humio/activity Dashboards

Alert Details

Widget	Description	Type
Problems	Overview of problems with the alert. Hide Query Show Query logscale #category=~in(values=[Alert,AggregateAlert,FilterAlert]) \| #severity=~in(values=[?severity]) \| dataspace=?repository alertName=?alertName \| groupby(message, function=[tail(1), count(as="No. of times failed")]) \| rename(#severity, as="Severity") \| rename(@timestamp, as="Last failed") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Message", "Severity", "No. of times failed", "Last failed", "Last suggestion", "Last exceptionMessage", "Last warnings", "alertId", "#category"], sortby=[Severity,Message], order=[asc,asc])	`Table`
Current Status	Shows the status of the alert within the last minute. If the alert was successfully polled, it is green. Otherwise, if the alert had a failure, it is red. Otherwise, if the alert had a success, it is green. Otherwise, the alert is grey. Hide Query Show Query logscale #category=~in(values=[Alert,AggregateAlert,FilterAlert]) \| dataspace=?repository alertName=?alertName \| status=* \| message match { "Alert triggered and invoked at least one action and will be throttled" => successfulPoll:="true"; "Alert triggered on event and invoked at least one action" => successfulPoll:="true"; "Alert found results, but no actions were invoked since the alert is throttled" => successfulPoll:="true"; "Alert found no results and will not trigger" => successfulPoll:="true"; * => ; } \| [{status=Failure \| count(as=failureCount)}, {status=Success successfulPoll=true \| count(as=successPollCount)}, {status=Success successfulPoll!=true \| count(as=successCount)}] \| case { test(successPollCount>0) \| aggStatus:="🟢"; test(failureCount>0) \| aggStatus:="🔴"; test(successCount>0) \| aggStatus:="🟢"; \| aggStatus:="⚪"; } \| select(aggStatus)	`Single Value`
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=~in(values=[Alert,AggregateAlert,FilterAlert]) \| dataspace=?repository alertName=?alertName \| message=~in(values=["Alert triggered and invoked at least one action and will be throttled", "Alert triggered on event and invoked at least one action"]) \| timechart(alertName)`	`Time Chart`
Status over Time	Shows the status of the alert over time. Hide Query Show Query logscale #category=~in(values=[Alert,AggregateAlert,FilterAlert]) \| dataspace=?repository alertName=?alertName \| status=* \| message match { "Alert triggered and invoked at least one action and will be throttled" => successfulPoll:="true"; "Alert triggered on event and invoked at least one action" => successfulPoll:="true"; "Alert found results, but no actions were invoked since the alert is throttled" => successfulPoll:="true"; "Alert found no results and will not trigger" => successfulPoll:="true"; * => ; } \| timeChart(span=1m, function={ [ {status=Failure \| count(as=failureCount)}, {status=Success successfulPoll=true \| count(as=successPollCount)}, {status=Success successfulPoll!=true \| count(as=successCount)} ] }) \| case { test(successPollCount>0) \| "Success":=1 \| "Failure":=0 \| "Not Running":=0; test(failureCount>0) \| "Success":=0 \| "Failure":=1 \| "Not Running":=0; test(successCount>0) \| "Success":=1 \| "Failure":=0 \| "Not Running":=0; \| "Success":=0 \| "Failure":=0 \| "Not Running":=1; } \| drop([failureCount, successPollCount, successCount])	`Time Chart`
Lagging Behind over Time	Shows whether the filter or aggregate alert is running historic queries to catch up over time. Note: Legacy alerts do not run historic queries to catch up. Hide Query Show Query logscale `#category=~in(values=[AggregateAlert,FilterAlert]) \| dataspace=?repository alertName=?alertName isLiveQuery=false \| timechart(alertName, limit=50, function=count(), span=10m) \| case { _count>0 \| _count:=1; * \| *; }`	`Time Chart`
Lagging Behind	Whether the filter or aggregate alert is running historic queries to catch up and not reacting to new events in the meantime. Note: Legacy alerts do not run historic queries to catch up. Hide Query Show Query logscale `#category=~in(values=[AggregateAlert,FilterAlert]) \| dataspace=?repository alertName=?alertName isLiveQuery=* \| [{isLiveQuery=true \| count(as=liveCount)}, {isLiveQuery=false \| count(as=historicCount)}] \| case { test(historicCount>0) \| aggStatus:="🔴"; test(liveCount>0) \| aggStatus:="🟢"; * \| aggStatus:="⚪"; } \| select(aggStatus)`	`Single Value`
Problem severity		parameterPanel

Alerts Overview

Widget	Description	Type
Alert problems	Displays a table of alert problems (repository, alert name, last failed, last severity, etc.) Hide Query Show Query logscale #category=~in(values=[?alertTypes]) \| #severity=~in(values=[?severity]) \| subCategory=~in(values=[?subCategory])\| dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename(@timestamp, as="Last failed") \| rename("#severity", as="Last severity") \| rename("message", as="Last message") \| rename("suggestion", as="Last suggestion") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last severity", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Alerts Lagging Behind by Repository/View	This chart displays how many distinct aggregate or filter alerts over time per repository/view are running historic queries to catch up and not reacting to new events in the meantime. Note: Legacy alerts do not run historic queries to catch up. Hide Query Show Query logscale `#category=~in(values=[?alertTypes]) \| dataspace=?{repository=} alertName=?{alertName=} isLiveQuery=false \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Alerts Triggered	Overview of alerts that triggered and successfully invoked at least one action. Hide Query Show Query logscale #category=~in(values=[?alertTypes]) \| dataspace=?{repository=} alertName=?{alertName=} \| message=~in(values=["Alert triggered and invoked at least one action and will be throttled", "Alert triggered on event and invoked at least one action"]) \| groupby([dataspace, alertName], function=[selectLast(["@timestamp", actionIds, alertId]), count(as="No. of times triggered")]) \| rename(@timestamp, as="Last triggered") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionIds", as="Action ids") \| table(["Repository/view", "Alert name", "Action ids", "No. of times triggered", "Last triggered", "alertId"], sortby=["No. of times triggered", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Successful Alert Triggers by Repository/View	This chart displays how many distinct alerts triggered over time per repository or view. Hide Query Show Query logscale `#category=~in(values=[?alertTypes]) \| dataspace=?{repository=} alertName=?{alertName=} \| message=~in(values=["Alert triggered and invoked at least one action and will be throttled", "Alert triggered on event and invoked at least one action"]) \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Alerts Lagging Behind	Overview over aggregate or filter alerts that are running historic queries to catch up and not reacting to new events in the meantime. Note: Legacy alerts do not run historic queries to catch up. Hide Query Show Query logscale `#category=~in(values=[?alertTypes]) \| dataspace=?{repository=} alertName=?{alertName=} isLiveQuery=false \| groupby([dataspace, alertName], function=tail(1)) \| rename(@timestamp, as="Last lagging behind") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| table(["Repository/view", "Alert name", "Last lagging behind", "alertId"], sortby=["Last lagging behind", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)`	`Table`
Alert Problems by Repository/View	This chart displays how many distinct alerts had problems over time per repository or view. Hide Query Show Query logscale `#category=~in(values=[?alertTypes]) \| #severity=~in(values=[?severity]) \| subCategory=~in(values=[?subCategory])\| dataspace=?{repository=} alertName=?{alertName=} \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Problem parameters	Select problem severities and categories to show.	parameterPanel

FDR Ingest Status

Widget Description Type

How many distinct FDR feeds had problems per repository.

Show Query

Time Chart

Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem.

Show Query

Table

SQS messages that failed and have not yet been successfully retried.

Show Query

Table

Filter Alert Details

Widget	Description	Type
Lagging Behind over Time	Shows whether the filter alert is running historic queries to catch up over time. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName isLiveQuery=false \| timechart(alertName, limit=50, function=count(), span=10m) \| case { _count>0 \| _count:=1; * \| *; }`	`Time Chart`
Lagging Behind	Whether the filter alert is running historic queries to catch up and not reacting to new events in the meantime. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName isLiveQuery=* \| [{isLiveQuery=true \| count(as=liveCount)}, {isLiveQuery=false \| count(as=historicCount)}] \| case { test(historicCount>0) \| aggStatus:="🔴"; test(liveCount>0) \| aggStatus:="🟢"; * \| aggStatus:="⚪"; } \| select(aggStatus)`	`Single Value`
Warnings	Overview of warnings with the filter alert. Hide Query Show Query logscale #category=FilterAlert #severity=Warning dataspace=?repository alertName=?alertName \| groupby(message, function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Message", "No. of times failed", "Last failed", "Last suggestion", "Last exceptionMessage", "Last warnings", "alertId", "#category"], sortby=Message, order=asc)	`Table`
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName \| message="Alert triggered on event and invoked at least one action" \| timechart(alertName)`	`Time Chart`
Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")]) \| restarts := restarts - 1 \| rename(@timestamp, as="Last problem at") \| rename("dataspace", as="Repository") \| rename("fdrFeedName", as="FDR feed name") \| rename("restarts", as="No. of restarts") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)	`Table`
Current Status	Shows the status of the alert within the last minute. If the alert was successfully polled, it is green. Otherwise, if the alert had a failure, it is red. Otherwise, if the alert had a success, it is green. Otherwise, the alert is grey. Hide Query Show Query logscale #category=FilterAlert dataspace=?repository alertName=?alertName \| status=* \| case { test(message=="Alert triggered on event and invoked at least one action") \| successfulPoll:="true"; test(message=="Alert found results, but no actions were invoked since the alert is throttled") \| successfulPoll:="true"; test(message=="Alert found no results and will not trigger") \| successfulPoll:="true"; * \| ; } \| [{status=Failure \| count(as=failureCount)}, {status=Success successfulPoll=true \| count(as=successPollCount)}, {status=Success successfulPoll!=true \| count(as=successCount)}] \| case { test(successPollCount>0) \| aggStatus:="🟢"; test(failureCount>0) \| aggStatus:="🔴"; test(successCount>0) \| aggStatus:="🟢"; \| aggStatus:="⚪"; } \| select(aggStatus)	`Single Value`
Status over Time	Shows the status of the alert over time. Hide Query Show Query logscale #category=FilterAlert dataspace=?repository alertName=?alertName \| status=* \| case { test(message=="Alert triggered on event and invoked at least one action") \| successfulPoll:="true"; test(message=="Alert found results, but no actions were invoked since the alert is throttled") \| successfulPoll:="true"; test(message=="Alert found no results and will not trigger") \| successfulPoll:="true"; * \| ; } \| timeChart(span=1m, function={ [ {status=Failure \| count(as=failureCount)}, {status=Success successfulPoll=true \| count(as=successPollCount)}, {status=Success successfulPoll!=true \| count(as=successCount)} ] }) \| case { test(successPollCount>0) \| "Success":=1 \| "Failure":=0 \| "Not Running":=0; test(failureCount>0) \| "Success":=0 \| "Failure":=1 \| "Not Running":=0; test(successCount>0) \| "Success":=1 \| "Failure":=0 \| "Not Running":=0; \| "Success":=0 \| "Failure":=0 \| "Not Running":=1; } \| drop([failureCount, successPollCount, successCount])	`Time Chart`

Filter Alerts Overview

Widget	Description	Type
FDR Ingest Problems by Repository	How many distinct FDR feeds had problems per repository. Hide Query Show Query logscale `#category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| timechart(dataspace, limit=50, function=count(field=fdrFeedName, distinct=true))`	`Time Chart`
Errors due to Action Invocation	Overview of errors with invoking actions when a filter alert triggers. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=Action dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Errors with User	Overview of errors with running filter alerts due to either the user having been deleted or the user not having permissions to run the filter alert. Fix this by either granting the user the missing permissions, change the alert to run as another user, or change the alert to run on behalf of the organization. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=User dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=tail(1)) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("message", as="Message") \| rename("suggestion", as="Suggestion") \| table(["Repository/view", "Alert name", "Last failed", "Message", "Suggestion", "alertId", "#category"], sortby=["Repository/view", "Alert name"], order=[asc,asc], limit=1000)	`Table`
Other Errors	Overview of other errors with running filter alerts than the three lists above. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=Alert dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("message", as="Last message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Action Invocation Warnings	Overview of warnings with invoking actions when a filter alert triggers. Note that if the filter alert has multiple actions attached and at least one succeeds, it is considered to have triggered. Hide Query Show Query logscale #category=FilterAlert #severity="Warning" subCategory=Action dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionName", as="Action name") \| rename("message", as="Last message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "Action name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName \| message="Alert triggered on event and invoked at least one action" \| timechart(alertName)`	`Time Chart`
Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")]) \| restarts := restarts - 1 \| rename(@timestamp, as="Last problem at") \| rename("dataspace", as="Repository") \| rename("fdrFeedName", as="FDR feed name") \| rename("restarts", as="No. of restarts") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)	`Table`
Filter Alerts Lagging Behind by Repository/View	This chart displays how many distinct filter alerts over time per repository/view are running historic queries to catch up and not reacting to new events in the meantime. Hide Query Show Query logscale `#category=FilterAlert isLiveQuery=false dataspace=?{repository=} alertName=?{alertName=} \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Filter Alerts Lagging Behind	Overview over filter alerts that are running historic queries to catch up and not reacting to new events in the meantime. Hide Query Show Query logscale `#category=FilterAlert isLiveQuery=false dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=tail(1)) \| rename(@timestamp, as="Last lagging behind") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| table(["Repository/view", "Alert name", "Last lagging behind", "alertId"], sortby=["Last lagging behind", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)`	`Table`
Filter Alert Warnings by Repository/View	This chart displays how many distinct filter alerts had warnings over time per repository or view. Hide Query Show Query logscale `#category=FilterAlert #severity="Warning" dataspace=?{repository=} alertName=?{alertName=} \| timechart(dataspace, limit=50, function=count(field=alertName, distinct=true), span=10m)`	`Time Chart`
Filter Alerts Triggered	Overview of filter alerts that triggered and successfully invoked at least one action. Hide Query Show Query logscale #category=FilterAlert message="Alert triggered on event and invoked at least one action" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[selectLast(["@timestamp", actionIds, alertId]), count(as="No. of times triggered")]) \| rename(@timestamp, as="Last triggered") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionIds", as="Action ids") \| table(["Repository/view", "Alert name", "Action ids", "No. of times triggered", "Last triggered", "alertId"], sortby=["No. of times triggered", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Query Warnings	Overview of warnings with running the filter alert queries. Hide Query Show Query logscale #category=FilterAlert #severity="Warning" subCategory=Query dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("queryWarning", as="Last query warning") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "Last query warning", "alertId", "#category"], sortby=["No. of times failed", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Errors with Query	Overview of errors with running filter alert queries. This can either be due to an error in the query or due to problems in the cluster causing errors when trying to run the query. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=Query dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`

Legacy Alert Details

Widget	Description	Type
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName \| message="Alert triggered on event and invoked at least one action" \| timechart(alertName)`	`Time Chart`
Alert Query Restarts over Time	Shows how many times the legacy alert query was restarted over time. If this happens more than a few times, it could indicate that the query is getting killed or has another problem. Hide Query Show Query logscale `#category = Alert dataspace=?repository alertName=?alertName \| message="Query started" \| timeChart(alertName, limit=50)`	`Time Chart`
Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")]) \| restarts := restarts - 1 \| rename(@timestamp, as="Last problem at") \| rename("dataspace", as="Repository") \| rename("fdrFeedName", as="FDR feed name") \| rename("restarts", as="No. of restarts") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)	`Table`
Current Status	Shows the status of the alert within the last minute. If the alert was successfully polled, it is green. Otherwise, if the alert had a failure, it is red. Otherwise, if the alert had a success, it is green. Otherwise, the alert is grey. Hide Query Show Query logscale #category=FilterAlert dataspace=?repository alertName=?alertName \| status=* \| case { test(message=="Alert triggered on event and invoked at least one action") \| successfulPoll:="true"; test(message=="Alert found results, but no actions were invoked since the alert is throttled") \| successfulPoll:="true"; test(message=="Alert found no results and will not trigger") \| successfulPoll:="true"; * \| ; } \| [{status=Failure \| count(as=failureCount)}, {status=Success successfulPoll=true \| count(as=successPollCount)}, {status=Success successfulPoll!=true \| count(as=successCount)}] \| case { test(successPollCount>0) \| aggStatus:="🟢"; test(failureCount>0) \| aggStatus:="🔴"; test(successCount>0) \| aggStatus:="🟢"; \| aggStatus:="⚪"; } \| select(aggStatus)	`Single Value`
Status over Time	Shows the status of the alert over time. Hide Query Show Query logscale #category=FilterAlert dataspace=?repository alertName=?alertName \| status=* \| case { test(message=="Alert triggered on event and invoked at least one action") \| successfulPoll:="true"; test(message=="Alert found results, but no actions were invoked since the alert is throttled") \| successfulPoll:="true"; test(message=="Alert found no results and will not trigger") \| successfulPoll:="true"; * \| ; } \| timeChart(span=1m, function={ [ {status=Failure \| count(as=failureCount)}, {status=Success successfulPoll=true \| count(as=successPollCount)}, {status=Success successfulPoll!=true \| count(as=successCount)} ] }) \| case { test(successPollCount>0) \| "Success":=1 \| "Failure":=0 \| "Not Running":=0; test(failureCount>0) \| "Success":=0 \| "Failure":=1 \| "Not Running":=0; test(successCount>0) \| "Success":=1 \| "Failure":=0 \| "Not Running":=0; \| "Success":=0 \| "Failure":=0 \| "Not Running":=1; } \| drop([failureCount, successPollCount, successCount])	`Time Chart`

Legacy Alerts Overview

Widget	Description	Type
FDR Ingest Problems by Repository	How many distinct FDR feeds had problems per repository. Hide Query Show Query logscale `#category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| timechart(dataspace, limit=50, function=count(field=fdrFeedName, distinct=true))`	`Time Chart`
Errors due to Action Invocation	Overview of errors with invoking actions when a filter alert triggers. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=Action dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Errors with User	Overview of errors with running filter alerts due to either the user having been deleted or the user not having permissions to run the filter alert. Fix this by either granting the user the missing permissions, change the alert to run as another user, or change the alert to run on behalf of the organization. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=User dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=tail(1)) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("message", as="Message") \| rename("suggestion", as="Suggestion") \| table(["Repository/view", "Alert name", "Last failed", "Message", "Suggestion", "alertId", "#category"], sortby=["Repository/view", "Alert name"], order=[asc,asc], limit=1000)	`Table`
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName \| message="Alert triggered on event and invoked at least one action" \| timechart(alertName)`	`Time Chart`
Alert Query Restarts over Time	Shows how many times the legacy alert query was restarted over time. If this happens more than a few times, it could indicate that the query is getting killed or has another problem. Hide Query Show Query logscale `#category = Alert dataspace=?repository alertName=?alertName \| message="Query started" \| timeChart(alertName, limit=50)`	`Time Chart`
Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")]) \| restarts := restarts - 1 \| rename(@timestamp, as="Last problem at") \| rename("dataspace", as="Repository") \| rename("fdrFeedName", as="FDR feed name") \| rename("restarts", as="No. of restarts") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)	`Table`
Alert Query Restarts	Lists all the times legacy alert queries restarted in time descending order. No. of times restarted represents how many times the query has restarted in the search window. If this number is high, it could indicate that the query is getting killed or has another problem. Hide Query Show Query logscale #category = Alert message="Query started" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[ { selectLast([@timestamp, alertId]) }, count(as="No. of times restarted")]) \| rename(@timestamp, as="Last restarted") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| table(["Repository/view", "Alert name", "No. of times restarted", "Last restarted", "alertId"], sortby=["No. of times restarted", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Filter Alerts Triggered	Overview of filter alerts that triggered and successfully invoked at least one action. Hide Query Show Query logscale #category=FilterAlert message="Alert triggered on event and invoked at least one action" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[selectLast(["@timestamp", actionIds, alertId]), count(as="No. of times triggered")]) \| rename(@timestamp, as="Last triggered") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionIds", as="Action ids") \| table(["Repository/view", "Alert name", "Action ids", "No. of times triggered", "Last triggered", "alertId"], sortby=["No. of times triggered", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`

Scheduled Reports Overview

Widget	Description	Type
FDR Ingest Problems by Repository	How many distinct FDR feeds had problems per repository. Hide Query Show Query logscale `#category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| timechart(dataspace, limit=50, function=count(field=fdrFeedName, distinct=true))`	`Time Chart`
Warnings with Scheduled Reports	Overview of warnings related to scheduled reports. Hide Query Show Query logscale #category="ScheduledReport" \| #severity = "Warning" \| dataspace=?{repository=} scheduledReportName=?{scheduledReportName=} \| subCategory="ScheduledReport" \| groupby([dataspace, scheduledReportName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("scheduledReportName", as="Scheduled report name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Scheduled report name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "Last warnings", "scheduledReportId"], sortby=["No. of times failed", "Repository/view", "Scheduled report name"], order=[desc,asc,asc], limit=1000)	`Table`
Errors due to Action Invocation	Overview of errors with invoking actions when a filter alert triggers. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=Action dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Scheduled Reports Lagging Behind	Overview of scheduled reports which cannot keep up with the schedule and where a planned execution was skipped. Scheduled reports that are on this list should first be checked if they have other problems. Second, if the time they lagged behind was a time where LogScale was not running optimally. If neither is the case, the target dashboard might need to be optimized. Hide Query Show Query logscale #category="ScheduledReport" \| message="Scheduled report lacked behind and had to be rescheduled" \| dataspace=?{repository=} scheduledReportName=?{scheduledReportName=} \| groupby([dataspace, scheduledReportName], function=[tail(1), count(as="No. of times lagging behind")]) \| rename(@timestamp, as="Last lagging behind") \| rename("dataspace", as="Repository/view") \| rename("scheduledReportName", as="Scheduled report name") \| table(["Repository/view", "Scheduled report name", "No. of times lagging behind", "Last lagging behind", "scheduledReportId"], sortby=["No. of times lagging behind", "Repository/view", "Scheduled report name"], order=[desc,asc,asc], limit=1000)	`Table`
Number of too large PDF reports generated	There is a limit to the size of pdf files LogScale will send. This widget shows a number of too large pdf reports that have been generated and attempted sent. Hide Query Show Query logscale `#category="ScheduledReport" #severity="Error" \| dataspace=?{repository=} scheduledReportName=?{scheduledReportName=} \| errors="File too large to process" \| groupby([dataspace, scheduledReportName]) \| count()`	`Single Value`
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName \| message="Alert triggered on event and invoked at least one action" \| timechart(alertName)`	`Time Chart`
Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")]) \| restarts := restarts - 1 \| rename(@timestamp, as="Last problem at") \| rename("dataspace", as="Repository") \| rename("fdrFeedName", as="FDR feed name") \| rename("restarts", as="No. of restarts") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)	`Table`
Errors with Scheduled Reports	Overview of errors related to scheduled reports. Hide Query Show Query logscale #category="ScheduledReport" \| #severity = "Error" \| dataspace=?{repository=} scheduledReportName=?{scheduledReportName=} \| subCategory="ScheduledReport" \| groupby([dataspace, scheduledReportName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("scheduledReportName", as="Scheduled report name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("warnings", as="Last warnings") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Scheduled report name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "Last warnings", "scheduledReportId"], sortby=["No. of times failed", "Repository/view", "Scheduled report name"], order=[desc,asc,asc], limit=1000)	`Table`
Scheduled Report Generation Time (Ms)	Overview of the time it takes for a report to transition from being planned to completing either as a success with the email being sent or a failure. Hide Query Show Query logscale `#category="ScheduledReport" \| dataspace=?{repository=} scheduledReportName=?{scheduledReportName=} \| in(field="message", values=["Scheduled report successfully finished executing", "Scheduled report failed to finish executing. Report will be retried.", "Scheduled report failed to finish executing because of a configuration error. Report will be disabled!"]) \| timeChart(function=percentile(field=generationExecutionTimeMs, percentiles=[75,90,99]), minSpan=10m)`	`Time Chart`
Filter Alerts Triggered	Overview of filter alerts that triggered and successfully invoked at least one action. Hide Query Show Query logscale #category=FilterAlert message="Alert triggered on event and invoked at least one action" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[selectLast(["@timestamp", actionIds, alertId]), count(as="No. of times triggered")]) \| rename(@timestamp, as="Last triggered") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionIds", as="Action ids") \| table(["Repository/view", "Alert name", "Action ids", "No. of times triggered", "Last triggered", "alertId"], sortby=["No. of times triggered", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`

Scheduled Search Details

Widget Description Type

This chart displays when the alert successfully triggered.

Show Query

Time Chart

Show Query

Table

Shows the status of the alert over time.

Show Query

Time Chart

Scheduled Searches Overview

Widget	Description	Type
FDR Ingest Problems by Repository	How many distinct FDR feeds had problems per repository. Hide Query Show Query logscale `#category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| timechart(dataspace, limit=50, function=count(field=fdrFeedName, distinct=true))`	`Time Chart`
Errors due to Action Invocation	Overview of errors with invoking actions when a filter alert triggers. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=Action dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName, actionName], function=[tail(1), count(as="No. of times failed")]) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository/view", "Alert name", "No. of times failed", "Last failed", "Last message", "Last suggestion", "Last exceptionMessage", "alertId", "#category"], sortby=["No. of times failed", "Repository/view","Alert name"], order=[desc,asc,asc], limit=1000)	`Table`
Scheduled Reports Lagging Behind	Overview of scheduled reports which cannot keep up with the schedule and where a planned execution was skipped. Scheduled reports that are on this list should first be checked if they have other problems. Second, if the time they lagged behind was a time where LogScale was not running optimally. If neither is the case, the target dashboard might need to be optimized. Hide Query Show Query logscale #category="ScheduledReport" \| message="Scheduled report lacked behind and had to be rescheduled" \| dataspace=?{repository=} scheduledReportName=?{scheduledReportName=} \| groupby([dataspace, scheduledReportName], function=[tail(1), count(as="No. of times lagging behind")]) \| rename(@timestamp, as="Last lagging behind") \| rename("dataspace", as="Repository/view") \| rename("scheduledReportName", as="Scheduled report name") \| table(["Repository/view", "Scheduled report name", "No. of times lagging behind", "Last lagging behind", "scheduledReportId"], sortby=["No. of times lagging behind", "Repository/view", "Scheduled report name"], order=[desc,asc,asc], limit=1000)	`Table`
Errors with User	Overview of errors with running filter alerts due to either the user having been deleted or the user not having permissions to run the filter alert. Fix this by either granting the user the missing permissions, change the alert to run as another user, or change the alert to run on behalf of the organization. Hide Query Show Query logscale #category=FilterAlert #severity="Error" subCategory=User dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=tail(1)) \| rename(@timestamp, as="Last failed") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("message", as="Message") \| rename("suggestion", as="Suggestion") \| table(["Repository/view", "Alert name", "Last failed", "Message", "Suggestion", "alertId", "#category"], sortby=["Repository/view", "Alert name"], order=[asc,asc], limit=1000)	`Table`
Successful Alert Triggers	This chart displays when the alert successfully triggered. Hide Query Show Query logscale `#category=FilterAlert dataspace=?repository alertName=?alertName \| message="Alert triggered on event and invoked at least one action" \| timechart(alertName)`	`Time Chart`
Problems	Number of error or warning logs per feed as well as the number of restarts. Unless the feed configuration is changed, a restart suggests some sort of problem with the feed. Also shows information about the last problem. Hide Query Show Query logscale #category=Fdr \| #severity =~ in(values=["Warning", "Error"]) \| dataspace=?{repository=} fdrFeedName=?{fdrFeedName=} \| groupby([dataspace, fdrFeedName], function=[tail(1), count(as="No. of problems"), count(field=streamId, distinct=true, as="restarts")]) \| restarts := restarts - 1 \| rename(@timestamp, as="Last problem at") \| rename("dataspace", as="Repository") \| rename("fdrFeedName", as="FDR feed name") \| rename("restarts", as="No. of restarts") \| rename("suggestion", as="Last suggestion") \| rename("message", as="Last message") \| rename("exceptionMessage", as="Last exceptionMessage") \| table(["Repository", "FDR feed name", "No. of problems", "No. of restarts", "Last problem at", "Last message", "Last suggestion", "Last exceptionMessage"], sortby=["No. of problems", "Repository", "FDR feed name"], order=[desc,asc,asc], limit=1000)	`Table`
Filter Alerts Triggered	Overview of filter alerts that triggered and successfully invoked at least one action. Hide Query Show Query logscale #category=FilterAlert message="Alert triggered on event and invoked at least one action" dataspace=?{repository=} alertName=?{alertName=} \| groupby([dataspace, alertName], function=[selectLast(["@timestamp", actionIds, alertId]), count(as="No. of times triggered")]) \| rename(@timestamp, as="Last triggered") \| rename("dataspace", as="Repository/view") \| rename("alertName", as="Alert name") \| rename("actionIds", as="Action ids") \| table(["Repository/view", "Alert name", "Action ids", "No. of times triggered", "Last triggered", "alertId"], sortby=["No. of times triggered", "Repository/view", "Alert name"], order=[desc,asc,asc], limit=1000)	`Table`

Integrations

Packages

Other Integrations

Log Formats

humio/activity Dashboards

Alert Details

Alerts Overview

FDR Ingest Status

Filter Alert Details

Filter Alerts Overview

Legacy Alert Details

Legacy Alerts Overview

Scheduled Reports Overview

Scheduled Search Details

Scheduled Searches Overview

Enter search term