Trigger management
The Triggers interface lets you create, edit, monitor and manage triggers in LogScale. It provides comprehensive trigger information, including execution status, timestamps, query details and customizable column views for monitoring trigger activity, with detailed explanations of key metrics such as the Last Executed and Last Triggered statuses for different trigger types.
In LogScale, use the Triggers overview page to perform these activities:
- Create triggers either from the Triggers overview page or from the Search page.
- Edit to change details and refine your triggers.
- View, duplicate, export or delete triggers from the repository.
- Monitor, diagnose, and troubleshoot triggers.
- Check summary information for each configured trigger.
Hint
GraphQL Option
Alternatively, you can use the GraphQL API to view, create, update, manage, and delete triggers using the associated queries and mutations.
Figure 194. Triggers Overview
The sidebar menu shows options to navigate between and . The filter buttons provide options for filtering the information on the page. Click to create a new trigger, and click ⋮ to import triggers from templates or packages.
You can adjust the Triggers overview by showing or hiding columns in the table. The columns provide information such as the trigger name, type, status of the trigger, last executed, last triggered, the status of the action attached to the trigger, and so on. Available columns are:
Column | Description |
---|---|
Actions | Actions attached to the trigger. |
Backfill limit | Only for scheduled searches. See Backfill Limit. |
Delay run | Only for scheduled searches. See Delay run. |
Labels | Labels applied to the trigger. |
Last executed | See Last Executed and Last Triggered. |
Last modified at | Date and timestamp when trigger was last changed. |
Last modified by | User who last changed the trigger. |
Last triggered | See Last Executed and Last Triggered. |
Max wait time | Only for scheduled searches. See Max wait time. |
Name | Trigger name. |
Package | Package associated with the trigger. |
Query | Trigger query. |
Query owned by | Who owns the trigger query. If blank, the query is owned by the organization. |
Status | Status of the trigger. The statuses that triggers can have are: Okay, Error, Warning, Disabled, Disabled actions, or No actions assigned. |
Throttle field | Field name to throttle on when field-based throttling applies to the alert. For general information about throttling, see Throttling. For information about throttling for a specific alert type, see Triggers and select an alert type to learn more. |
Timestamp | Timestamp type used by the trigger. For general information about timestamps, see Timestamps for triggers. For information about timestamps for a specific trigger type, see Triggers and select a trigger type to learn more. |
Trigger type | Type of trigger. |
Last Executed and Last Triggered
The Triggers overview keeps track of the end of the search interval for when a trigger was run, as well as when it was last run with results. It can therefore distinguish between when a trigger was executed and the last time it had results and actually triggered an action. This information is displayed in two columns in the Triggers overview.
For Aggregate alerts and Scheduled searches
Last executed indicates the end of the search interval for the last query result that was checked successfully — whether or not any results were returned.
This means that if any error occurs with the query or the associated actions, the time shown by this field will NOT be updated. For a comprehensive list of errors and solutions for each trigger type, see Scheduled search errors and solutions, Aggregate alert errors and solutions, Filter alert errors and solutions, or Legacy alert errors and solutions.
On the other hand, if the query result is empty, this field will be updated.
For Filter alerts
Last executed indicates the last time the query result was checked.
For Aggregate alerts, Legacy alerts, and Scheduled searches
Last triggered indicates the end of the search interval for the last query result that was checked successfully, and successfully triggered at least one associated action. It is not updated if the query result is empty.
For Filter alerts
Last triggered indicates the latest @ingesttimestamp on the triggering events.
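A health check that applies the definitions above to the two columns, as an added example (not LogScale code). The row dictionaries, their key names and the one-hour lag threshold are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta, timezone

# Types whose "Last executed" is the end of the last successfully checked
# search interval, so it stops advancing when the query or an action errors.
INTERVAL_TYPES = {"Aggregate alert", "Scheduled search"}

def classify(row, now, max_lag):
    """Classify one overview row from its status and two timestamp columns."""
    if row["status"] == "Disabled":
        return "disabled"
    kind = row["type"]
    if kind not in INTERVAL_TYPES and kind != "Filter alert":
        return "unknown"  # the page defines no "Last executed" for this type
    executed, fired = row["last_executed"], row["last_triggered"]
    if executed is None or now - executed > max_lag:
        return "stalled"  # no check recorded within the allowed lag
    if kind in INTERVAL_TYPES:
        # Both columns hold a search-interval end, so equal values mean the
        # latest successful check also triggered an action.
        return "fired" if fired == executed else "quiet"
    # Filter alert: "Last triggered" is the latest @ingesttimestamp of the
    # triggering events, so compare it with the lag window instead.
    return "fired" if fired is not None and now - fired <= max_lag else "quiet"

def audit(rows, now, max_lag):
    """Map each trigger name to its classification."""
    return {r["name"]: classify(r, now, max_lag) for r in rows}

# Constructed sample rows; key names are assumptions, not a LogScale export format.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

def ago(**kw):
    return NOW - timedelta(**kw)

SAMPLE = [
    {"name": "failed-logins", "type": "Aggregate alert", "status": "Error",
     "last_executed": ago(hours=6), "last_triggered": ago(days=2)},
    {"name": "hourly-sweep", "type": "Scheduled search", "status": "Okay",
     "last_executed": ago(minutes=10), "last_triggered": ago(minutes=10)},
    {"name": "new-admin", "type": "Filter alert", "status": "Okay",
     "last_executed": ago(minutes=1), "last_triggered": None},
    {"name": "old-rule", "type": "Legacy alert", "status": "Okay",
     "last_executed": None, "last_triggered": ago(hours=3)},
    {"name": "paused", "type": "Filter alert", "status": "Disabled",
     "last_executed": ago(days=9), "last_triggered": None},
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE, NOW, timedelta(hours=1)).items():
        print(f"{name:15} {verdict}")
```

A `stalled` verdict on an Aggregate alert or Scheduled search is the cue to check the error pages referenced above, since an empty result alone would still have advanced Last executed.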