Monitor entity health

Learn how Splunk Observability Cloud derives entity health state from active alerts mapped to an entity.

Entity health is intended to show whether a resource currently has active alerts that require attention. This model is based on alert severity, not on a separate calculated health score. To learn more about entities, see Entities in Splunk Observability Cloud.

What entity health means

Entity health state represents the highest severity of any active alert mapped to an entity. For example, if an entity has at least one critical alert, its health state is critical.

How health state is determined

Health state is derived from active alerts associated with an entity and indicated by color:

  • Red (Critical): At least one critical alert is active.
  • Yellow (Warning): At least one warning alert is active and no critical alert is active.
  • Gray (Healthy): No warning or critical alerts are active.

This model focuses on alert severity rather than on detector configuration details, service state, or a broader rollup of performance indicators.

Alert-to-entity mapping

By default, Splunk Observability Cloud maps alerts to entities automatically.

Users can adjust these associations when needed. For example, users can exclude specific alerts from affecting entity health or make bulk updates if an automatically chosen mapping does not match their intended resource relationships.
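The rollup and mapping adjustments described above, as an added example that is not Splunk's code or API: a small model that derives each entity's state from active, non-excluded alerts. The `Alert` fields, the `excluded` and `remap` parameters, the numeric ranks, and all sample data are assumptions constructed for illustration; severities other than warning and critical are treated as not changing the state.

```python
from dataclasses import dataclass

# States and colours as listed on this page; numeric ranks are an assumption for ordering.
RANK = {"critical": 2, "warning": 1}
STATE = {2: ("Critical", "Red"), 1: ("Warning", "Yellow"), 0: ("Healthy", "Gray")}

@dataclass(frozen=True)
class Alert:
    alert_id: str
    severity: str
    active: bool
    entity: str  # automatically chosen mapping (hypothetical field name)

def entity_health(entities, alerts, excluded=frozenset(), remap=None):
    """Return {entity: (state, colour)}.

    excluded: alert ids a user has excluded from affecting entity health.
    remap: {alert_id: entity} user overrides of the automatic mapping.
    """
    remap = remap or {}
    worst = {e: 0 for e in entities}  # an entity with no alerts stays Healthy
    for a in alerts:
        if not a.active or a.alert_id in excluded:
            continue  # cleared or excluded alerts do not affect health
        target = remap.get(a.alert_id, a.entity)
        if target in worst:
            worst[target] = max(worst[target], RANK.get(a.severity.lower(), 0))
    return {e: STATE[r] for e, r in worst.items()}

# Constructed sample data
ENTITIES = ["checkout-svc", "payments-db", "eu-west-cluster", "cache-01"]
ALERTS = [
    Alert("a1", "Critical", True, "checkout-svc"),
    Alert("a2", "Warning", True, "checkout-svc"),
    Alert("a3", "Critical", False, "payments-db"),  # no longer active
    Alert("a4", "Warning", True, "payments-db"),
    Alert("a5", "Critical", True, "payments-db"),   # excluded in demo()
    Alert("a6", "Warning", True, "checkout-svc"),   # remapped in demo()
]

def demo():
    return entity_health(ENTITIES, ALERTS, excluded={"a5"},
                         remap={"a6": "eu-west-cluster"})

if __name__ == "__main__":
    for name, (state, colour) in demo().items():
        print(f"{name:16} {colour:7} {state}")
```

Running `entity_health` once with and once without `excluded` shows which entities an exclusion is downgrading; here `payments-db` reads Warning with the exclusion and Critical without it.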

How entity health relates to the entity model

Entity health builds on the same entity model used elsewhere in Splunk Observability Cloud. An entity can be a physical or logical resource, and health state reflects the alert activity associated with that resource.

Because entities can provide resource context even when they do not emit telemetry directly, an entity can still participate in health workflows when relevant alerts are associated with it.