitioning and queries.
  • created_at_utc is the same instant in UTC. The offset is 7 or 8 hours depending on DST.
  • Recommendations and daily aggregations use created_at (Pacific calendar day).

Message ID Prefixes

PrefixSource
om_Lark MCP ingestion (original Lark message IDs)
wh_Grafana webhook receiver (SHA256-derived)

alert_recommendations

Auto-generated daily recommendations per alert type. Populated by daily_alert_pipeline.py after each day's alerts are ingested.

Columns include: report_date, alert_name, severity, fired_count, resolved_count, cluster_count, cluster_names, recommendation, is_noisy, noisy_note.

lark_alerts_utc_backup

One-time backup created during the UTC migration. Not used in production.

Data Quality Notes

  • ~311 rows have NULL alert_status. These come from "Create Silence" footer blocks in Lark cards that the parser could not classify. Filter with WHERE alert_status IS NOT NULL for clean analysis.
  • Some RESOLVED cards encode alert names in a Lark table image that cannot be parsed. These get alert_name = '(resolved -- alert name in Lark table image)'.