Create triggers

Security Requirements and Controls

Create triggers permission

Triggers are constructed using queries and associated with one or more actions that will be triggered when the query runs. When creating a trigger, the type of trigger is suggested for you based upon the query. This adjusts which configuration options are available.

Create a trigger from the Triggers overview

Go to the Repository and Views page.
Select a Repository or View.
Go to Automation and select Triggers. The full list of available triggers appears in the Triggers overview page:
Figure 193. Triggers Overview
Click + New trigger to display the Search page in Creating new trigger mode.
Figure 194. Simplified Search page
Note
It is possible to create new triggers by importing them from a template or package. Click Import from in the ⋮ menu on +New trigger.
- Choose Template, then browse for or drag and drop a template based on an existing trigger.
- Choose Package to invoke templates that are part of a LogScale library package.
Type a query for your trigger and click Run.
Fill in the Details panel, as depicted in Figure 196, “New trigger details”.
For the full list of trigger properties that can be set from the side panel, see Trigger properties.
Click Save to display the new trigger in the Triggers overview, see Figure 193, “Triggers Overview”.

Create a trigger from the search page

A query that has been typed in Search can be converted to a new alert:

Go to the Search tab.
Type the query you need for your trigger and click Run.
Click Save and choose the Trigger option.
Figure 195. Save a query as trigger
Fill in the Details panel as required:
Figure 196. New trigger details

For the full list of trigger properties that can be set from the side panel, see Trigger properties.
Select the Query type. If you select Live, be sure to select the correct Alert type. A recommended alert type is suggested based on the query. For example, if the query contains an aggregate function, you can see that the Aggregate type is recommended in the side panel. Options are:
- Filter for filter queries
- Aggregate for aggregate queries without explicit bucketing
- Scheduled search for scheduled searches that run at fixed times
- Legacy are not recommended. For information about recommended alternatives to Legacy alerts, see What trigger type to choose. In case one of the other alert types does not fit your needs, use a scheduled search.
Note
If the recommended alert type is ignored and another type is selected, the query editor shows a notification that the query is forbidden for that alert type if the query is not valid for the alert type.
Click Save trigger to complete the trigger creation: the new trigger is now displayed in the Triggers overview, see Figure 193, “Triggers Overview”.