Standard alerts work by returning the results from an aggregate query; when the query returns an aggregate result with one or more rows, the alert is triggered. Standard alerts have the following attributes and behaviour:
Standard alerts execute a live query and return its results, which serve as the content (and data) of the alert.
An alert is triggered only when the query returns one or more results; in other words, it is triggered against the result set of the aggregate query, not against the individual events that went into it.
If you want the alert to output the events that went into the query result, see Sending Aggregate Results to Actions.
All the values within the result set from the query are available when triggering an action.
Standard alerts can be throttled to prevent the query from triggering a configured action too frequently. See Setting Alert Throttle Period.
The environment variable ENABLE_ALERTS must be set to true on every host in the cluster.
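To make the behaviour above concrete, here is an added Python model of a standard alert's evaluation loop. It is an illustration written for this page, not code from the product: the aggregate query is simulated over constructed sample events (the query text in the comment is only an illustrative counting query), the action is a stand-in that formats one line per result row, and the alert name, field names and throttle period are assumed values. It shows the three documented rules: no rows means no trigger, every value of every result row is available to the action, and a repeat trigger inside the throttle period is suppressed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events, standing in for the events a live query would read.
SAMPLE_EVENTS = [
    {"user": "alice", "status": "fail"},
    {"user": "bob",   "status": "fail"},
    {"user": "bob",   "status": "fail"},
    {"user": "carol", "status": "success"},
    {"user": "bob",   "status": "fail"},
    {"user": "carol", "status": "fail"},
]


def failed_logins_by_user(events, min_failures=3):
    """Stand-in for an aggregate query along the lines of
         status=fail | groupBy(user, function=count()) | _count >= 3
    (illustrative query text). Returns one result row per user at or above
    the threshold; an empty list means the alert must not trigger."""
    counts = Counter(e["user"] for e in events if e.get("status") == "fail")
    return [{"user": user, "_count": n}
            for user, n in sorted(counts.items()) if n >= min_failures]


def notify(alert_name, rows):
    """Stand-in action: every field of every result row is available here."""
    return [f"[{alert_name}] user={r['user']} failures={r['_count']}" for r in rows]


class StandardAlert:
    """Models the documented behaviour: trigger only when the aggregate query
    returns one or more rows, hand all row values to the action, and suppress
    repeat triggers inside the throttle period."""

    def __init__(self, name, query, action, throttle_period):
        self.name = name
        self.query = query
        self.action = action
        self.throttle_period = throttle_period
        self.last_triggered = None

    def evaluate(self, events, now):
        rows = self.query(events)
        if not rows:
            return None  # zero rows: nothing to alert on
        if (self.last_triggered is not None
                and now - self.last_triggered < self.throttle_period):
            return None  # rows exist, but the throttle suppresses the action
        self.last_triggered = now
        return self.action(self.name, rows)


def run_demo():
    """Evaluate the same result set three times: fire, throttled, fire again."""
    alert = StandardAlert("failed-login-threshold", failed_logins_by_user, notify,
                          throttle_period=timedelta(minutes=15))  # assumed period
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    first = alert.evaluate(SAMPLE_EVENTS, t0)                         # fires
    second = alert.evaluate(SAMPLE_EVENTS, t0 + timedelta(minutes=5))  # throttled
    third = alert.evaluate(SAMPLE_EVENTS, t0 + timedelta(minutes=20))  # fires again
    return first, second, third


if __name__ == "__main__":
    for label, result in zip(("first", "second", "third"), run_demo()):
        print(label, result)
```

The second evaluation returns nothing even though the query still has a row, which is exactly the throttle at work; raising min_failures until the query returns no rows shows the other side, where the alert never triggers regardless of the throttle state.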