Monitoring Alert Execution through the humio-activity Repository
The humio/activity package provides a wealth of information about activity within LogScale and should be installed to help monitor alerts.
Examine the category field in the humio-activity repo to track progress and any errors generated when executing alerts.
Alert marks standard alerts
FilterAlert marks filter alerts
The status field indicates either a
Success or
Failure. Repeated
entries with a failure indicate an error should be investigated.
There are three different Success
scenarios for Legacy Alerts:
LogScale successfully polled the alert query, found events to trigger on, and successfully triggered at least one of the associated actions
LogScale successfully polled the alert query, found events to trigger on, but the alert was throttled
LogScale successfully polled the alert query, but found no events to trigger on
For filter alerts, the following scenarios indicate
Success:
LogScale successfully polled the alert query, found events to trigger on, and successfully triggered at least one of the associated actions
LogScale successfully polled the alert query, but found no events to trigger on
The subCategory then indicates whether the event relates to the execution of the Alert, Query, or Action.
Checking the severity field will indicate the level of the event:
Infoentries are used to indicate when an alert has been triggered or other informational messages. No action is required.Warningindicates an issue either with the alert, reading the result, or triggering actions, or where an alert has not been triggered due to throttling. In some cases, the warning resolves on its own. But if the message persists, it may require action.Errorindicates an error, for example running the query or trigger. Requires action.
The following additional fields in each event contain more detailed information for each alert invocation or error; for a full example event, see Alert Raw Event Example:
| Field | Description |
|---|---|
| actionId | ID of the triggered action; only set for the invocation of a specific action |
| actionIds | List of action ids for when an alert trigger has been triggered |
| actionInvocationId | Unique id for the invocation of an action, can be used to correlate logs, same commenas for actionId |
| actionInvocationIds | List of action invocation ids for when an alert has been triggered |
| actionName | Name of the action that generated an error or would have been triggered |
| actionName | Name of the triggered action; only set for the invocation of a specific action |
| alertId | ID of the alert |
| alertName | Name of the alert |
| alertTime | The timestamp when the alert was triggered. |
| dataspace | Name of the repository or view |
| eventId | The eventId when an alert trigger on an event |
| events | The number of the events returned by the query; by default all queries return a maximum of 200. Where no events were returned by the query the value will be 0. |
| eventsToTriggerOn | When polling a filter alert query |
| exceptionMessage | A detailed error message that will include errors at the cluster-level that may have contributed; for example permission, API, or network issues |
| externalQueryId | The external id of the running query |
| lastAlertTime | The timestamp of the last time the alert triggered |
| message | The error or warning message for the alert |
| query | The alert query executed |
| queryProcessedEvents | The number of events processed to return the final result set. |
| queryTimeMillis | Time taken in milliseconds to execute the query. This value can be used to help indicate the load of the query (and therefore any optimization or refinement), or to find outliers during execution. |
| status |
Indicates whether the alert was successful (value
Success) or failed (value
Failure).
An individual failure may be triggered for multiple reasons,
but repeated failures over a period of time may indicate a
problem that needs investigation.
|
| suggestion | A guide to the warning or error and how to resolve or identify more information |
| user | The user the query runs on behalf of (run-as-user) |
| viewId | ID of the view for the alert |
Alert Errors and Resolutions
When investigating errors to identify issues, make use of the message and suggestion fields to provide guidance on why an issue has occurred. The list below describes each message type.
Filter alert errors and solutions
The following table contains errors and resolutions for filter alerts.
Table: Filter alert errors and solutions
| Message | Severity | Description | Solution |
|---|---|---|---|
| Polling alert query resulted in an error | Error | The alert query produced an error. This can be due to many different reasons. |
Look at the message in the exceptionMessage and
consult documentation based upon that for possible solutions.
|
| Starting alert query resulted in an error | Error | The query returned an error when starting. This is usually because of an error in the query. |
Look at the message in the exceptionMessage
field and consult documentation based upon that for possible
solutions. Contact LogScale
Support for assistance if needed.
|
| An event from the alert query does not contain @id or @ingesttimestamp | Error | The alert query has removed the @id or @ingesttimestamp fields. This is needed for the alert to be able to run. | Check the alert query definition and edit it so that it preserves @id and @ingesttimestamp , if needed. For more information about how to do this, see Editing an Alert. |
| Triggering on event did not succeed within retry limit, it will not be retried further | Error |
There was an action error and the value in the configurable
FILTER_ALERTS_MAX_CATCH_UP_LIMIT parameter has been
reached. It will not attempt to trigger the action further.
| Check the specific errors or warnings from invoking actions. If needed, contact LogScale Support for assistance. |
| Could not start alert query since it is blocked | Error | The alert query cannot run since it is blocked. | Either rewrite the alert query so it is no longer blocked, or check with the system administrator and remove the query from the blocklist. If using LogScale Cloud, this error can occur if the cluster is in a maintenance window. |
| Alert is too far behind. Will skip events that are older than the catch up limit | Error |
Data older than X hours based on the configured value in the
FILTER_ALERTS_MAX_CATCH_UP_LIMIT parameter will not
be considered in alert results.
| Look at other logs from the alert to see if there are any errors or warnings, or check whether there are other problems with LogScale. |
| There has been a query warning that some events are unavailable for more than ${limit}. These events will now be skipped | Error | Some events have been unavailable for more that the configured amount of time for the cluster. If there were events that may have produced results, these events were skipped during query execution. | Look at the query warning. Run query manually, if needed. Check cluster performance. |
| The alert is broken | Error | The alert configuration prevents the alert from running. | Edit the alert, check all fields and queries, and save it again. For more information about how to do this, see Editing an Alert. |
| The alert is not assigned to run on any node | Error | The alert is not assigned to run on any nodes. Alerts are distrubted evenly among the nodes in a cluster, so that each one runs on a single node. Reassignment of nodes on which alerts run occurs automatically when new cluster nodes are added or old cluster nodes are removed. | If the alert does not run on another node after 15 minutes, contact LogScale Support. |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that does not exist anymore. Change the alert to run as a different user or on behalf of the organization. | Error | The user attempting to execute the query no longer exists in the system. | Save the alert as a user that exists in the system, or change the alert to run on behalf of the organization. For more information about how to do this, see Editing an Alert. |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that no longer has read permission on the view. Grant the user permission again, or change the alert to run as a different user or on behalf of the organization. | Error | The configured user no longer has read access to the view or repository. | grant the user read permissions on the repository or view that the alert is running in, or save the alert with a user that has such permissions or to run on behalf of an organization. |
| Alert has changed, restarting query | Info | The alert query was edited while running, so the query will restart automatically. | None. This message is informational. |
| Polling encountered a cancelled query | Info | The query was cancelled before execution could complete. | The cancelled query will be restarted automatically. If the problem persists, contact the system administrator. |
| Alert found results, but no actions were invoked since the alert is throttled | Info | The alert found results, but no actions were invoked since the alert is throttled. | None. This message is informational. |
| Alert found no results and will not trigger | Info | The alert query, as configured, found no events that matched its requirements and no actions will trigger. | None. This message is informational. |
| Alert query polled | Info | The alert query ran. | None. This message is informational. |
| Query started | Info | The query started successfully. | None. This message is informational. |
| $message The alert will trigger with the old information from the database | Info | The database shown in the errorMessage has not been updated recently. | Contact the system administrator to update the database. |
| Some events are delayed in ingest. The alert will trigger for available events | Info | Some events are still in the ingest phase and cannot be queried. The alert will trigger for all available events. | None. This message is informational. If the message continues, contact the system administrator. |
| Query output cleaned for security reasons. $message The alert will trigger for available events | Info | The query results contains specific characters that could be misused. These have been removed. | None. This message is informational. For self-hosted solutions, it is possible to turn off this funcionality. |
| The alert was deleted | Info | The alert was deleted and will not run. | It is not possible to recover a deleted alert. If you want it to run, you must create the alert again. |
| The organization of the alert was deleted | Info | The organization for which the alert was created has been deleted. | Recreate the alert for another organization. |
| The view of the alert was deleted | Info | The view with which the alert was associated has been deleted and the job cannot run. | Add the alert to another view. |
| The alert was disabled | Info | The alert was disabled and cannot run. | If you want the alert to run, enable it again. For more information about how to do this, see Editing an Alert. |
| License has expired | Info | The license has expired and must be renewed to continue. | Contact LogScale Support for assistance. |
| The alert has no associated actions | Info | The alert has no associated actions. Because a successful alert must trigger at least one action, the alert is stopped. | Edit the alert to add actions and save it. For more information about how to do this, see Editing an Alert. |
| The organization is being transferred | Info | The organization is being transferred to a new cluster, and alerts are stopped during the transfer process. | If not resolved after 15 minutes, contact Logscale Support for more information. |
| The alert was assigned to run on node $vhost | Info | The alert was assigned to run on a another node in the cluster. | None. This message is informational. |
| The view is not connected to any repository | Info | The alert contains a view that is not connected to any repository. | Edit the view to connect it to a repository, or edit the alert to use another view that is connected to a repository. |
| Alert is behind. Will stop live query and start running historic queries to catch up | Info | The alert execution is behind. The system will stop live queries and start running historic queries to catch up. |
None. This message is informational. If the
isLiveQuery field never reverts to true, contact
the system administrator.
|
| Alert triggering on event | Info | The alert is triggering actions. | None. This message is informational. |
| Alert triggered on event and invoked at least one action | Info | The alert triggered and invoked at least one action and will be throttled. This indicates a successful alert. | None. This message is informational. |
| Problem invoking action. If all actions fail, they will be retried | Warning | There was a problem invoking the alert's actions and all actions failed. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the invoked actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. |
| Starting alert query in previous run has not finished. The alert will not be polled in this run | Warning | The alert query starting did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the alert, wait one minute, and enable the alert. NOTE: If you do this you may lose results. |
| Starting the alert query has not finished. The alert will not be polled in this run | Warning | Query is submitted but has not finished initial loading. | None. This message is informational. |
| Discarding values for field-based throttling. The alert might trigger again before the throttle period expires | Warning |
Maximum amount of field values for throttling has been reached.
Once exceeded, the older values are discarded and can produce
alerts again even though they are within the throttling period.
The values for field-based throttling are set in the following
field based on the alert type:
ALERT_MAX_THROTTLE_FIELD_VALUES_STORED. For more
information about field-based throttling, see
Field-Based Throttling.
| If possible, use a field that produces a smaller amount of different values. |
| Unknown action | Warning | The alert contains an unknown action. | Edit the alert, remove the action, and add a different action. |
| Did not start historic query to catch up since ingest is too far behind | Warning | Data is behind because ingest has not caught up. So the historic query on older data cannot run. | Look at other logs from the alert to see if there are any errors or warnings, or check whether there are other problems with LogScale. |
| Polling alert query in previous run has not finished. The alert will not be polled in this run | Warning | The alert query did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the alert, wait one minute, and enable the alert. NOTE: If you do this you may lose results. |
| Query uses functionality scheduled to change in an automation breaking way | Warning | The query contains some functionality that may break the alert after a coming release. | Look at the warning in the warning field, check the release notes for guidance about what has changed and how to adjust, and edit the query accordingly. |
| Query uses deprecated functionality | Warning | The query contains some functionality that has been deprecated in a release. | Look at the warning in the warning field, check the release notes for guidance about what has changed and how to adjust, and edit the query accordingly. |
| Some events are currently not available. The alert will trigger for available events | Warning | It is not possible to collect results for some events because the events were not available when the query ran. The alert will trigger for all other available events. | If the problem continues, contact Logscale Support. |
| $message The alert will trigger without information from the database | Warning | The database shown in the errorMessage does not exist or is not available. | Contact the system administrator for assistance. |
| Problem with file used in `match`. $message The alert will trigger for available events | Warning | Error in CIDR data in CSV file that will be skipped when parsing the data in the alert query. | Check the CSV file and fix the column containing CIDR data. |
| $message The alert will trigger for available events | Warning | Not enough resources to run query. (Ask engine team for more details if needed.) | Contact the system administrator for assistance. |
| Filter alert received too many events. It will only trigger on ${state.triggerLimit} per ${FilterAlertJobImpl.QueryBucketSpan} | Warning | The alert resulted in too many events and cannot trigger all events. The query is likely too broad. | If this was unexpected, rewrite the alert query to produce fewer results. For more information about how to do this, see Editing an Alert. |
| Filter alert did not trigger. Trigger limit of ${state.triggerLimit} per ${FilterAlertJobImpl.QueryBucketSpan} has already been reached | Warning | The alert resulted in too many events and cannot trigger all events. The query is likely too broad. | If this was unexpected, rewrite the alert query to produce fewer results. For more information about how to do this, see Editing an Alert. |
| Alert failed triggering on event | Warning | There was a problem triggering the alert's actions. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. |
| Unknown query warning. The alert will trigger for available events | Warning | The alert encountered an unknown query. This occurs if, for example, if LogScale is being upgraded. The alert will trigger for the available events but not for any events that might be the result of the unknown query. | Look at the warning in the warning field for more information. |
Legacy alert errors and solutions
The following table contains errors and resolutions for legacy alerts.
Table: Legacy alert errors and solutions
| Message | Severity | Description | Solution |
|---|---|---|---|
| Alert is broken and will not run | Error | The alert configuration prevents the alert running. | Edit the alert and save it again. For more information about how to do this, see Editing an Alert. |
| Could not submit alert query since the search interval is too short | Error | Could not submit the alert query since the search interval is too short. | Edit the query to expand the search interval and save it. For more information about how to do this, see Editing an Alert. |
| Polling alert query resulted in an error | Error | The alert query produced an error. This can be due to many different reasons. |
Look at the message in the exceptionMessage and
consult documentation based upon that for possible solutions.
|
| Could not submit alert query | Error | There can be several reasons that it is not possible to submit the query. |
Look at the exceptionMessage and consult
documentation based upon that for possible solutions. Contact
LogScale Support for
assistance if needed.
|
| Alert has changed, restarting query | Info | The alert query was edited while running, so the query will restart automatically. | None. This message is informational. |
| Alert found results, but no actions were invoked since the alert is throttled | Info | The alert found results, but no actions were invoked since the alert is throttled. | None. This message is informational. |
| Alert triggered and invoked at least one action and will be throttled | Info | The alert triggered and invoked at least one action. The alert will be throttled. | None. This message is informational. |
| Alert triggering | Info | The alert is triggering actions. | None. This message is informational. |
| Alert found no results and will not trigger | Info | The alert query, as configured, found no events that matched its requirements and no actions will trigger. | None. This message is informational. |
| Alert encountered a cancelled query | Info | The alert encountered a cancelled query during execution. | None. This message is informational. The alert query will be restarted automatically. If this happens frequently, review the alert configuration and contact LogScale Support, if needed. |
| Query started | Info | The query started successfully. | None. This message is informational. |
| Polling alert query resulted in warnings that are normally treated as errors. The alert will still trigger if the result contains events | Info | Polling the alert query resulted in warnings that are normally treated as errors. The alert will still trigger actions if the result contains events. | This message is informational and does not require action. However, consider whether the specific messages in the errors field should be fixed. |
| Problem invoking action. If all actions fail, they will be retried | Warning | There was a problem invoking the alert's actions. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the invoked actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. |
| Problem invoking actions. The alert is not considered to have triggered and will not be throttled | Warning | There was a problem invoking the alert's actions and all actions failed. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the invoked actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. |
| Polling the alert in the previous alerts loop has not finished. The alert will not be polled in this loop | Warning | The alert did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the alert, wait one minute, and enable the alert. NOTE: If you do this you may lose results. |
| Some of the actions invoked by the alert in the previous alerts loop have not finished and none have finished successfully. The alert will not be polled in this loop | Warning | To be successful, an alert must have at least one successful action. This error indicates that some of the actions in the alert have not finished and none have finished successfully. Therefore, the alert has no successful actions. | This warning can self-resolve. If the issue persists, contact the system administrator or LogScale Support. |
| Could not cancel alert query | Warning | The alert query could not be stopped. Query should not run. | None. This message is informational. |
| Discarding values for field-based throttling. The alert might trigger again before the throttle period expires | Warning |
Maximum amount of field values for throttling has been reached.
Once exceeded, the older values are discarded and can produce
alerts again even though they are within the throttling period.
The values for field-based throttling are set in the following
field based on the alert type:
ALERT_MAX_THROTTLE_FIELD_VALUES_STORED. For more
information about field-based throttling, see
Field-Based Throttling.
| If possible, use a field that produces a smaller amount of different values. |
| Unknown action | Warning | The alert contains an unknown action. | Edit the alert, remove the action, and add a different action. |
| Could not submit alert query since it is blocked | Warning | The alert query cannot run since it is blocked. | Either rewrite the alert query so it is no longer blocked, or check with the system administrator and remove the query from the blocklist. If using LogScale Cloud, this error can occur if the cluster is in a maintenance window. |
| Starting the query for the alert has not finished. The alert will not be polled in this loop | Warning | Starting the query for the alert has not finished. The alert will not be polled in this loop | Look at other logs from the alert to see if there are any errors or warnings, or check whether there are other problems with LogScale. |
| Starting the query for the alert in the previous alerts loop has not finished. The alert will not be polled in this loop | Warning | The alert query starting did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the alert, wait one minute, and enable the alert. NOTE: If you do this you may lose results. |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that does not exist anymore. Change the alert to run as a different user or on behalf of the organization. | Warning | The user attempting to execute the query no longer exists in the system. | Save the alert as a user that exists in the system, or change the alert to run on behalf of the organization. For more information about how to do this, see Editing an Alert. |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that no longer has read permission on the view. Grant the user permission again, or change the alert to run as a different user or on behalf of the organization. | Warning | The configured user no longer has read access to the view or repository. | Grant the user read permissions on the repository or view that the alert is running in, change the alert to run as another user with such permissions, or change the alert to run on behalf of the organization |
| Polling alert query resulted in warnings that are treated as errors. The alert will not trigger if the result contains events | Warning | Polling alert query resulted in warnings that are treated as errors. The alert will not trigger if the result contains events. | In this case, you must look at the specific messages in the errors field and fix them, if possible. |