Standard Alerts

Standard alerts work by returning the results from an aggregate query; when the query returns an aggregate result with one or more rows, the alert is triggered. Standard alerts have the following attributes and behaviour:

Standard alerts execute a live query and returns the results from the query to act as the content (and data) for the alert.
An alert is triggered against the query only when the query returns one or more results, and therefore the alert is triggered against a query result set of the aggregate query.
If you want the alert to output the events that went into the query result, see Sending Aggregate Results to Actions.
All the values within the result set from the query are available when triggering an action.
Additionally to only return the results from an aggregate query, events matching an aggregate query can also be sent to Actions. See Sending Aggregate Results to Actions.
Standard alerts must be throttled to prevent the query triggering a configured action too often or too frequently. See Setting Alert Throttle Period.
The environment variable ENABLE_ALERTS must be set to the true on every host in the cluster.
Standard alerts do not support Join Query Functions.

Data Analysis 1.113.0-1.117.0

Data Analysis Overview

LogScale User Interface

Repositories & Views

Parsing Data

Searching Data

Writing Queries

Dashboards & Widgets

Automation

Query Language Syntax

Query Functions

Template Language

Keyboard Shortcuts

Standard Alerts

Enter search term