Monitor Trigger Execution through the humio-activity Repository
The humio-activity repository provides comprehensive monitoring capabilities for trigger execution in LogScale, allowing users to track progress and identify errors through various category fields including Alert, FilterAlert, AggregateAlert, ScheduledSearch, Action, and Query. Users can monitor the success or failure status of triggers, understand severity levels (Info, Warning, Error), and access detailed event information to effectively troubleshoot and maintain their alert system.
The humio/activity package provides a wealth of information about activity within LogScale and should be installed to help monitor triggers.
Examine the category field in the humio-activity repository to track progress and any errors generated when executing triggers.
Alert marks legacy (standard) alerts
FilterAlert marks filter alerts
AggregateAlert marks aggregate alerts
ScheduledSearch marks scheduled searches
Action marks actions
Query marks queries
The status field indicates either a
Success or
Failure. Repeated entries with a
failure indicate an error should be investigated.
The four main success scenarios are:
LogScale successfully started the trigger query.
LogScale successfully polled the trigger query, found events to trigger on, and successfully triggered at least one of the associated actions
LogScale successfully polled the alert query, found events to trigger on, but the alert was throttled (not for scheduled search)
LogScale successfully polled the trigger query, but found no events to trigger on
Checking the severity field indicates the level of the event:
Infoentries are used to indicate when an alert has been triggered or other informational messages. No action is required.Warningindicates an issue either with the alert, reading the result, or triggering actions, or where an alert has not been triggered due to throttling. In some cases, the warning resolves on its own. But if the message persists, it may require action.Errorindicates an error, for example running the query or trigger. Requires action.
For information about additional fields each event contains, see Basic Structure. For a full example event, see Trigger Raw Event Example.
Trigger Raw Event Example
An example of a full event showing an error for reference.
| Field | Value |
|---|---|
| #category |
Alert
|
| #repo |
humio
|
| #severity |
Info
|
| @id |
XQP9NSlmxlxz6nHCuvRFgiDQ_113_111_1684918557
|
| @ingesttimestamp |
1684918557196
|
| @rawstring |
category="Alert" severity="Info"
@timestamp="1684918557196" message="Alert query polled"
subCategory="Query" alertId="5PW7eKlBvQWpJFRTL7j4N5n3Y3GeAIiE"
alertName="Alert2" viewId="KFrfTEli7ziKVdJiHMzmy6AV"
dataspace="humio" externalQueryId="P1-q4u0GQwR6Xel6XKT1HAMv8Ts"
query="\"cputime > 240000000\"" eventsToTriggerOn="0"
|
| @timestamp |
1684918557196
|
| @timestamp.nanos |
0
|
| @timezone |
Z
|
| alertId |
5PW7eKlBvQWpJFRTL7j4N5n3Y3GeAIiE
|
| alertName |
Alert2
|
| category |
Alert
|
| dataspace |
humio
|
| eventsToTriggerOn |
0
|
| externalQueryId |
P1-q4u0GQwR6Xel6XKT1HAMv8Ts
|
| message |
Alert query polled
|
| query |
"cputime > 240000000"
|
| severity |
Info
|
| subCategory |
Query
|
| timestamp |
1684918557196
|
| viewId |
KFrfTEli7ziKVdJiHMzmy6AV
|