Automation & Alerts
Automating searches and responses; creating alerts and notifications for events
LogScale allows you to automate query running and get notified when certain events occur. This can be done thanks to the following functionalities.
You can create alerts that execute queries and trigger actions. Alerts are live queries; these are queries that are continually run and that trigger an action when the query returns results.
Alerts are triggered as data is being ingested into LogScale, and trigger the action response as soon as one or more events matches the query on the incoming data. Using alerts allows for notification when a query matches the configured search. This can be used, for example, to notify of excessive network connections, or when a specific error is identified in an ingested log file, based on the query that is executed by the alert.
Alerts trigger one or more Actions when a matching event is identified in the query during ingest. For more information on alerts, including how to create, manage, and monitor alert execution, see Alerts.
Alerts can be configured to execute a trigger on a matching event, and throttle the action trigger if the multiple events match within a specified time window.
Alerts should not be used for processing historical information, as the queries are executed on incoming data. For regular querying of existing or historical data, use a Scheduled Searches.
Scheduled Searches are queries on a regular interval on previously ingested and stored data. When the scheduled search returns results, one or more Actions are triggered. Unlike Alerts, scheduled searches are only run according to the configure schedule which can be set on an interval from 1 minute to years. See Scheduled Searches for more information.
Scheduled searches should not be used for queries where an instant action or notification is required. The live queries performed by Alerts are more efficient for regular notification.
Scheduled searches are ideal for regularly reporting on historical data for auditing or monitoring purposes.
When an alert or scheduled search is triggered, it initiates an action, which could include sending someone a message about a problem on the servers, logging it to another system, or performing some other action. See Actions for more information.
When choosing whether to use a Scheduled Search or an Alert, consider where the data is coming from and how quickly you want be notified of a to perform your query. Some examples of different query types and which automation to use are detailed in the table “Comparing Alerts and Scheduled Searches”.
Table: Comparing Alerts and Scheduled Searches
|Instant notification of matching events
|Active Searches while ingesting events