humio/activity Dashboards

Alerts Overview

Widget	Description	Type
Alert Problems by Repository/View	How many distinct FDR feeds had problems per repository. Hide Query Show Query logscale `#category=Alert \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} alertName=?{alertName=} \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Action Invocation Problems	Overview of errors with invoking actions when a filter alert triggers. Hide Query Show Query logscale #category=Alert #severity = "Warning" message = "Problem invoking action" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| sort(["No. of times failed", "dataspace","alertName"], order=[desc,asc,asc]) \| rename(@timestamp, as="Last failed") \| formatTime(field="Last failed", format="%Y/%m/%d %H:%M:%S %Z", as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionName", as="Action name") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "Action name", "No. of times failed", "Last failed", "Last exceptionMessage"])	`Table`
User Problems	Overview of errors with running filter alerts due to either the user having been deleted or the user not having permissions to run the filter alert. Fix this by either granting the user the missing permissions, change the alert to run as another user, or change the alert to run on behalf of the organization. Hide Query Show Query logscale #category=Alert subCategory=User \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=tail(1)) \| sort(["dataspace","alertName"], order=asc) \| rename(@timestamp, as="Last failed") \| formatTime(field="Last failed", format="%Y/%m/%d %H:%M:%S %Z", as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("message", as="Message") \| rename("suggestion", as="Suggestion") \| table(["Repository/view", "Alert name", "Last failed", "Message", "Suggestion"])	`Table`
Successful Alert Triggers by Repository/View	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=Alert \| message="Alert triggered and invoked at least one action and will be throttled" dataspace=?{repository=} alertName=?{alertName=} \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Alert Query Start over Time	Shows how many times the legacy alert query was restarted over time. If this happens more than a few times, it could indicate that the query is getting killed or has another problem. Hide Query Show Query logscale `#category = Alert message="Query started" dataspace=?{repository=} alertName=?{alertName=} \| dataspaceAlertName := format("%s: %s", field=[dataspace, alertName]) \| timeChart(dataspaceAlertName, limit=50)`	`Time Chart`
Other Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Alert \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[tail(1), count(as="No. of times failed")]) \| subCategory != User message != "Problem invoking action" \| sort(["No. of times failed", "dataspace", "alertName"], order=[desc,asc,asc]) \| rename(@timestamp, as="Last failed") \| formatTime(field="Last failed", format="%Y/%m/%d %H:%M:%S %Z", as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "Last warnings"])	`Table`
Alert Query Start	Lists all the times legacy alert queries restarted in time descending order. No. of times restarted represents how many times the query has restarted in the search window. If this number is high, it could indicate that the query is getting killed or has another problem. Hide Query Show Query logscale #category = Alert message="Query started" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[ { selectLast(@timestamp) }, count(as="No. of times started")]) \| sort(["No. of times started", "dataspace", "alertName"], order=[desc,asc,asc]) \| rename(@timestamp, as="Last started") \| formatTime(field="Last started", format="%Y/%m/%d %H:%M:%S %Z", as="Last started") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| table(["Repository/view", "Alert name", "No. of times started", "Last started"])	`Table`
Alerts Triggered	Overview of filter alerts that triggered and successfully invoked at least one action. Hide Query Show Query logscale #category=Alert message="Alert triggered and invoked at least one action and will be throttled" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[selectLast(["@timestamp", actionIds]), count(as="No. of times triggered")]) \| sort(["No. of times triggered", "dataspace", "alertName"], order=[desc,asc,asc]) \| rename(@timestamp, as="Last triggered") \| formatTime(field="Last triggered", format="%Y/%m/%d %H:%M:%S %Z", as="Last triggered") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionIds", as="Action ids") \| table(["Repository/view", "Alert name", "Action ids", "No. of times triggered", "Last triggered"])	`Table`

FDR Ingest Status

Widget Description Type

Alert Problems by Repository/View

How many distinct FDR feeds had problems per repository.

Hide Query

Show Query

logscale

#category=Alert | #severity =~ in(values=["Warning", "Error"]) | dataspace=?{repository=*} alertName=?{alertName=*}
| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)

Time Chart

Scheduled Searches Overview

Widget	Description	Type
Alert Problems by Repository/View	How many distinct FDR feeds had problems per repository. Hide Query Show Query logscale `#category=Alert \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} alertName=?{alertName=} \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Action Invocation Problems	Overview of errors with invoking actions when a filter alert triggers. Hide Query Show Query logscale #category=Alert #severity = "Warning" message = "Problem invoking action" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| sort(["No. of times failed", "dataspace","alertName"], order=[desc,asc,asc]) \| rename(@timestamp, as="Last failed") \| formatTime(field="Last failed", format="%Y/%m/%d %H:%M:%S %Z", as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionName", as="Action name") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "Action name", "No. of times failed", "Last failed", "Last exceptionMessage"])	`Table`
Scheduled Searches Lagging Behind	Overview of scheduled reports which cannot keep up with the schedule and where a planned execution was skipped. Scheduled reports that are on this list should first be checked if they have other problems. Second, if the time they lagged behind was a time where LogScale was not running optimally. If neither is the case, the target dashboard might need to be optimized. Hide Query Show Query logscale #category=ScheduledSearch \| message="Scheduled search lagged behind and had to be rescheduled" \| dataspace=?{repository=} scheduledSearchName=?{scheduledSearchName=} \| groupby([dataspace, scheduledSearchName], function=[selectLast(@timestamp), count(as="No. of times lagging behind")]) \| sort(["No. of times lagging behind", "dataspace", "scheduledSearchName"], order=[desc,asc,asc]) \| rename(@timestamp, as="Last lagging behind") \| formatTime(field="Last lagging behind", format="%Y/%m/%d %H:%M:%S %Z", as="Last lagging behind") \| rename("dataspace", as="Repository/view") \| rename("scheduledSearchName", as="Scheduled search name") \| table(["Repository/view", "Scheduled search name", "No. of times lagging behind", "Last lagging behind"])	`Table`
User Problems	Overview of errors with running filter alerts due to either the user having been deleted or the user not having permissions to run the filter alert. Fix this by either granting the user the missing permissions, change the alert to run as another user, or change the alert to run on behalf of the organization. Hide Query Show Query logscale #category=Alert subCategory=User \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=tail(1)) \| sort(["dataspace","alertName"], order=asc) \| rename(@timestamp, as="Last failed") \| formatTime(field="Last failed", format="%Y/%m/%d %H:%M:%S %Z", as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("message", as="Message") \| rename("suggestion", as="Suggestion") \| table(["Repository/view", "Alert name", "Last failed", "Message", "Suggestion"])	`Table`
Successful Alert Triggers by Repository/View	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=Alert \| message="Alert triggered and invoked at least one action and will be throttled" dataspace=?{repository=} alertName=?{alertName=} \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Other Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Alert \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[tail(1), count(as="No. of times failed")]) \| subCategory != User message != "Problem invoking action" \| sort(["No. of times failed", "dataspace", "alertName"], order=[desc,asc,asc]) \| rename(@timestamp, as="Last failed") \| formatTime(field="Last failed", format="%Y/%m/%d %H:%M:%S %Z", as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "Last warnings"])	`Table`
Alerts Triggered	Overview of filter alerts that triggered and successfully invoked at least one action. Hide Query Show Query logscale #category=Alert message="Alert triggered and invoked at least one action and will be throttled" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[selectLast(["@timestamp", actionIds]), count(as="No. of times triggered")]) \| sort(["No. of times triggered", "dataspace", "alertName"], order=[desc,asc,asc]) \| rename(@timestamp, as="Last triggered") \| formatTime(field="Last triggered", format="%Y/%m/%d %H:%M:%S %Z", as="Last triggered") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionIds", as="Action ids") \| table(["Repository/view", "Alert name", "Action ids", "No. of times triggered", "Last triggered"])	`Table`

Integrations

Packages

Other Integrations

Log Formats

humio/activity Dashboards

Alerts Overview

FDR Ingest Status

Scheduled Searches Overview

Enter search term