Sending Events that Produced Aggregate Results to Actions
Security Requirements and Controls: Change triggers and actions permission
Note: This functionality is only available for Standard Alerts.
The list of events that matched an aggregate query can be sent to Actions as a supplement to the aggregate result, for cases where some of the underlying events are needed as well. This is done in the query itself and is supported for many alert queries.
Suppose you have an alert on an error count being too high, based on a query like this:
loglevel = ERROR
| count()
| _count > 100
This query produces a single event with the single field _count set to the count computed by the alert query.
To visualize just a portion of the counted events, use the tail() function:
loglevel = ERROR
| [count(), tail(5)]
| _count > 100
In this example, the alert query outputs the count together with the last 5 individual events.
You may also want to return only some fields in the aggregated result; to do so, add a select() function to your query:
loglevel = ERROR
| [count(), tail(5)]
| _count > 100
| select([class,behindSec,_count])
The example query above returns only the class, behindSec and _count fields instead of the entire individual events.
The same approach works when grouping errors by server:
loglevel = ERROR | groupBy(server, function=count()) | _count > 100
As in the previous example, it can be rewritten to include the last 5 events for each server:
loglevel = ERROR | groupBy(server, function=[count(), tail(5)]) | _count > 100
To send the counted events out as a supplement — say via an Email action — use the message templates available for the action you are creating.
You may use the message template {field:FIELD_NAME} to get the count, and one of the templates that produces all events, like {events_str}, {events} or {events_html}, to get the events out.
In our example, configure your Email action with {field:$_count} based on {events_html} to get both the actual count and the events out.
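As an added example that is not part of this page or the product's own code, the following Python script models what the groupBy(server, function=[count(), tail(5)]) | _count > 100 query yields on constructed sample events, and then renders the {field:$_count} based on {events_html} template from above. The field names, the sample events and the template substitution rules (including ignoring the leading $ in {field:$_count}) are assumptions, not the platform's actual renderer.

```python
"""Model of 'groupBy(server, function=[count(), tail(5)]) | _count > 100'
over constructed events, rendered through an action message template.
Template semantics are an assumption, not the product's renderer."""
import html
import json
import re
from collections import defaultdict

# Constructed sample data: 120 ERROR events on web-1, 3 on web-2.
EVENTS = [{"@timestamp": 1000 + i, "loglevel": "ERROR", "server": "web-1",
           "class": "OrderService", "behindSec": i % 7} for i in range(120)]
EVENTS += [{"@timestamp": 5000 + i, "loglevel": "ERROR", "server": "web-2",
            "class": "Cache", "behindSec": 0} for i in range(3)]


def aggregate(events, threshold=100, keep_last=5):
    """Group ERROR events by server, count them, keep the last keep_last
    events per group (tail), and drop groups at or below the threshold."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("loglevel") == "ERROR":
            groups[ev["server"]].append(ev)
    rows = []
    for server, evs in groups.items():
        evs.sort(key=lambda e: e["@timestamp"])
        if len(evs) > threshold:
            # One result row per server; the tailed events ride along
            rows.append({"server": server, "_count": len(evs),
                         "events": evs[-keep_last:]})
    return rows


def render(template, row):
    """Substitute {field:NAME}, {events}, {events_str} and {events_html}.
    A leading '$' in NAME is ignored so {field:$_count} resolves to
    row['_count'] (assumed template syntax)."""
    def field(m):
        return str(row.get(m.group(1).lstrip("$"), ""))
    events = row.get("events", [])
    table = "<table>" + "".join(
        "<tr>" + "".join("<td>%s</td>" % html.escape(str(v)) for v in e.values())
        + "</tr>" for e in events) + "</table>"
    out = re.sub(r"\{field:([^}]+)\}", field, template)
    out = out.replace("{events}", json.dumps(events))
    out = out.replace("{events_str}", "\n".join(json.dumps(e) for e in events))
    return out.replace("{events_html}", table)


def alert_messages(events=EVENTS):
    """Return one rendered message per row the alert query produced."""
    return [render("{field:$_count} based on {events_html}", r)
            for r in aggregate(events)]
```

Only web-1 exceeds the threshold, so a single message is produced, carrying the count 120 and an HTML table of the five most recent events.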