Creating Alerts
Security Requirements and Controls
Change triggers and actionspermission
Alerts are constructed using queries and associated with one or more actions that will be triggered when the query runs. When typing a query to create an alert, the type of alert is automatically selected for you. This will adjust which configuration operations are available. They are summarized in the table below.
| Configuration | Aggregate Alert | Filter Alert | Legacy Alert |
|---|---|---|---|
| General Parameters | Configurable in the General section of the Alert Properties. | Creating an Alert, General section | Creating an Alert, General section |
| Query |
Yes, using aggregates except bucket(),
timeChart() start(),
end(), now(), and
Join Query Functions
| Yes, aggregates and joins are not supported |
Yes, using aggregates except bucket() and
Join Query Functions
|
| Actions | Yes, see Actions | Yes, see Actions | Yes, see Actions |
| Throttling | Yes, seeSetting Alert Throttle Period | Yes, seeSetting Alert Throttle Period | Yes, seeSetting Alert Throttle Period |
| Action Retries | Yes, for a single action; when multiple actions are configured, no retry is performed if at least one action is successfully invoked. | Yes, for a single action; when multiple actions are configured, no retry is performed if at least one action is successfully invoked. | Yes, for a single action; when multiple actions are configured, no retry is performed if at least one action is successfully invoked. |
Creating an Alert from the Alerts Overview
Go to the tab on the top bar of the User Interface and select from the menu on the left, the full list of available alerts appears in the
Alertsoverview page:
Figure 189. Alerts Overview
The table lists the currently configured alerts for the selected repository or view, with information such as the alert name, type, the status of the action attached to the alert, etc. Use this page for filtering and managing alerts.
Click on the top right and the
Searchpage is displayed in Creating new alert mode — it is streamlined to only include the relevant and buttons.
Figure 190. Simplified Search page
Type a query for your alert and click
Fill in the Details side panel on the right, as depicted in Figure 192, “New Alert Details”.
Click the button on top: the new alert is now displayed in the alerts' overview, see Figure 189, “Alerts Overview”.
Creating an Alert from a Query
A query that's just been typed in
Search can be converted to a new alert:
Go to the tab on the top bar of the User Interface.
Type the query you need for your alert and click .
Click near the top-right and choose the option. The menu is disabled if the query is invalid for the alert you're trying to save.
Figure 191. Save a Query as Alert
Fill in the Details side panel as required:
Figure 192. New Alert Details
For the full list of alert properties that can be set from the side panel, see Alert Properties.
Pay special attention in selecting the right Alert type: a recommended alert type is suggested based on the query. For example, if the query contains an aggregate function, you can see that the type is selected in the side panel. Options are:
for filtering functions
for aggregate queries without explicit bucketing
for the few queries that cannot be used with the other two types, or for pre-existing alert queries. For information on the different alert types, see Alerts.
Note
If the recommended alert type is ignored and another type is selected, the query editor will show a notification that the query is forbidden for that alert type.
Click to complete the alert creation: the new alert is now displayed in the alerts' overview, see Figure 189, “Alerts Overview”.