In the KUMA web interface, go to the Settings → Other → Alerts section.
In the Alerts window, go to the Settings tab and manage the following settings:
In the Alert status drop-down list, select the status that an alert must have to be filled with events. The default setting is New. You can select multiple values. The New value cannot be removed from the selection. Available values:
New means the created correlation events continue to be linked to the alert only if the alert status is New.
In incident means the created correlation events continue to be linked to the alert only if the alert status is In incident. If the status of the alert changes to In incident, it can revert to the New status if the alert is unlinked from the incident. In that case, the filling of the alert with events stops.
Example: the alert has the In incident status. While in the In incident status, no new events were received. If you unlink the alert from the incident, the alert will be filled with events. If, while the alert was linked to the incident, more events were received and a new alert was created, the last created alert is filled with events.
Assigned means the created correlation events continue to be linked to the alert only if the alert status is Assigned.
In the Alert filling time (hours), specify the duration for which the alert will be filled with events. The value must be an integer. The time is counted from the moment the alert is created. Default value: 336 hours (2 weeks). The minimum value is 1 hour.
If both Alert status and Alert filling time are configured, the filling of the alert with events is stopped by the condition that changes first. That is, it happens after the specified duration expires or the status changes. However, if alert reverts to the status that enables filling, such an alert is not filled. For example, filling is configured for the New status. When the alert changes to the In incident status, filling stops. Then the alert is unlinked from the incident and the alert reverts to the New status. In this case, no new events are added to the alert.
In the Storage drop-down list, select the storage where the alert events are stored. Only one storage can be specified. The list shows storage resources, instead of running services.
When the Storage setting is changed, existing alerts are not filled with events from the new storage. Instead, a new alert is created with the events of the new storage.
Alerts created before specifying a storage do not contain events. After the Storage is specified, empty alerts are not filled, and a new alert is created for new events.