Creating Alerts

Security Requirements and Controls
  • Change triggers and actions permission

Alerts are constructed from a query and associated with one or more actions that are triggered when the query returns results. When creating an alert you must select the alert type, which determines the configuration options available, as summarized in this table:

Configuration: General parameters
  Standard Alert: see Creating an Alert, General section
  Filter Alert: see Creating an Alert, General section

Configuration: Query
  Standard Alert: Yes, aggregates and joins are supported
  Filter Alert: Yes, but aggregates and joins are not supported

Configuration: Actions
  Standard Alert: Yes
  Filter Alert: Yes

Configuration: Throttling
  Standard Alert: Yes, see Setting Alert Throttle Period
  Filter Alert: Not supported

Configuration: Action retries
  Standard Alert: Yes, for a single action; when multiple actions are configured, no retry is performed if at least one action is successfully invoked
  Filter Alert: Yes, for a single action; when multiple actions are configured, no retry is performed if at least one action is successfully invoked

To create a new alert:

  1. Go to the Repository and Views page.

  2. Select a Repository or View.

  3. Click the Alerts tab on the top bar of the user interface and select Alerts from the menu on the left: the full list of available alerts appears. Alerts can have labels attached to them, displayed next to the alert name; labels are a useful way to tag alerts with meaningful metadata and to locate all alerts carrying a given tag.


    Figure 169. Creating Alert from Tab

  4. Click + New Alert

  5. The New alert form appears. Click Import from in the top right if you want to create the alert from an existing definition:

    • From template: browse for, or drag and drop, a template exported from an existing alert

    • From package: select an alert template that is part of an installed LogScale package

  6. Fill in the form with the information required:


    Figure 170. Creating an Alert

    • General

      • Select the Alert type:

        • A Standard alert is triggered by the results of a query and supports aggregate query results

        • A Filter alert is triggered by a single event.

        For more information on the differences, see Alerts

      • You may change the Name and enter a Description stating more specifically what causes the alert to trigger.

      • You can categorize alerts using Labels. Existing labels are presented as a list of checkboxes, or you can enter a new label and create and select it. These can be used within the UI to filter alerts. See Managing Alerts for more information.

      • New alerts are enabled automatically. To change this, clear the Alert enabled checkbox. Disabled alerts neither execute their query nor trigger actions.

      • You can use the Run on behalf of field to run the alert on behalf of another user, i.e. with that user's permissions; click this field to get a list of available names to pick from, or enter the name of the user you want to run the alert as. You can see and edit this field only if you have the ChangeTriggersToRunAsOtherUsers permission, the ManageOrganizations permission, or root system permissions. Because the query then runs with the selected user's data access and the actions fire with their permissions, choose a user that has no more access than the alert needs.

    • Query — Type the query that generates the alert. In the example query shown in Figure 170, “Creating an Alert” we're searching for events in which the web server recorded a log level equal to ERROR.

    • Actions — you may want to add an action for LogScale to take when the alert is triggered, if you have one that's suitable for this alert.

      In Filter Alerts, the Trigger limit per minute field lets you cap, from the UI, the number of times per minute the alert triggers.

      See Actions for more information.

      An alert is not executed until at least one action is configured.

      To delete an existing action, click the - next to it.

    • Throttling: sets how often an alert is allowed to trigger. For more information on configuring throttling, see Setting Alert Throttle Period.

      Throttling is only available for Standard Alerts.

  7. When you're done setting the properties for the new alert, click Create alert.
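The two alert types behave differently once they are running, and the difference matters when deciding which one to create and how to set the throttle period or trigger limit. The following Python simulation is an added illustration written for this page, not LogScale's alert engine: it replays a constructed stream of web-server events (timestamp in seconds, log level) through a Standard alert that evaluates a count() aggregate over a search window on a fixed schedule and honours a throttle period, and through a Filter alert that triggers per matching event subject to a trigger limit per minute. The run interval, window, the assumption that excess filter-alert triggers are dropped, and all names are this example's own assumptions.

```python
"""Simulate Standard and Filter alert triggering over a constructed event stream.

Added illustration for this page; not LogScale's implementation. Standard
alerts fire on (aggregate) query results and honour a throttle period; Filter
alerts fire once per matching event, capped by a trigger limit per minute.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Tuple[int, str]  # (timestamp in seconds, loglevel) - constructed format

# Constructed sample events standing in for web-server log lines.
SAMPLE_EVENTS: List[Event] = [
    (0, "INFO"), (5, "ERROR"), (7, "ERROR"), (30, "ERROR"),
    (65, "INFO"), (70, "ERROR"), (130, "ERROR"), (131, "ERROR"),
    (200, "ERROR"),
]


def is_error(event: Event) -> bool:
    """Stand-in for the page's example query: loglevel equal to ERROR."""
    return event[1] == "ERROR"


@dataclass
class RunResult:
    run_at: int     # when the scheduled query run happened
    count: int      # count() aggregate over the search window
    fired: bool     # whether the actions were triggered on this run


def standard_alert(events: List[Event], query: Callable[[Event], bool] = is_error,
                   window_s: int = 60, interval_s: int = 60,
                   throttle_s: int = 120, min_count: int = 1) -> List[RunResult]:
    """Standard alert simulation (assumed schedule: every interval_s seconds).

    Each run evaluates count() over events in (run_at - window_s, run_at].
    A result of at least min_count triggers the actions unless the alert
    already triggered less than throttle_s seconds ago (the throttle period).
    """
    results: List[RunResult] = []
    last_fire = None
    end = max(ts for ts, _ in events)
    run_at = interval_s
    while run_at <= end + interval_s:
        count = sum(1 for ev in events
                    if run_at - window_s < ev[0] <= run_at and query(ev))
        hit = count >= min_count
        throttled = last_fire is not None and run_at - last_fire < throttle_s
        fired = hit and not throttled
        if fired:
            last_fire = run_at
        results.append(RunResult(run_at, count, fired))
        run_at += interval_s
    return results


def filter_alert(events: List[Event], query: Callable[[Event], bool] = is_error,
                 trigger_limit_per_minute: int = 2) -> Tuple[List[int], List[int]]:
    """Filter alert simulation: every matching event triggers on its own.

    At most trigger_limit_per_minute triggers are sent per wall-clock minute;
    in this simulation further matching events in that minute are dropped
    (an assumption of the example) and returned as the second list.
    """
    fired: List[int] = []
    dropped: List[int] = []
    per_minute: Dict[int, int] = {}
    for ev in events:
        if not query(ev):
            continue
        minute = ev[0] // 60
        if per_minute.get(minute, 0) < trigger_limit_per_minute:
            per_minute[minute] = per_minute.get(minute, 0) + 1
            fired.append(ev[0])
        else:
            dropped.append(ev[0])
    return fired, dropped


if __name__ == "__main__":
    for r in standard_alert(SAMPLE_EVENTS):
        state = "FIRED" if r.fired else ("throttled" if r.count else "no results")
        print(f"standard alert run at t={r.run_at:>3}s: count()={r.count} -> {state}")
    fired, dropped = filter_alert(SAMPLE_EVENTS)
    print(f"filter alert fired at t={fired}s, dropped by trigger limit: t={dropped}s")
```

With these settings the Standard alert fires on the runs at 60 s and 180 s and is throttled at 120 s and 240 s even though ERROR events are present, so a long throttle period trades notification volume for a blind spot; the Filter alert fires on six of the seven ERROR events and drops the third one in the first minute once the limit of two is reached. When you size the throttle period or trigger limit, decide which of those two losses is acceptable for the alert's purpose.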