Alert Escalation Behavior
Who this is for
Admins and Owners who want to ensure critical alerts reach the right people if the first notification is missed.
What you will complete
Understand how escalation works, configure escalation on a specific alert rule, and verify the escalation chain is set up correctly.
Before you begin
- Admin or Owner role required.
- At least one alert rule must be created.
- At least two notification channels should be configured for escalation to be meaningful. See KB-10-01.
What is escalation?
Escalation is the behavior where an alert that remains firing for a specified number of minutes — without being acknowledged or snoozed — triggers a second (or higher-priority) notification, potentially to a different channel or recipient.
Example scenario:
- CPU critical alert fires → notification sent to Slack channel
- Alert remains unacknowledged for 30 minutes → escalation fires → PagerDuty or email notification sent to the on-call engineer
This prevents critical alerts from being silently missed when the primary notification channel is not monitored.
How escalation is configured
Escalation is an optional field on each alert rule. When creating or editing a rule, you can set:
Escalation Minutes: The number of minutes the alert must remain in Firing state (without acknowledgement or snooze) before escalation triggers.
If this field is left empty, no escalation occurs — the alert fires its primary notification and waits.
Step-by-step: enable escalation on a rule
- Go to Alerts → Rules tab.
- Click the Edit (pencil) button on the rule you want to configure.
- Find the Escalation Minutes field.
- Enter the number of minutes before escalation should fire. Common values:
- 15 minutes — for critical rules that must be acknowledged quickly
- 30 minutes — for warning rules
- 60 minutes — for lower-priority alerts
- Click Save.
What escalation triggers
When an alert escalates:
- All active notification channels in your organization receive a new notification.
- The notification is labeled as an escalation (not just a repeat).
- The escalation appears as a new event in the Alert Events log.
Escalation and snooze
Snoozing an alert resets the escalation timer. If you snooze an alert for 1 hour, the escalation clock restarts when the snooze expires (if the alert is still firing).
Acknowledging an alert does not reset the escalation timer — it only marks the alert as seen. If escalation is configured, it will still fire unless the alert is also snoozed or resolves.
What success looks like
- On a test alert (set an artificially low threshold), the alert fires and the primary notification arrives.
- After the configured escalation minutes pass without acknowledgement, a second notification arrives with the escalation label.
- The Alert Events log shows both the initial firing event and the escalation event with timestamps.
Common errors and fixes
"Escalation did not fire even after the configured minutes passed" Cause: The alert was snoozed or the metric self-resolved before escalation triggered. Fix: Check the Alert Events log. If the alert shows "Snoozed" or "Resolved" before the escalation window, escalation correctly did not fire.
"Escalation keeps firing repeatedly" Cause: Escalation fires once per escalation interval. If the interval is short (e.g., 5 minutes) and the alert stays firing, escalation fires repeatedly. Fix: Increase the escalation minutes, or ensure the alert is acknowledged or snoozed after the first escalation.
"I receive escalation notifications but I am the only person in the org" Cause: Escalation sends to all active notification channels — even if they all go to you. Fix: This is expected behavior if all channels point to the same person. Escalation is most useful with multiple channels (Slack for the team, email for on-call, PagerDuty for urgent).