Legacy Alerts
Similar to Aggregate Alerts, Legacy alerts work by returning the results from an aggregate query; when the query returns an aggregate result with one or more rows, the alert is triggered. Legacy alerts have the following attributes and behavior:
An alert is triggered only when the query returns one or more results. If you want the alert to output the full events that went into the query result, see Sending Aggregate Results to Actions.
All the values within the result set from the query are available when triggering an action.
Events matching an aggregate query can also be sent to Actions. See Sending Aggregate Results to Actions.
Legacy alerts can be throttled to prevent the query from triggering a configured action too often. See Setting Alert Throttle Period.
The environment variable ENABLE_ALERTS must be set to true on every host in the cluster.
The limitations explained at Errors when Using Live join() Functions should be considered when using Join Query Functions in Legacy alerts.
The following limitations for Legacy alerts are known:
If an error occurs, a Legacy alert keeps running; when it eventually succeeds, the successful search covers a different search interval and may therefore return a different result.
When throttling is in effect, the next search after a Legacy alert triggers does not start exactly when the throttle period ends, so events just before or after that point may be missed.
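As an added illustration, not code from the LogScale documentation or product, the following Python model simulates the legacy alert behavior described above: a scheduled aggregate query that triggers only on a non-empty result set, makes the result rows available to the action, and does not search while throttled. The scheduling details (a fixed search interval, each search covering only the last interval, and resumption at the next scheduler tick after the throttle ends) are assumptions chosen to show how events can fall outside every search window; the events and the groupBy-style query are constructed samples.

```python
from dataclasses import dataclass, field


@dataclass
class LegacyAlertModel:
    """Model of a legacy alert: fixed-interval aggregate search plus throttling."""
    interval: int                 # seconds between searches (assumption)
    throttle: int                 # throttle period in seconds after a trigger
    events: list                  # constructed (timestamp, fields) samples
    fired: list = field(default_factory=list)
    covered: set = field(default_factory=set)

    def aggregate(self, start, end):
        # Constructed groupBy(host)-style count over the window [start, end).
        counts = {}
        for ts, ev in self.events:
            if start <= ts < end:
                counts[ev["host"]] = counts.get(ev["host"], 0) + 1
                self.covered.add(ts)          # this event was seen by some search
        return [{"host": h, "_count": c} for h, c in counts.items()]

    def run(self, until):
        """Run the scheduler up to `until`; return timestamps no search ever covered."""
        throttled_until = 0
        for t in range(self.interval, until + 1, self.interval):
            if t < throttled_until:
                continue                      # assumption: no search while throttled
            rows = self.aggregate(t - self.interval, t)
            if rows:                          # triggers only on one or more result rows
                self.fired.append((t, rows))  # all row values are available to the action
                throttled_until = t + self.throttle
        return [ts for ts, _ in self.events if ts not in self.covered]


# Constructed sample: four events on four hosts, 10 s search interval, 25 s throttle.
SAMPLE_EVENTS = [(5, {"host": "a"}), (15, {"host": "b"}),
                 (28, {"host": "c"}), (42, {"host": "d"})]


def demo():
    """Return (trigger times, missed event timestamps) for the constructed sample."""
    model = LegacyAlertModel(interval=10, throttle=25, events=SAMPLE_EVENTS)
    missed = model.run(until=60)
    return [t for t, _ in model.fired], missed  # -> ([10, 50], [15, 28])
```

The events at 15 s and 28 s fall inside the throttle window and are never searched, which is the coverage gap the second limitation describes.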
For improved reliability, these limitations have been addressed in the aggregate alert type. For more information, see Aggregate Alerts.