humio/activity Dashboards

Alert Details

The Alert Details dashboard provides comprehensive alert monitoring capabilities through detailed status and performance visualizations. This dashboard enables real-time tracking of alert health, analysis of trigger patterns, and investigation of alert problems across the monitoring environment.
Alerts Overview

The Alerts Overview dashboard presents a consolidated view of alert health and performance through multi-dimensional monitoring visualizations. This dashboard enables tracking of alert problems across repositories, monitoring of trigger patterns, and analysis of lagging alerts across the alert management framework.
FDR Ingest Status

The FDR Ingest Status dashboard provides real-time monitoring of data replication feeds through comprehensive problem tracking visualizations. This dashboard enables identification of feed issues by repository, analysis of SQS message retry status, and monitoring of feed health across the ingestion environment.
Filter Alert Details

The Filter Alert Details dashboard presents detailed filter alert performance metrics through status and timing visualizations. This dashboard enables monitoring of historic query catch-up status, tracking of successful trigger patterns, and analysis of alert problems across filter configurations.
Filter Alerts Overview

The Filter Alerts Overview dashboard provides comprehensive monitoring of filter alert operations through multi-repository status visualizations. This dashboard enables tracking of action invocation errors, analysis of user permission issues, and monitoring of query performance across the filtering framework.
Legacy Alert Details

The Legacy Alert Details dashboard presents historical alert performance data through temporal status visualizations. This dashboard enables monitoring of alert query restarts, tracking of trigger success rates, and analysis of alert health status across legacy configurations.
Legacy Alerts Overview

The Legacy Alerts Overview dashboard provides comprehensive monitoring of legacy alert systems through multi-dimensional problem tracking visualizations. This dashboard enables analysis of action invocation errors, monitoring of query restart patterns, and tracking of alert triggers across legacy alert implementations.
Scheduled Reports Overview

The Scheduled Reports Overview dashboard presents comprehensive reporting metrics through performance and status visualizations. This dashboard enables monitoring of report generation times, tracking of PDF size limitations, and analysis of scheduling delays across the reporting framework.
Scheduled Search Details

The Scheduled Search Details dashboard provides detailed performance metrics through temporal status visualizations. This dashboard enables monitoring of search execution status, tracking of problem patterns, and analysis of search health across scheduled operations.
Scheduled Searches Overview

The Scheduled Searches Overview dashboard presents comprehensive search operation metrics through multi-dimensional monitoring visualizations. This dashboard enables tracking of execution errors, analysis of user permission issues, and monitoring of search performance across the scheduling framework.

Alert Details

The Alert Details dashboard provides comprehensive alert monitoring capabilities through detailed status and performance visualizations. This dashboard enables real-time tracking of alert health, analysis of trigger patterns, and investigation of alert problems across the monitoring environment.

Widget	Description	Type
Problems	Overview of problems with the alert. Hide Query Show Query logscale #category=~in(values=[Alert,AggregateAlert,FilterAlert]) \| #severity=~in(values=[?severity]) \| dataspace=?repository alertName=?alertName \| groupby(message, function=[tail(1), count(as="No. of times failed")]) \| rename(#severity, as="Severity") \| rename(@timestamp, as="Last failed") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Message", "Severity", "No. of times failed", "Last failed", "Last suggestion", "Last exceptionMessage", "Last warnings", "alertId", "#category"], sortby=[Severity,Message], order=[asc,asc])	`Table`
Current Status	Shows the status of the alert within the last minute. If the alert was successfully polled, it is green. Otherwise, if the alert had a failure, it is red. Otherwise, if the alert had a success, it is green. Otherwise, the alert is grey. Hide Query Show Query logscale #category=~in(values=[Alert,AggregateAlert,FilterAlert]) \| dataspace=?repository alertName=?alertName \| status=* \| message match { "Alert triggered and invoked at least one action and will be throttled" => successfulPoll:="true"; "Alert triggered on event and invoked at least one action" => successfulPoll:="true"; "Alert found results, but no actions were invoked since the alert is throttled" => successfulPoll:="true"; "Alert found no results and will not trigger" => successfulPoll:="true"; * => ; } \| [{status=Failure \| count(as=failureCount)}, {status=Success successfulPoll=true \| count(as=successPollCount)}, {status=Success successfulPoll!=true \| count(as=successCount)}] \| case { test(successPollCount>0) \| aggStatus:="🟢"; test(failureCount>0) \| aggStatus:="🔴"; test(successCount>0) \| aggStatus:="🟢"; \| aggStatus:="⚪"; } \| select(aggStatus)	`Single Value`
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=~in(values=[Alert,AggregateAlert,FilterAlert]) \| dataspace=?repository alertName=?alertName \| message=~in(values=["Alert triggered and invoked at least one action and will be throttled", "Alert triggered on event and invoked at least one action"]) \| timechart(alertName)`	`Time Chart`
Status over Time	Shows the status of the alert over time. Hide Query Show Query logscale #category=~in(values=[Alert,AggregateAlert,FilterAlert]) \| dataspace=?repository alertName=?alertName \| status=* \| message match { "Alert triggered and invoked at least one action and will be throttled" => successfulPoll:="true"; "Alert triggered on event and invoked at least one action" => successfulPoll:="true"; "Alert found results, but no actions were invoked since the alert is throttled" => successfulPoll:="true"; "Alert found no results and will not trigger" => successfulPoll:="true"; * => ; } \| timeChart(span=1m, function={ [ {status=Failure \| count(as=failureCount)}, {status=Success successfulPoll=true \| count(as=successPollCount)}, {status=Success successfulPoll!=true \| count(as=successCount)} ] }) \| case { test(successPollCount>0) \| "Success":=1 \| "Failure":=0 \| "Not Running":=0; test(failureCount>0) \| "Success":=0 \| "Failure":=1 \| "Not Running":=0; test(successCount>0) \| "Success":=1 \| "Failure":=0 \| "Not Running":=0; \| "Success":=0 \| "Failure":=0 \| "Not Running":=1; } \| drop([failureCount, successPollCount, successCount])	`Time Chart`
Lagging Behind over Time	Shows whether the filter or aggregate alert is running historic queries to catch up over time. Note: Legacy alerts do not run historic queries to catch up. Hide Query Show Query logscale `#category=~in(values=[AggregateAlert,FilterAlert]) \| dataspace=?repository alertName=?alertName isLiveQuery=false \| timechart(alertName, limit=50, function=count(), span=10m) \| case { _count>0 \| _count:=1; * \| *; }`	`Time Chart`
Lagging Behind	Whether the filter or aggregate alert is running historic queries to catch up and not reacting to new events in the meantime. Note: Legacy alerts do not run historic queries to catch up. Hide Query Show Query logscale `#category=~in(values=[AggregateAlert,FilterAlert]) \| dataspace=?repository alertName=?alertName isLiveQuery=* \| [{isLiveQuery=true \| count(as=liveCount)}, {isLiveQuery=false \| count(as=historicCount)}] \| case { test(historicCount>0) \| aggStatus:="🔴"; test(liveCount>0) \| aggStatus:="🟢"; * \| aggStatus:="⚪"; } \| select(aggStatus)`	`Single Value`
Problem severity		parameterPanel

Alerts Overview

The Alerts Overview dashboard presents a consolidated view of alert health and performance through multi-dimensional monitoring visualizations. This dashboard enables tracking of alert problems across repositories, monitoring of trigger patterns, and analysis of lagging alerts across the alert management framework.

Widget	Description	Type
Alert problems	Displays a table of alert problems (repository, alert name, last failed, last severity, etc.) Hide Query Show Query logscale #category=~in(values=[?alertTypes]) \| #severity=~in(values=[?severity]) \| subCategory=~in(values=[?subCategory])\| dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename(@timestamp, as="Last failed") \| rename("#severity", as="Last severity") \| rename("message", as="Last message") \| rename("suggestion", as="Last suggestion") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last severity", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Alerts Lagging Behind by Repository/View	This chart displays how many distinct aggregate or filter alerts over time per repository/view are running historic queries to catch up and not reacting to new events in the meantime. Note: Legacy alerts do not run historic queries to catch up. Hide Query Show Query logscale `#category=~in(values=[?alertTypes]) \| dataspace=?{repository=} alertName=?{alertName=} isLiveQuery=false \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Alerts Triggered	Overview of alerts that triggered and successfully invoked at least one action. Hide Query Show Query logscale #category=~in(values=[?alertTypes]) \| dataspace=?{repository=} alertName=?{alertName=} \| message=~in(values=["Alert triggered and invoked at least one action and will be throttled", "Alert triggered on event and invoked at least one action"]) \| groupby([dataspace, alertName], function=[selectLast(["@timestamp", actionIds, alertId]), count(as="No. of times triggered")]) \| rename(@timestamp, as="Last triggered") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionIds", as="Action ids") \| table(["Repository/view", "Alert name", "Action ids", "No. of times triggered", "Last triggered", "alertId"], sortby=["No. of times triggered", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Successful Alert Triggers by Repository/View	This chart displays how many distinct alerts triggered over time per repository or view. Hide Query Show Query logscale `#category=~in(values=[?alertTypes]) \| dataspace=?{repository=} alertName=?{alertName=} \| message=~in(values=["Alert triggered and invoked at least one action and will be throttled", "Alert triggered on event and invoked at least one action"]) \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Alerts Lagging Behind	Overview over aggregate or filter alerts that are running historic queries to catch up and not reacting to new events in the meantime. Note: Legacy alerts do not run historic queries to catch up. Hide Query Show Query logscale `#category=~in(values=[?alertTypes]) \| dataspace=?{repository=} alertName=?{alertName=} isLiveQuery=false \| groupby([dataspace, alertName], function=tail(1)) \| rename(@timestamp, as="Last lagging behind") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| table(["Repository/view", "Alert name", "Last lagging behind", "alertId"], sortby=["Last lagging behind", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)`	`Table`
Alert Problems by Repository/View	This chart displays how many distinct alerts had problems over time per repository or view. Hide Query Show Query logscale `#category=~in(values=[?alertTypes]) \| #severity=~in(values=[?severity]) \| subCategory=~in(values=[?subCategory])\| dataspace=?{repository=} alertName=?{alertName=} \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Problem parameters	Select problem severities and categories to show.	parameterPanel

FDR Ingest Status

The FDR Ingest Status dashboard provides real-time monitoring of data replication feeds through comprehensive problem tracking visualizations. This dashboard enables identification of feed issues by repository, analysis of SQS message retry status, and monitoring of feed health across the ingestion environment.

Widget Description Type

How many distinct FDR feeds had problems per repository.

Hide Query

Show Query

logscale

#category=Fdr | #severity =~ in(values=["Warning", "Error"]) | dataspace=?{repository=*} fdrFeedName=?{fdrFeedName=*}
| timechart(dataspace, limit=50, function=count(field=fdrFeedName, distinct=true))

Time Chart

Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem.

Hide Query

Show Query

logscale

#category=Fdr | #severity =~ in(values=["Warning", "Error"]) | dataspace=?{repository=*} fdrFeedName=?{fdrFeedName=*}
| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")])
| restarts := restarts - 1
| rename(@timestamp, as="Last problem at")
| rename("dataspace", as="Repository")
| rename("fdrFeedName", as="FDR feed name")
| rename("restarts", as="No. of restarts")
| rename("suggestion", as="Last suggestion")
| rename("message", as="Last message")
| rename("exceptionMessage", as="Last exceptionMessage")
| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)

Table

SQS messages that failed and have not yet been successfully retried.

Hide Query

Show Query

logscale

#category=Fdr | dataspace=?{repository=*} fdrFeedName=?{fdrFeedName=*} | message="SQS message ignored because of an error, it will be retried later as long as it stays on the SQS queue" OR message="SQS message ingested and deleted" |
groupBy([dataspace, fdrFeedName, messageId], function=tail(1)) |
message="SQS message ignored because of an error, it will be retried later as long as it stays on the SQS queue" |
groupBy([dataspace, fdrFeedName]) |
rename("dataspace",as="Repository") |
rename("fdrFeedName",as="FDR feed name") |
rename("_count",as="No. of messages") |
table(["Repository", "FDR feed name", "No. of messages"])

Table

Filter Alert Details

The Filter Alert Details dashboard presents detailed filter alert performance metrics through status and timing visualizations. This dashboard enables monitoring of historic query catch-up status, tracking of successful trigger patterns, and analysis of alert problems across filter configurations.

Widget	Description	Type
Lagging Behind over Time	Shows whether the filter alert is running historic queries to catch up over time. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName isLiveQuery=false \| timechart(alertName, limit=50, function=count(), span=10m) \| case { _count>0 \| _count:=1; * \| *; }`	`Time Chart`
Lagging Behind	Whether the filter alert is running historic queries to catch up and not reacting to new events in the meantime. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName isLiveQuery=* \| [{isLiveQuery=true \| count(as=liveCount)}, {isLiveQuery=false \| count(as=historicCount)}] \| case { test(historicCount>0) \| aggStatus:="🔴"; test(liveCount>0) \| aggStatus:="🟢"; * \| aggStatus:="⚪"; } \| select(aggStatus)`	`Single Value`
Warnings	Overview of warnings with the filter alert. Hide Query Show Query logscale #category=FilterAlert #severity=Warning dataspace=?repository alertName=?alertName \| groupby(message, function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Message", "No. of times failed", "Last failed", "Last suggestion", "Last exceptionMessage", "Last warnings", "alertId", "#category"], sortby=Message, order=asc)	`Table`
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName \| message="Alert triggered on event and invoked at least one action" \| timechart(alertName)`	`Time Chart`
Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")]) \| restarts := restarts - 1 \| rename(@timestamp, as="Last problem at") \| rename("dataspace", as="Repository") \| rename("fdrFeedName", as="FDR feed name") \| rename("restarts", as="No. of restarts") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)	`Table`
Current Status	Shows the status of the alert within the last minute. If the alert was successfully polled, it is green. Otherwise, if the alert had a failure, it is red. Otherwise, if the alert had a success, it is green. Otherwise, the alert is grey. Hide Query Show Query logscale #category=FilterAlert dataspace=?repository alertName=?alertName \| status=* \| case { test(message=="Alert triggered on event and invoked at least one action") \| successfulPoll:="true"; test(message=="Alert found results, but no actions were invoked since the alert is throttled") \| successfulPoll:="true"; test(message=="Alert found no results and will not trigger") \| successfulPoll:="true"; * \| ; } \| [{status=Failure \| count(as=failureCount)}, {status=Success successfulPoll=true \| count(as=successPollCount)}, {status=Success successfulPoll!=true \| count(as=successCount)}] \| case { test(successPollCount>0) \| aggStatus:="🟢"; test(failureCount>0) \| aggStatus:="🔴"; test(successCount>0) \| aggStatus:="🟢"; \| aggStatus:="⚪"; } \| select(aggStatus)	`Single Value`
Status over Time	Shows the status of the alert over time. Hide Query Show Query logscale #category=FilterAlert dataspace=?repository alertName=?alertName \| status=* \| case { test(message=="Alert triggered on event and invoked at least one action") \| successfulPoll:="true"; test(message=="Alert found results, but no actions were invoked since the alert is throttled") \| successfulPoll:="true"; test(message=="Alert found no results and will not trigger") \| successfulPoll:="true"; * \| ; } \| timeChart(span=1m, function={ [ {status=Failure \| count(as=failureCount)}, {status=Success successfulPoll=true \| count(as=successPollCount)}, {status=Success successfulPoll!=true \| count(as=successCount)} ] }) \| case { test(successPollCount>0) \| "Success":=1 \| "Failure":=0 \| "Not Running":=0; test(failureCount>0) \| "Success":=0 \| "Failure":=1 \| "Not Running":=0; test(successCount>0) \| "Success":=1 \| "Failure":=0 \| "Not Running":=0; \| "Success":=0 \| "Failure":=0 \| "Not Running":=1; } \| drop([failureCount, successPollCount, successCount])	`Time Chart`

Filter Alerts Overview

The Filter Alerts Overview dashboard provides comprehensive monitoring of filter alert operations through multi-repository status visualizations. This dashboard enables tracking of action invocation errors, analysis of user permission issues, and monitoring of query performance across the filtering framework.

Widget	Description	Type
FDR Ingest Problems by Repository	How many distinct FDR feeds had problems per repository. Hide Query Show Query logscale `#category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| timechart(dataspace, limit=50, function=count(field=fdrFeedName, distinct=true))`	`Time Chart`
Errors due to Action Invocation	Overview of errors with invoking actions when a filter alert triggers. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=Action dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Errors with User	Overview of errors with running filter alerts due to either the user having been deleted or the user not having permissions to run the filter alert. Fix this by either granting the user the missing permissions, change the alert to run as another user, or change the alert to run on behalf of the organization. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=User dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=tail(1)) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("message", as="Message") \| rename("suggestion", as="Suggestion") \| table(["Repository/view", "Alert name", "Last failed", "Message", "Suggestion", "alertId", "#category"], sortby=["Repository/view", "Alert name"], order=[asc,asc], limit=1000)	`Table`
Other Errors	Overview of other errors with running filter alerts than the three lists above. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=Alert dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("message", as="Last message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Action Invocation Warnings	Overview of warnings with invoking actions when a filter alert triggers. Note that if the filter alert has multiple actions attached and at least one succeeds, it is considered to have triggered. Hide Query Show Query logscale #category=FilterAlert #severity="Warning" subCategory=Action dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionName", as="Action name") \| rename("message", as="Last message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "Action name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName \| message="Alert triggered on event and invoked at least one action" \| timechart(alertName)`	`Time Chart`
Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")]) \| restarts := restarts - 1 \| rename(@timestamp, as="Last problem at") \| rename("dataspace", as="Repository") \| rename("fdrFeedName", as="FDR feed name") \| rename("restarts", as="No. of restarts") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)	`Table`
Filter Alerts Lagging Behind by Repository/View	This chart displays how many distinct filter alerts over time per repository/view are running historic queries to catch up and not reacting to new events in the meantime. Hide Query Show Query logscale `#category=FilterAlert isLiveQuery=false dataspace=?{repository=} alertName=?{alertName=} \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Filter Alerts Lagging Behind	Overview over filter alerts that are running historic queries to catch up and not reacting to new events in the meantime. Hide Query Show Query logscale `#category=FilterAlert isLiveQuery=false dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=tail(1)) \| rename(@timestamp, as="Last lagging behind") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| table(["Repository/view", "Alert name", "Last lagging behind", "alertId"], sortby=["Last lagging behind", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)`	`Table`
Filter Alert Warnings by Repository/View	This chart displays how many distinct filter alerts had warnings over time per repository or view. Hide Query Show Query logscale `#category=FilterAlert #severity="Warning" dataspace=?{repository=} alertName=?{alertName=} \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Filter Alerts Triggered	Overview of filter alerts that triggered and successfully invoked at least one action. Hide Query Show Query logscale #category=FilterAlert message="Alert triggered on event and invoked at least one action" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[selectLast(["@timestamp", actionIds, alertId]), count(as="No. of times triggered")]) \| rename(@timestamp, as="Last triggered") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionIds", as="Action ids") \| table(["Repository/view", "Alert name", "Action ids", "No. of times triggered", "Last triggered", "alertId"], sortby=["No. of times triggered", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Query Warnings	Overview of warnings with running the filter alert queries. Hide Query Show Query logscale #category=FilterAlert #severity="Warning" subCategory=Query dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("queryWarning", as="Last query warning") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "Last query warning", "alertId", "#category"], sortby=["No. of times failed", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Errors with Query	Overview of errors with running filter alert queries. This can either be due to an error in the query or due to problems in the cluster causing errors when trying to run the query. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=Query dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`

Legacy Alert Details

The Legacy Alert Details dashboard presents historical alert performance data through temporal status visualizations. This dashboard enables monitoring of alert query restarts, tracking of trigger success rates, and analysis of alert health status across legacy configurations.

Widget	Description	Type
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName \| message="Alert triggered on event and invoked at least one action" \| timechart(alertName)`	`Time Chart`
Alert Query Restarts over Time	Shows how many times the legacy alert query was restarted over time. If this happens more than a few times, it could indicate that the query is getting killed or has another problem. Hide Query Show Query logscale `#category = Alert dataspace=?repository alertName=?alertName \| message="Query started" \| timeChart(alertName, limit=50)`	`Time Chart`
Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")]) \| restarts := restarts - 1 \| rename(@timestamp, as="Last problem at") \| rename("dataspace", as="Repository") \| rename("fdrFeedName", as="FDR feed name") \| rename("restarts", as="No. of restarts") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)	`Table`
Current Status	Shows the status of the alert within the last minute. If the alert was successfully polled, it is green. Otherwise, if the alert had a failure, it is red. Otherwise, if the alert had a success, it is green. Otherwise, the alert is grey. Hide Query Show Query logscale #category=FilterAlert dataspace=?repository alertName=?alertName \| status=* \| case { test(message=="Alert triggered on event and invoked at least one action") \| successfulPoll:="true"; test(message=="Alert found results, but no actions were invoked since the alert is throttled") \| successfulPoll:="true"; test(message=="Alert found no results and will not trigger") \| successfulPoll:="true"; * \| ; } \| [{status=Failure \| count(as=failureCount)}, {status=Success successfulPoll=true \| count(as=successPollCount)}, {status=Success successfulPoll!=true \| count(as=successCount)}] \| case { test(successPollCount>0) \| aggStatus:="🟢"; test(failureCount>0) \| aggStatus:="🔴"; test(successCount>0) \| aggStatus:="🟢"; \| aggStatus:="⚪"; } \| select(aggStatus)	`Single Value`
Status over Time	Shows the status of the alert over time. Hide Query Show Query logscale #category=FilterAlert dataspace=?repository alertName=?alertName \| status=* \| case { test(message=="Alert triggered on event and invoked at least one action") \| successfulPoll:="true"; test(message=="Alert found results, but no actions were invoked since the alert is throttled") \| successfulPoll:="true"; test(message=="Alert found no results and will not trigger") \| successfulPoll:="true"; * \| ; } \| timeChart(span=1m, function={ [ {status=Failure \| count(as=failureCount)}, {status=Success successfulPoll=true \| count(as=successPollCount)}, {status=Success successfulPoll!=true \| count(as=successCount)} ] }) \| case { test(successPollCount>0) \| "Success":=1 \| "Failure":=0 \| "Not Running":=0; test(failureCount>0) \| "Success":=0 \| "Failure":=1 \| "Not Running":=0; test(successCount>0) \| "Success":=1 \| "Failure":=0 \| "Not Running":=0; \| "Success":=0 \| "Failure":=0 \| "Not Running":=1; } \| drop([failureCount, successPollCount, successCount])	`Time Chart`

Legacy Alerts Overview

The Legacy Alerts Overview dashboard provides comprehensive monitoring of legacy alert systems through multi-dimensional problem tracking visualizations. This dashboard enables analysis of action invocation errors, monitoring of query restart patterns, and tracking of alert triggers across legacy alert implementations.

Widget	Description	Type
FDR Ingest Problems by Repository	How many distinct FDR feeds had problems per repository. Hide Query Show Query logscale `#category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| timechart(dataspace, limit=50, function=count(field=fdrFeedName, distinct=true))`	`Time Chart`
Errors due to Action Invocation	Overview of errors with invoking actions when a filter alert triggers. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=Action dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Errors with User	Overview of errors with running filter alerts due to either the user having been deleted or the user not having permissions to run the filter alert. Fix this by either granting the user the missing permissions, change the alert to run as another user, or change the alert to run on behalf of the organization. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=User dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=tail(1)) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("message", as="Message") \| rename("suggestion", as="Suggestion") \| table(["Repository/view", "Alert name", "Last failed", "Message", "Suggestion", "alertId", "#category"], sortby=["Repository/view", "Alert name"], order=[asc,asc], limit=1000)	`Table`
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName \| message="Alert triggered on event and invoked at least one action" \| timechart(alertName)`	`Time Chart`
Alert Query Restarts over Time	Shows how many times the legacy alert query was restarted over time. If this happens more than a few times, it could indicate that the query is getting killed or has another problem. Hide Query Show Query logscale `#category = Alert dataspace=?repository alertName=?alertName \| message="Query started" \| timeChart(alertName, limit=50)`	`Time Chart`
Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")]) \| restarts := restarts - 1 \| rename(@timestamp, as="Last problem at") \| rename("dataspace", as="Repository") \| rename("fdrFeedName", as="FDR feed name") \| rename("restarts", as="No. of restarts") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)	`Table`
Alert Query Restarts	Lists all the times legacy alert queries restarted in time descending order. No. of times restarted represents how many times the query has restarted in the search window. If this number is high, it could indicate that the query is getting killed or has another problem. Hide Query Show Query logscale #category = Alert message="Query started" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[ { selectLast([@timestamp, alertId]) }, count(as="No. of times restarted")]) \| rename(@timestamp, as="Last restarted") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| table(["Repository/view", "Alert name", "No. of times restarted", "Last restarted", "alertId"], sortby=["No. of times restarted", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Filter Alerts Triggered	Overview of filter alerts that triggered and successfully invoked at least one action. Hide Query Show Query logscale #category=FilterAlert message="Alert triggered on event and invoked at least one action" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[selectLast(["@timestamp", actionIds, alertId]), count(as="No. of times triggered")]) \| rename(@timestamp, as="Last triggered") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionIds", as="Action ids") \| table(["Repository/view", "Alert name", "Action ids", "No. of times triggered", "Last triggered", "alertId"], sortby=["No. of times triggered", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`

Scheduled Reports Overview

The Scheduled Reports Overview dashboard presents comprehensive reporting metrics through performance and status visualizations. This dashboard enables monitoring of report generation times, tracking of PDF size limitations, and analysis of scheduling delays across the reporting framework.

Widget	Description	Type
FDR Ingest Problems by Repository	How many distinct FDR feeds had problems per repository. Hide Query Show Query logscale `#category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| timechart(dataspace, limit=50, function=count(field=fdrFeedName, distinct=true))`	`Time Chart`
Warnings with Scheduled Reports	Overview of warnings related to scheduled reports. Hide Query Show Query logscale #category="ScheduledReport" \| #severity = "Warning" \| dataspace=?{repository=} scheduledReportName=?{scheduledReportName=} \| subCategory="ScheduledReport" \| groupby([dataspace, scheduledReportName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("scheduledReportName", as="Scheduled report name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Scheduled report name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "Last warnings", "scheduledReportId"], sortby=["No. of times failed", "Repository/view", "Scheduled report name"], order=[desc,asc,asc], limit=1000)	`Table`
Errors due to Action Invocation	Overview of errors with invoking actions when a filter alert triggers. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=Action dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Scheduled Reports Lagging Behind	Overview of scheduled reports which cannot keep up with the schedule and where a planned execution was skipped. Scheduled reports that are on this list should first be checked if they have other problems. Second, if the time they lagged behind was a time where LogScale was not running optimally. If neither is the case, the target dashboard might need to be optimized. Hide Query Show Query logscale #category="ScheduledReport" \| message="Scheduled report lacked behind and had to be rescheduled" \| dataspace=?{repository=} scheduledReportName=?{scheduledReportName=} \| groupby([dataspace, scheduledReportName], function=[tail(1), count(as="No. of times lagging behind")]) \| rename(@timestamp, as="Last lagging behind") \| rename("dataspace", as="Repository/view") \| rename("scheduledReportName", as="Scheduled report name") \| table(["Repository/view", "Scheduled report name", "No. of times lagging behind", "Last lagging behind", "scheduledReportId"], sortby=["No. of times lagging behind", "Repository/view", "Scheduled report name"], order=[desc,asc,asc], limit=1000)	`Table`
Number of too large PDF reports generated	There is a limit to the size of pdf files LogScale will send. This widget shows a number of too large pdf reports that have been generated and attempted sent. Hide Query Show Query logscale `#category="ScheduledReport" #severity="Error" \| dataspace=?{repository=} scheduledReportName=?{scheduledReportName=} \| errors="File too large to process" \| groupby([dataspace, scheduledReportName]) \| count()`	`Single Value`
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName \| message="Alert triggered on event and invoked at least one action" \| timechart(alertName)`	`Time Chart`
Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")]) \| restarts := restarts - 1 \| rename(@timestamp, as="Last problem at") \| rename("dataspace", as="Repository") \| rename("fdrFeedName", as="FDR feed name") \| rename("restarts", as="No. of restarts") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)	`Table`
Errors with Scheduled Reports	Overview of errors related to scheduled reports. Hide Query Show Query logscale #category="ScheduledReport" \| #severity = "Error" \| dataspace=?{repository=} scheduledReportName=?{scheduledReportName=} \| subCategory="ScheduledReport" \| groupby([dataspace, scheduledReportName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("scheduledReportName", as="Scheduled report name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Scheduled report name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "Last warnings", "scheduledReportId"], sortby=["No. of times failed", "Repository/view", "Scheduled report name"], order=[desc,asc,asc], limit=1000)	`Table`
Scheduled Report Generation Time (Ms)	Overview of the time it takes for a report to transition from being planned to completing either as a success with the email being sent or a failure. Hide Query Show Query logscale `#category="ScheduledReport" \| dataspace=?{repository=} scheduledReportName=?{scheduledReportName=} \| in(field="message", values=["Scheduled report successfully finished executing", "Scheduled report failed to finish executing. Report will be retried.", "Scheduled report failed to finish executing because of a configuration error. Report will be disabled!"]) \| timeChart(function=percentile(field=generationExecutionTimeMs, percentiles=[75,90,99]), minSpan=10m)`	`Time Chart`
Filter Alerts Triggered	Overview of filter alerts that triggered and successfully invoked at least one action. Hide Query Show Query logscale #category=FilterAlert message="Alert triggered on event and invoked at least one action" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[selectLast(["@timestamp", actionIds, alertId]), count(as="No. of times triggered")]) \| rename(@timestamp, as="Last triggered") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionIds", as="Action ids") \| table(["Repository/view", "Alert name", "Action ids", "No. of times triggered", "Last triggered", "alertId"], sortby=["No. of times triggered", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`

Scheduled Search Details

The Scheduled Search Details dashboard provides detailed performance metrics through temporal status visualizations. This dashboard enables monitoring of search execution status, tracking of problem patterns, and analysis of search health across scheduled operations.

Widget Description Type

This chart displays when the alert successfully triggered.

Hide Query

Show Query

logscale

#category=FilterAlert dataspace=?repository alertName=?alertName
| message="Alert triggered on event and invoked at least one action"
| timechart(alertName)

Time Chart

Hide Query

Show Query

logscale

#category=Fdr | #severity =~ in(values=["Warning", "Error"]) | dataspace=?{repository=*} fdrFeedName=?{fdrFeedName=*}
| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")])
| restarts := restarts - 1
| rename(@timestamp, as="Last problem at")
| rename("dataspace", as="Repository")
| rename("fdrFeedName", as="FDR feed name")
| rename("restarts", as="No. of restarts")
| rename("suggestion", as="Last suggestion")
| rename("message", as="Last message")
| rename("exceptionMessage", as="Last exceptionMessage")
| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)

Table

Shows the status of the alert over time.

Hide Query

Show Query

logscale

#category=FilterAlert dataspace=?repository alertName=?alertName
| status=*
| case {
    test(message=="Alert triggered on event and invoked at least one action")                      | successfulPoll:="true";
    test(message=="Alert found results, but no actions were invoked since the alert is throttled") | successfulPoll:="true";
    test(message=="Alert found no results and will not trigger")                                   | successfulPoll:="true";
    *                                                                                              | *;
}
| timeChart(span=1m, function={
    [
      {status=Failure                      | count(as=failureCount)},
      {status=Success successfulPoll=true  | count(as=successPollCount)},
      {status=Success successfulPoll!=true | count(as=successCount)}
    ]
  })
| case {
    test(successPollCount>0) | "Success":=1 | "Failure":=0 | "Not Running":=0;
    test(failureCount>0)     | "Success":=0 | "Failure":=1 | "Not Running":=0;
    test(successCount>0)     | "Success":=1 | "Failure":=0 | "Not Running":=0;
    *                        | "Success":=0 | "Failure":=0 | "Not Running":=1;
  }
| drop([failureCount, successPollCount, successCount])

Time Chart

Scheduled Searches Overview

The Scheduled Searches Overview dashboard presents comprehensive search operation metrics through multi-dimensional monitoring visualizations. This dashboard enables tracking of execution errors, analysis of user permission issues, and monitoring of search performance across the scheduling framework.

Widget	Description	Type
FDR Ingest Problems by Repository	How many distinct FDR feeds had problems per repository. Hide Query Show Query logscale `#category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| timechart(dataspace, limit=50, function=count(field=fdrFeedName, distinct=true))`	`Time Chart`
Errors due to Action Invocation	Overview of errors with invoking actions when a filter alert triggers. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=Action dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Scheduled Reports Lagging Behind	Overview of scheduled reports which cannot keep up with the schedule and where a planned execution was skipped. Scheduled reports that are on this list should first be checked if they have other problems. Second, if the time they lagged behind was a time where LogScale was not running optimally. If neither is the case, the target dashboard might need to be optimized. Hide Query Show Query logscale #category="ScheduledReport" \| message="Scheduled report lacked behind and had to be rescheduled" \| dataspace=?{repository=} scheduledReportName=?{scheduledReportName=} \| groupby([dataspace, scheduledReportName], function=[tail(1), count(as="No. of times lagging behind")]) \| rename(@timestamp, as="Last lagging behind") \| rename("dataspace", as="Repository/view") \| rename("scheduledReportName", as="Scheduled report name") \| table(["Repository/view", "Scheduled report name", "No. of times lagging behind", "Last lagging behind", "scheduledReportId"], sortby=["No. of times lagging behind", "Repository/view", "Scheduled report name"], order=[desc,asc,asc], limit=1000)	`Table`
Errors with User	Overview of errors with running filter alerts due to either the user having been deleted or the user not having permissions to run the filter alert. Fix this by either granting the user the missing permissions, change the alert to run as another user, or change the alert to run on behalf of the organization. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=User dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=tail(1)) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("message", as="Message") \| rename("suggestion", as="Suggestion") \| table(["Repository/view", "Alert name", "Last failed", "Message", "Suggestion", "alertId", "#category"], sortby=["Repository/view", "Alert name"], order=[asc,asc], limit=1000)	`Table`
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName \| message="Alert triggered on event and invoked at least one action" \| timechart(alertName)`	`Time Chart`
Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")]) \| restarts := restarts - 1 \| rename(@timestamp, as="Last problem at") \| rename("dataspace", as="Repository") \| rename("fdrFeedName", as="FDR feed name") \| rename("restarts", as="No. of restarts") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)	`Table`
Filter Alerts Triggered	Overview of filter alerts that triggered and successfully invoked at least one action. Hide Query Show Query logscale #category=FilterAlert message="Alert triggered on event and invoked at least one action" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[selectLast(["@timestamp", actionIds, alertId]), count(as="No. of times triggered")]) \| rename(@timestamp, as="Last triggered") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionIds", as="Action ids") \| table(["Repository/view", "Alert name", "Action ids", "No. of times triggered", "Last triggered", "alertId"], sortby=["No. of times triggered", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`

Versions of this Page

Package Marketplace

Package Reference

Dashboard Reference

Package Management

Other Integrations

Log Formats

humio/activity Dashboards

Alert Details

Alerts Overview

FDR Ingest Status

Filter Alert Details

Filter Alerts Overview

Legacy Alert Details

Legacy Alerts Overview

Scheduled Reports Overview

Scheduled Search Details

Scheduled Searches Overview

Enter search term