Errors & Warnings
In case of errors occuring when managing alerts, you will be notified with some warnings. These can be:
Errors when running an alert will be logged and also set on the alert as a warning, so that they can be seen on the properties' overview page.
Errors in alerts with multiple Actions attached. If some of the actions fail to run, this will be logged, but no error will be set on the alert. The alert will be considered to have fired, and will be throttled as normal. It will only be considered an error if all actions fail.
Transient errors. Many warnings might appear on alert queries at start up, but they will disappear after a while — for instance, they indicate that LogScale is trying to catch up on ingested data; because of this, the default behavior is to not fire an alert if there are warnings from the alert query and instead wait for the warning to go away.
Errors that require some user interaction, for instance a warning on too many groups in a
groupBy()function invocation in the alert query.Errors due to the alert query only returning partial results, which may trigger the alert when it should not have been triggered, or make the alert only return some of the events it would otherwise have returned.
Warnings aimed at discouraging queries that include a live
join()function in alerts. For more information, see Warnings when Using Live join() Functions here below.
Warnings when Using Live join() Functions
There is a known limitation about live queries that use
join() functions — the details are
explained at
Limitations of Live Joins. The
limitation means that alerts cannot be expected to work in combination
with these particular query functions.
You should be aware of this when you intend to create an alert with
join() functions, as the alert may not trigger as
expected.
The User Interface warns you about this behaviour before you save the alert:
Figure 200. Warning Using Live join()
In such cases, creating a scheduled search instead would better achieve the expected result.