Aggregate alert errors and solutions
The following table contains errors and resolutions for aggregate alerts.
Table: Aggregate alert errors and solutions
| Message | Severity | Description | Solution |
|---|---|---|---|
| Problem invoking action. If all actions fail, they will be retried | Error | There was a problem invoking the alert's actions and all actions failed. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the invoked actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. |
| Starting alert query did not finish in time. It will be retried in the next run | Error | The alert query did not finish in time and will be automatically retried in the next run. | If the error persists after retry, contact LogScale Support for assistance if needed. |
| Polling alert query resulted in an error | Error | The alert query produced an error. This can be due to many different reasons. |
Look at the message in the exceptionMessage and
consult documentation based upon that for possible solutions.
|
| Starting alert query resulted in an error | Error | The query returned an error when starting. This is usually because of an error in the query. |
Look at the message in the exceptionMessage
field and consult documentation based upon that for possible
solutions. Contact LogScale
Support for assistance if needed.
|
| Alert query took too long to start and the result are now too old. LogScale will stop the live query and start running historic queries to catch up. | Error | The alert query took too long to start, meaning that the results are now too old. The system will stop live queries and start running historic queries to catch up. | Edit the query, if possible, so it does not take too long to run. For information about editing queries, see Editing Alerts. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. |
| Running a historic query to catch up took too long and the result is now outside the retry limit. LogScale will skip this data and start a query for events within the retry limit. | Error | The historic query to catch up took too long to run and has reached the retry limit. The system will skip the data and start running a query for events within the retry limit. | Edit the query, if possible, so it does not take too long to run. For information about editing queries, see Editing Alerts. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. |
| The alert is broken and will not run | Error | The alert configuration prevents the alert from running. | Edit the alert, check all fields and queries, and save it again. For more information about how to do this, see Editing Alerts. |
| Could not start alert query since it is blocked | Error | The alert query cannot run since it is blocked. | Either rewrite the alert query so it is no longer blocked, or check with the system administrator and remove the query from the blocklist. If using LogScale Cloud, this error can occur if the cluster is in a maintenance window. |
| Alert is too far behind. Will skip results that are older than $catchUpLimit | Error |
Data older than X hours based on the configured value in the
AGGREGATE_ALERTS_MAX_CATCH_UP_LIMIT parameter will
not be considered in alert results.
| Look at other logs from the alert to see if there are any errors or warnings, or check whether there are other problems with LogScale. |
| Alert query took too long to start and the result are now too old. LogScale will stop the live query and start running historic queries to catch up. | Error | The alert query took too long to run, meaning that the results are now too old. The system will stop live queries and start running historic queries to catch up. | Edit the query, if possible, so it does not take too long to run. For information about editing queries, see Editing Alerts. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. |
| The alert is broken | Error | The alert configuration prevents the alert from running. | Edit the alert, check all fields and queries, and save it again. For more information about how to do this, see Editing Alerts. |
| The alert is not assigned to run on any node | Error | The alert is not assigned to run on any nodes. Alerts are distrubted evenly among the nodes in a cluster, so that each one runs on a single node. Reassignment of nodes on which alerts run occurs automatically when new cluster nodes are added or old cluster nodes are removed. | If the alert does not run on another node after 15 minutes, contact LogScale Support. |
| Problem invoking actions. The alert is not considered to have triggered and will not be throttled | Error | There was a problem triggering the alert's actions. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that does not exist anymore. Change the alert to run as a different user or on behalf of the organization. | Error | The user attempting to execute the query no longer exists in the system. | Save the alert as a user that exists in the system, or change the alert to run on behalf of the organization. For more information about how to do this, see Editing Alerts. |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that no longer has read permission on the view. Grant the user permission again, or change the alert to run as a different user or on behalf of the organization. | Error | The configured user no longer has read access to the view or repository. | grant the user read permissions on the repository or view that the alert is running in, or save the alert with a user that has such permissions or to run on behalf of an organization. |
| Polling alert query resulted in warnings that are treated as errors. The alert will not trigger if the result contains events | Error | Polling alert query resulted in warnings that are treated as errors. The alert will not trigger if the result contains events. | In this case, you must look at the specific messages in the errors field and fix them, if possible. |
| Alert has changed, restarting query | Info | The alert query was edited while running, so the query will restart automatically. | None. This message is informational. |
| Alert found results, but no actions were invoked since the alert is throttled | Info | The alert found results, but no actions were invoked since the alert is throttled. | None. This message is informational. |
| Alert found no results and will not trigger | Info | The alert query, as configured, found no events that matched its requirements and no actions will trigger. | None. This message is informational. |
| Polling alert query resulted in a potentially incomplete result due to ingest delay. Skipping since the alert is configured to wait for complete results | Info | The alert query produced results but these may be incomplete since ingest was delayed. The alert will be skipped because the results were incmplete. | None. This message is informational. If you want the alert to trigger anyway, despite incomplete results, update the trigger mode of the alert. |
| Alert query polled | Info | The alert query ran. | None. This message is informational. |
| Query started | Info | The query started successfully. | None. This message is informational. |
| The alert was deleted | Info | The alert was deleted and will not run. | It is not possible to recover a deleted alert. If you want it to run, you must create the alert again. |
| The organization of the alert was deleted | Info | The organization for which the alert was created has been deleted. | Recreate the alert for another organization. |
| The view of the alert was deleted | Info | The view with which the alert was associated has been deleted and the job cannot run. | Add the alert to another view. |
| The alert was disabled | Info | The alert was disabled and cannot run. | If you want the alert to run, enable it again. For more information about how to do this, see Editing Alerts. |
| License has expired | Info | The license has expired and must be renewed to continue. | Contact LogScale Support for assistance. |
| The alert has no associated actions | Info | The alert has no associated actions. Because a successful alert must trigger at least one action, the alert is stopped. | Edit the alert to add actions and save it. For more information about how to do this, see Editing Alerts. |
| The organization is being transferred | Info | The organization is being transferred to a new cluster, and alerts are stopped during the transfer process. | If not resolved after 15 minutes, contact Logscale Support for more information. |
| The alert was assigned to run on node $vhost | Info | The alert was assigned to run on a another node in the cluster. | None. This message is informational. |
| The view is not connected to any repository | Info | The alert contains a view that is not connected to any repository. | Edit the view to connect it to a repository, or edit the alert to use another view that is connected to a repository. |
| Alert triggering | Info | The alert is triggering actions. | None. This message is informational. |
| Alert triggered and invoked at least one action and will be throttled | Info | The alert triggered and invoked at least one action and will be throttled. This indicates a successful alert. | None. This message is informational. |
| Starting alert query in previous run has not finished. The alert will not be polled in this run | Warning | The alert query starting did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the alert, wait one minute, and enable the alert. NOTE: If you do this you may lose results. |
| Starting the alert query has not finished. The alert will not be polled in this run | Warning | Query is submitted but has not finished initial loading. | None. This message is informational. |
| Historic query to catch up has not finished. The alert will not be polled in this run | Warning | The running of an history query to catch up did not finish so the alert will not be polled in the run. | None. This message is informational. |
| The cluster has restarted and is not yet ready. The alert will not be polled in this run | Warning | Because the cluster has restarted, the alert cannot yet run. | None. This message is informational. If the issue continues after 15 minutes, contact LogScale Support. |
| Starting the alert query has not finished. The alert will not be polled in this run | Warning | Query is submitted but has not finished initial loading. | None. This message is informational. |
| Discarding values for field-based throttling. The alert might trigger again before the throttle period expires | Warning |
Maximum amount of field values for throttling has been reached.
Once exceeded, the older values are discarded and can produce
alerts again even though they are within the throttling period.
The values for field-based throttling are set in the following
field based on the alert type:
ALERT_MAX_THROTTLE_FIELD_VALUES_STORED. For more
information about field-based throttling, see
Field-Based Throttling.
| If possible, use a field that produces a smaller amount of different values. |
| Unknown action | Warning | The alert contains an unknown action. | Edit the alert, remove the action, and add a different action. |
| Polling encountered a cancelled query | Warning | The query was cancelled before execution could complete. | The cancelled query will be restarted automatically. If the problem persists, contact the system administrator. |
| Polling alert query resulted in a potentially incomplete result due to query warnings. Skipping since the alert is configured to wait for complete results | Warning | The alert query produced results but these may be incomplete since a query warning was skpped. The alert will be skipped because the results were incmplete. | None. This message is informational. If you want the alert to trigger anyway, despite incomplete results, update the trigger mode of the alert. |
| Polling alert query in previous run has not finished. The alert will not be polled in this run | Warning | The alert query did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the alert, wait one minute, and enable the alert. NOTE: If you do this you may lose results. |
| Some of the actions invoked by the alert in the previous alerts loop have not finished and none have finished successfully. The alert will not be polled in this loop | Warning | To be successful, an alert must have at least one successful action. This error indicates that some of the actions in the alert have not finished and none have finished successfully. Therefore, the alert has no successful actions. | This warning can self-resolve. If the issue persists, contact the system administrator or LogScale Support. |
| There has been a query warning that some events are unavailable for more than ${limit}. These events will now be skipped | Warning | Some events have been unavailable for more that the configured amount of time for the cluster. If there were events that may have produced results, these events were skipped during query execution. | Look at the query warning. Run query manually, if needed. Check cluster performance. |
| Polling alert query while catching up on old data resulted in warnings about missing data. The alert query will be retried for a while | Warning | Polling alert query or scheduled search query resulted in warnings about missing data. The files with the data might be unavailable or the query might not be able to run at the time of execution. The alert query will be retried automatically. | None. This message is informational. The query will be retried automatically. |
| The query result is currently incomplete. The alert will not be polled in this run | Warning | The alert query took too long to run, meaning that the results are now too old. The system will stop live queries and start running historic queries to catch up. | Edit the query, if possible, so it does not take too long to run. For information about editing queries, see Editing Alerts. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. |
| Alert is behind. Will stop live query and start running historic queries to catch up | Warning | The alert execution is behind. The system will stop live queries and start running historic queries to catch up. |
None. This message is informational. If the
isLiveQuery field never reverts to true, contact
the system administrator.
|