Alert, Scheduled Search, and Scheduled Report Errors and Resolutions
Messages for alerts, scheduled searches, and scheduled reports are logged in the humio-activity repository.
When investigating errors to identify issues, make use of the message and suggestion fields to provide guidance on why an issue has occurred. The list below describes each message type.
Info: is informational and does not require action.Warning: there is something to be aware of. In some cases, the warning resolves on its own. But if the message persists, it may require action.Error: there is an error that requires action.
The table below lists the messages in the UI and corresponding suggestions to resolve issues. These appear in the humio-activity repository. For more information about troubleshooting messages, see Diagnose trigger warnings and errors.
Table: Alert, scheduled search, scheduled report errors and solutions
| Message | Version | Component | Severity | Status | Description | Solution |
|---|---|---|---|---|---|---|
| Problem invoking action. If all actions fail, they will be retried | AggregateAlert | Error | | There was a problem invoking the alert's actions and all actions failed. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the invoked actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. | |
| Starting alert query did not finish in time. It will be retried in the next run | AggregateAlert | Error | Failure | The alert query did not finish in time and will be automatically retried in the next run. | If the error persists after retry, contact LogScale Support for assistance if needed. | |
| An unexpected error occurred. The alert is skipped | AggregateAlert | Error | Failure | There can be several reasons that this error appears. |
Look at the exceptionMessage
and consult documentation based upon that for possible solutions.
Contact LogScale
Support for assistance if needed.
| |
| Polling alert query resulted in an error | AggregateAlert | Error | Failure | The alert query produced an error. This can be due to many different reasons. |
Look at the message in the
exceptionMessage and consult
documentation based upon that for possible solutions.
| |
| Starting alert query resulted in an error | AggregateAlert | Error | Failure | The query returned an error when starting. This is usually because of an error in the query. |
Look at the message in the
exceptionMessage field and
consult documentation based upon that for possible solutions.
Contact LogScale
Support for assistance if needed.
| |
| Running a historic query to catch up took too long and the result is now outside the retry limit. LogScale will skip this data and start a query for events within the retry limit. | AggregateAlert | Error | Failure | The historic query to catch up took too long to run and has reached the retry limit. The system will skip the data and start running a query for events within the retry limit. | Edit the query, if possible, so it does not take too long to run. For information about editing queries, see Edit triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. | |
| The alert is broken and will not run | AggregateAlert | Error | Failure | The alert configuration prevents the alert from running. | Edit the alert, check all fields and queries, and save it again. For more information about how to do this, see Edit triggers. | |
| Could not start alert query since it is blocked | AggregateAlert | Error | Failure | The alert query cannot run since it is blocked. | Either rewrite the alert query so it is no longer blocked, or check with the system administrator and remove the query from the blocklist. If using LogScale Cloud, this error can occur if the cluster is in a maintenance window. | |
| Alert is too far behind. Will skip results that are older than the catch up limit | AggregateAlert | Error | |
Data older than X hours based on the configured value in the
AGGREGATE_ALERTS_MAX_CATCH_UP_LIMIT parameter will
not be considered in alert results.
| Look at other logs from the alert to see if there are any errors or warnings, or check whether there are other problems with LogScale. | |
| Alert is too far behind. Will skip results that are older than $catchUpLimit | 1.143.0 | AggregateAlert | Error | |
Data older than X hours based on the configured value in the
AGGREGATE_ALERTS_MAX_CATCH_UP_LIMIT parameter will
not be considered in alert results.
| Look at other logs from the alert to see if there are any errors or warnings, or check whether there are other problems with LogScale. |
| There has been a query warning that some events are unavailable for more than ${limit}. These events will now be skipped | AggregateAlert | Error | | Some events have been unavailable for more that the configured amount of time for the cluster. If there were events that may have produced results, these events were skipped during query execution. | Look at the query warning. Run query manually, if needed. Check cluster performance. | |
| Alert query took too long to start and the result are now too old. LogScale will stop the live query and start running historic queries to catch up. | AggregateAlert | Error | Failure | The alert query took too long to run, meaning that the results are now too old. The system will stop live queries and start running historic queries to catch up. | Edit the query, if possible, so it does not take too long to run. For information about editing queries, see Edit triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. | |
| Alert query took too long to start and the result is now too old. LogScale will stop the live query and start running historic queries to catch up. | 1.166.0 | AggregateAlert | Error | Failure | The alert query took too long to run, meaning that the results are now too old. The system will stop live queries and start running historic queries to catch up. | Edit the query, if possible, so it does not take too long to run. For information about editing queries, see Edit triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. |
| The alert is broken | AggregateAlert | Error | Failure | The alert configuration prevents the alert from running. | Edit the alert, check all fields and queries, and save it again. For more information about how to do this, see Edit triggers. | |
| The alert is not assigned to run on any node | AggregateAlert | Error | Failure | The alert is not assigned to run on any nodes. Alerts are distributed evenly among the nodes in a cluster, so that each one runs on a single node. Reassignment of nodes on which alerts run occurs automatically when new cluster nodes are added or old cluster nodes are removed. | If the alert does not run on another node after 15 minutes, contact LogScale Support. | |
| Problem invoking actions. The alert is not considered to have triggered and will not be throttled | AggregateAlert | Error | Failure | There was a problem triggering the alert's actions. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. | |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that does not exist anymore. Change the alert to run as a different user or on behalf of the organization. | AggregateAlert | Error | Failure | The user attempting to execute the query no longer exists in the system. | Save the alert as a user that exists in the system, or change the alert to run on behalf of the organization. For more information about how to do this, see Edit triggers. | |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that does not exist anymore. Change the ${triggerType.toLowerCase} to run as a different user or on behalf of the organization. | 1.166.0 | AggregateAlert | Error | Failure | The user attempting to execute the query no longer exists in the system. | Save the alert as a user that exists in the system, or change the alert to run on behalf of the organization. For more information about how to do this, see Edit triggers. |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that no longer has read permission on the view. Grant the user permission again, or change the alert to run as a different user or on behalf of the organization. | AggregateAlert | Error | Failure | The configured user no longer has read access to the view or repository. | grant the user read permissions on the repository or view that the alert is running in, or save the alert with a user that has such permissions or to run on behalf of an organization. | |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that no longer has read permission on the view. Grant the user permission again, or change the ${triggerType.toLowerCase} to run as a different user or on behalf of the organization. | 1.166.0 | AggregateAlert | Error | Failure | The configured user no longer has read access to the view or repository. | grant the user read permissions on the repository or view that the alert is running in, or save the alert with a user that has such permissions or to run on behalf of an organization. |
| Polling alert query resulted in warnings that are treated as errors. The alert will not trigger if the result contains events | AggregateAlert | Error | Failure | Polling alert query resulted in warnings that are treated as errors. The alert will not trigger if the result contains events. | In this case, you must look at the specific messages in the errors field and fix them, if possible. | |
| Problem invoking action. If all actions fail, they will be retried | FilterAlert | Error | | There was a problem invoking the alert's actions and all actions failed. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the invoked actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. | |
| Starting alert query did not finish in time. It will be retried in the next run | FilterAlert | Error | Failure | The alert query did not finish in time and will be automatically retried in the next run. | If the error persists after retry, contact LogScale Support for assistance if needed. | |
| An unexpected error occurred. The alert is skipped | FilterAlert | Error | Failure | There can be several reasons that this error appears. |
Look at the exceptionMessage
and consult documentation based upon that for possible solutions.
Contact LogScale
Support for assistance if needed.
| |
| Polling alert query resulted in an error | FilterAlert | Error | Failure | The alert query produced an error. This can be due to many different reasons. |
Look at the message in the
exceptionMessage and consult
documentation based upon that for possible solutions.
| |
| Starting alert query resulted in an error | FilterAlert | Error | Failure | The query returned an error when starting. This is usually because of an error in the query. |
Look at the message in the
exceptionMessage field and
consult documentation based upon that for possible solutions.
Contact LogScale
Support for assistance if needed.
| |
| An event from the alert query does not contain @id or @ingesttimestamp | FilterAlert | Error | Failure | The alert query has removed the @id or @ingesttimestamp fields. This is needed for the alert to be able to run. | Check the alert query definition and edit it so that it preserves @id and @ingesttimestamp , if needed. For more information about how to do this, see Edit triggers. | |
| Running a historic query to catch up took too long and the result is now outside the retry limit. LogScale will skip this data and start a query for events within the retry limit. | FilterAlert | Error | Failure | The historic query to catch up took too long to run and has reached the retry limit. The system will skip the data and start running a query for events within the retry limit. | Edit the query, if possible, so it does not take too long to run. For information about editing queries, see Edit triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. | |
| Triggering on event did not succeed within retry limit, it will not be retried further | FilterAlert | Error | |
There was an action error and the value in the configurable
FILTER_ALERTS_MAX_CATCH_UP_LIMIT parameter has been
reached. It will not attempt to trigger the action further.
| Check the specific errors or warnings from invoking actions. If needed, contact LogScale Support for assistance. | |
| Could not start alert query since it is blocked | FilterAlert | Error | Failure | The alert query cannot run since it is blocked. | Either rewrite the alert query so it is no longer blocked, or check with the system administrator and remove the query from the blocklist. If using LogScale Cloud, this error can occur if the cluster is in a maintenance window. | |
| Did not start historic query to catch up since ingest is too far behind | FilterAlert | Error | Failure | Data is behind because ingest has not caught up. So the historic query on older data cannot run. | Look at other logs from the alert to see if there are any errors or warnings, or check whether there are other problems with LogScale. | |
| Alert is too far behind. Will skip events that are older than the catch up limit | FilterAlert | Error | |
Data older than X hours based on the configured value in the
FILTER_ALERTS_MAX_CATCH_UP_LIMIT parameter will not
be considered in alert results.
| Look at other logs from the alert to see if there are any errors or warnings, or check whether there are other problems with LogScale. | |
| There has been a query warning that some events are unavailable for more than ${limit}. These events will now be skipped | FilterAlert | Error | | Some events have been unavailable for more that the configured amount of time for the cluster. If there were events that may have produced results, these events were skipped during query execution. | Look at the query warning. Run query manually, if needed. Check cluster performance. | |
| Alert query took too long to start and the result is now too old. LogScale will stop the live query and start running historic queries to catch up. | 1.166.0 | FilterAlert | Error | Failure | The alert query took too long to run, meaning that the results are now too old. The system will stop live queries and start running historic queries to catch up. | Edit the query, if possible, so it does not take too long to run. For information about editing queries, see Edit triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. |
| Alert query took too long to start and the result are now too old. LogScale will stop the live query and start running historic queries to catch up. | FilterAlert | Error | Failure | The alert query took too long to run, meaning that the results are now too old. The system will stop live queries and start running historic queries to catch up. | Edit the query, if possible, so it does not take too long to run. For information about editing queries, see Edit triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. | |
| The alert is broken | FilterAlert | Error | Failure | The alert configuration prevents the alert from running. | Edit the alert, check all fields and queries, and save it again. For more information about how to do this, see Edit triggers. | |
| The alert is not assigned to run on any node | FilterAlert | Error | Failure | The alert is not assigned to run on any nodes. Alerts are distributed evenly among the nodes in a cluster, so that each one runs on a single node. Reassignment of nodes on which alerts run occurs automatically when new cluster nodes are added or old cluster nodes are removed. | If the alert does not run on another node after 15 minutes, contact LogScale Support. | |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that does not exist anymore. Change the ${triggerType.toLowerCase} to run as a different user or on behalf of the organization. | 1.166.0 | FilterAlert | Error | Failure | The user attempting to execute the query no longer exists in the system. | Save the alert as a user that exists in the system, or change the alert to run on behalf of the organization. For more information about how to do this, see Edit triggers. |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that does not exist anymore. Change the alert to run as a different user or on behalf of the organization. | FilterAlert | Error | Failure | The user attempting to execute the query no longer exists in the system. | Save the alert as a user that exists in the system, or change the alert to run on behalf of the organization. For more information about how to do this, see Edit triggers. | |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that no longer has read permission on the view. Grant the user permission again, or change the ${triggerType.toLowerCase} to run as a different user or on behalf of the organization. | 1.166.0 | FilterAlert | Error | Failure | The configured user no longer has read access to the view or repository. | grant the user read permissions on the repository or view that the alert is running in, or save the alert with a user that has such permissions or to run on behalf of an organization. |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that no longer has read permission on the view. Grant the user permission again, or change the alert to run as a different user or on behalf of the organization. | FilterAlert | Error | Failure | The configured user no longer has read access to the view or repository. | grant the user read permissions on the repository or view that the alert is running in, or save the alert with a user that has such permissions or to run on behalf of an organization. | |
| Problem invoking action | Alert | Error | | There was a problem invoking the alert's actions. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the invoked actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. | |
| Problem invoking action. If all actions fail, they will be retried | 1.144.0 | Alert | Error | | There was a problem invoking the alert's actions. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the invoked actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. |
| Problem invoking actions. The alert is not considered to have triggered and will not be throttled | Alert | Error | Failure | There was a problem invoking the alert's actions and all actions failed. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the invoked actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. | |
| Alert is broken and will not run | Alert | Error | Failure | The alert configuration prevents the alert running. | Edit the alert and save it again. For more information about how to do this, see Edit triggers. | |
| Polling alert query resulted in an error | Alert | Error | Failure | The alert query produced an error. This can be due to many different reasons. |
Look at the message in the
exceptionMessage and consult
documentation based upon that for possible solutions.
| |
| Could not submit alert query | Alert | Error | Failure | There can be several reasons that it is not possible to submit the query. |
Look at the exceptionMessage
and consult documentation based upon that for possible solutions.
Contact LogScale
Support for assistance if needed.
| |
| Alert is being stopped, since the alert is not assigned to run on any node | Alert | Error | Failure | The alert is not assigned to run on any nodes. Alerts are distributed evenly among the nodes in a cluster, so that each one runs on a single node. Reassignment of nodes on which alerts run occurs automatically when new cluster nodes are added or old cluster nodes are removed. | If the alert does not run on another node after 15 minutes, contact LogScale Support. | |
| Could not submit alert query since it is blocked | Alert | Error | Failure | The alert query cannot run since it is blocked. | Either rewrite the alert query so it is no longer blocked, or check with the system administrator and remove the query from the blocklist. If using LogScale Cloud, this error can occur if the cluster is in a maintenance window. | |
| Could not submit alert query since the search interval is too short | Alert | Error | Failure | Could not submit the alert query since the search interval is too short. | Edit the query to expand the search interval and save it. For more information about how to do this, see Edit triggers. | |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that does not exist anymore. Change the ${triggerType.toLowerCase} to run as a different user or on behalf of the organization. | 1.166.0 | Alert | Error | Failure | The user attempting to execute the query no longer exists in the system. | Save the alert as a user that exists in the system, or change the alert to run on behalf of the organization. For more information about how to do this, see Edit triggers. |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that does not exist anymore. Change the alert to run as a different user or on behalf of the organization. | Alert | Error | Failure | The user attempting to execute the query no longer exists in the system. | Save the alert as a user that exists in the system, or change the alert to run on behalf of the organization. For more information about how to do this, see Edit triggers. | |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that no longer has read permission on the view. Grant the user permission again, or change the alert to run as a different user or on behalf of the organization. | Alert | Error | Failure | The configured user no longer has read access to the view or repository. | Grant the user read permissions on the repository or view that the alert is running in, change the alert to run as another user with such permissions, or change the alert to run on behalf of the organization | |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that no longer has read permission on the view. Grant the user permission again, or change the ${triggerType.toLowerCase} to run as a different user or on behalf of the organization. | 1.166.0 | Alert | Error | Failure | The configured user no longer has read access to the view or repository. | Grant the user read permissions on the repository or view that the alert is running in, change the alert to run as another user with such permissions, or change the alert to run on behalf of the organization |
| Polling alert query resulted in warnings that are treated as errors. The alert will not trigger if the result contains events | Alert | Error | Failure | Polling alert query resulted in warnings that are treated as errors. The alert will not trigger if the result contains events. | In this case, you must look at the specific messages in the errors field and fix them, if possible. | |
| Scheduled report dashboard is missing. | ScheduledReport | Error | Failure | The dashboard on which the scheduled report is based is missing. | Inspect the scheduled report and update it with an existing dashboard. | |
| Scheduled report failed to finish executing because of a configuration error. Report will be disabled | ScheduledReport | Error | Failure | The scheduled report failed to finish executing because of a configuration error. The report will be disabled to allow time to resolve the error. | Edit the scheduled report configuration and enable the report again. | |
| Scheduled report failed to finish executing because of a configuration error. Report will be disabled! | 1.140.0 | ScheduledReport | Error | Failure | The scheduled report failed to finish executing because of a configuration error. The report will be disabled to allow time to resolve the error. | Edit the scheduled report configuration and enable the report again. |
| Scheduled report job cannot send render requests due to missing publicUrl configuration | ScheduledReport | Error | Failure | The public URL configuration is missing and the scheduled report job cannot send requests to render the reports. | Contact the system administrator to get the proper configuration for the public URL set up for the cluster. | |
| Scheduled report is broken and will not run | ScheduledReport | Error | Failure | The scheduled report configuration prevents the alert from running. | Check if the referenced dashboard was deleted. Update the scheduled report to fix the issue. For more information about how to do this, see Edit Scheduled Reports. | |
| Scheduled report execution is being stopped, since the scheduled report is broken | ScheduledReport | Error | | Some configuration of the scheduled report is broken and the report cannot run. | Check if the referenced dashboard that is the basis for the scheduled report was deleted. Update or recreate the scheduled report to fix the issue. | |
| Scheduled report execution is being stopped, since the scheduled report is not assigned to run on any node | ScheduledReport | Error | Failure | The scheduled report is not assigned to run on any nodes. Scheduled reports are distributed evenly among the nodes in a cluster, so that each one runs on a single node. Reassignment of nodes on which scheduled reports run occurs automatically when new cluster nodes are added or old cluster nodes are removed. | If the scheduled report does not run on another node after 15 minutes, contact LogScale Support. | |
| Problem firing action | ScheduledSearch | Error | | There was a problem starting the action for the scheduled search. | This message may self resolve. Otherwise, review the scheduled search and check the actions. For more information about actions, see Actions. | |
| Could not submit scheduled search query | ScheduledSearch | Error | Failure | There can be several reasons that it is not possible to submit the query. |
Look at the exceptionMessage
and consult documentation based upon that for possible solutions.
Contact LogScale
Support for assistance if needed.
| |
| An unexpected error occurred. The scheduled search is skipped | ScheduledSearch | Error | Failure | There can be several reasons that this error appears. |
Look at the exceptionMessage
and consult documentation based upon that for possible solutions.
Contact LogScale
Support for assistance if needed.
| |
| Encountered an error starting a scheduled search query | ScheduledSearch | Error | Failure |
Scheduled search did not start due to the error described in the
exceptionMessage.
|
Look at the exceptionMessage
and consult the documentation for possible solutions.
| |
| Could not fire actions for scheduled search | ScheduledSearch | Error | Failure | The actions of the scheduled search could not be triggered. No actions in the scheduled search were triggered. |
Look at the exceptionMessage
and consult the documentation for possible solutions. Check the
action configuration in the scheduled search and ensure that there
are no operational issues with the action type's system, such as
email, pager, etc. Check the (category scheduled search,
subcategory action) for specific information about the actions
that failed.
| |
| Could not submit query for scheduled search as it is blocked. | ScheduledSearch | Error | Failure | The alert query cannot run since it is blocked. | Either rewrite the alert query so it is no longer blocked, or check with the system administrator and remove the query from the blocklist. If using LogScale Cloud, this error can occur if the cluster is in a maintenance window. | |
| Scheduled search query is blocked. Either rewrite the query or get it unblocked. | 1.166.0 | ScheduledSearch | Error | Failure | The alert query cannot run since it is blocked. | Either rewrite the alert query so it is no longer blocked, or check with the system administrator and remove the query from the blocklist. If using LogScale Cloud, this error can occur if the cluster is in a maintenance window. |
| Polling scheduled search query resulted in an error | ScheduledSearch | Error | Failure | The alert query produced an error. This can be due to many different reasons. |
Look at the message in the
exceptionMessage and consult
documentation based upon that for possible solutions.
| |
| Could not submit scheduled search query | ScheduledSearch | Error | Failure | There can be several reasons that it is not possible to submit the query. |
Look at the exceptionMessage
and consult documentation based upon that for possible solutions.
Contact LogScale
Support for assistance if needed.
| |
| Scheduled search query took too long and the result is now outside the backfill limit. LogScale will skip this run and start the next scheduled run. | ScheduledSearch | Error | Failure | The scheduled search query took too long to run and has reached the backfill limit. The system will skip the run and start the net scheduled run. | Edit the scheduled search query, if possible, so it does not take too long to run. For information about editing scheduled searches, see Create triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. | |
| Scheduled search query took too long and the result is now outside the backfill limit. LogScale will skip this run and start the next scheduled run. | ScheduledSearch | Error | Failure | The scheduled search query took too long to run and has reached the backfill limit. The system will skip the run and start the net scheduled run. | Edit the scheduled search query, if possible, so it does not take too long to run. For information about editing scheduled searches, see Create triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. | |
| Scheduled search query took too long and the result is now outside the max wait time. LogScale will skip this run and start the next scheduled run. | ScheduledSearch | Error | Failure | The scheduled search query took too long to run and has reached the max wait time. The system will skip the run and start the net scheduled run. | Edit the scheduled search query, if possible, so it does not take too long to run. For information about editing scheduled searches, see Create triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. | |
| Scheduled search is broken and will not run | ScheduledSearch | Error | Failure | The scheduled search is broken and will not run. This is likely due to a configuration. | Update and save the scheduled search again. | |
| Scheduled search is being stopped, since the scheduled search is broken | ScheduledSearch | Error | Failure | The scheduled search is broken and will not run. This is likely due to a configuration. | Update and save the scheduled search again. | |
| Scheduled search is being stopped, since the scheduled search is not assigned to run on any node | ScheduledSearch | Error | Failure | The scheduled search is not assigned to run on any nodes. Scheduled searches are distributed evenly among the nodes in a cluster, so that each one runs on a single node. Reassignment of nodes on which scheduled searches run occurs automatically when new cluster nodes are added or old cluster nodes are removed. | If the scheduled search does not run on another node after 15 minutes, contact LogScale Support. | |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that does not exist anymore. Change the ${triggerType.toLowerCase} to run as a different user or on behalf of the organization. | 1.166.0 | ScheduledSearch | Error | Failure | The scheduled search was saved by a user that no longer exists. | You have to either change the scheduled search to run as a user that exists in the system, or change the scheduled search to run on behalf of the organization. For more information, see Create triggers. |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that does not exist anymore. Change the alert to run as a different user or on behalf of the organization. | ScheduledSearch | Error | Failure | The scheduled search was saved by a user that no longer exists. | You have to either change the scheduled search to run as a user that exists in the system, or change the scheduled search to run on behalf of the organization. For more information, see Create triggers. | |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that no longer has read permission on the view. Grant the user permission again, or change the ${triggerType.toLowerCase} to run as a different user or on behalf of the organization. | 1.166.0 | ScheduledSearch | Error | Failure | The scheduled search cannot run because it was saved by a user that does not have read permission on the view now. | You have to either grant the user read permissions on the repository or view that the scheduled search is running in, change the scheduled search to run as another user with such permissions, or change the scheduled search to run on behalf of the organization. For more information, see Create triggers. |
| Cannot run ${triggerType.toLowerCase}. ${triggerType} was saved by a user that no longer has read permission on the view. Grant the user permission again, or change the alert to run as a different user or on behalf of the organization. | ScheduledSearch | Error | Failure | The scheduled search cannot run because it was saved by a user that does not have read permission on the view now. | You have to either grant the user read permissions on the repository or view that the scheduled search is running in, change the scheduled search to run as another user with such permissions, or change the scheduled search to run on behalf of the organization. For more information, see Create triggers. | |
| Polling scheduled search query resulted in warnings that are treated as errors. The scheduled search will not trigger any actions if it finds any events | ScheduledSearch | Error | Failure | Polling scheduled search query resulted in warnings that are treated as errors. The scheduled search will not trigger if the result contains events. | In this case, you must look at the specific messages in the errors field and fix them, if possible. | |
| Alert has changed, restarting query | AggregateAlert | Info | | The alert query was edited while running, so the query will restart automatically. | None. This message is informational. | |
| Alert found results, but no actions were invoked since the alert is throttled | AggregateAlert | Info | Success | The alert found results, but no actions were invoked since the alert is throttled. | None. This message is informational. | |
| Alert found no results and will not trigger | AggregateAlert | Info | Success | The alert query, as configured, found no events that matched its requirements and no actions will trigger. | None. This message is informational. | |
| Alert query polled | AggregateAlert | Info | | The alert query ran. | None. This message is informational. | |
| Query started | AggregateAlert | Info | Success | The query started successfully. | None. This message is informational. | |
| The alert was deleted | AggregateAlert | Info | | The alert was deleted and will not run. | It is not possible to recover a deleted alert. If you want it to run, you must create the alert again. | |
| The organization of the alert was deleted | AggregateAlert | Info | | The organization for which the alert was created has been deleted. | Recreate the alert for another organization. | |
| The view of the alert was deleted | AggregateAlert | Info | | The view with which the alert was associated has been deleted and the job cannot run. | Add the alert to another view. | |
| The alert was disabled | AggregateAlert | Info | | The alert was disabled and cannot run. | If you want the alert to run, enable it again. For more information about how to do this, see Edit triggers. | |
| License has expired | AggregateAlert | Info | | The license has expired and must be renewed to continue. | Contact LogScale Support for assistance. | |
| The alert has no associated actions | AggregateAlert | Info | | The alert has no associated actions. Because a successful alert must trigger at least one action, the alert is stopped. | Edit the alert to add actions and save it. For more information about how to do this, see Edit triggers. | |
| The organization is being transferred | AggregateAlert | Info | | The organization is being transferred to a new cluster, and alerts are stopped during the transfer process. | If not resolved after 15 minutes, contact Logscale Support for more information. | |
| The alert was assigned to run on node $vhost | AggregateAlert | Info | | The alert was assigned to run on a another node in the cluster. | None. This message is informational. | |
| The view is not connected to any repository | AggregateAlert | Info | | The alert contains a view that is not connected to any repository. | Edit the view to connect it to a repository, or edit the alert to use another view that is connected to a repository. | |
| Alert triggering | AggregateAlert | Info | | The alert is triggering actions. | None. This message is informational. | |
| Alert triggered and invoked at least one action and will be throttled | AggregateAlert | Info | Success | The alert triggered and invoked at least one action and will be throttled. This indicates a successful alert. | None. This message is informational. | |
| Alert has changed, restarting query | FilterAlert | Info | | The alert query was edited while running, so the query will restart automatically. | None. This message is informational. | |
| Alert found results, but no actions were invoked since the alert is throttled | FilterAlert | Info | Success | The alert found results, but no actions were invoked since the alert is throttled. | None. This message is informational. | |
| Alert found no results and will not trigger | FilterAlert | Info | Success | The alert query, as configured, found no events that matched its requirements and no actions will trigger. | None. This message is informational. | |
| Alert query polled | FilterAlert | Info | | The alert query ran. | None. This message is informational. | |
| Query started | FilterAlert | Info | Success | The query started successfully. | None. This message is informational. | |
| The alert was deleted | FilterAlert | Info | | The alert was deleted and will not run. | It is not possible to recover a deleted alert. If you want it to run, you must create the alert again. | |
| The organization of the alert was deleted | FilterAlert | Info | | The organization for which the alert was created has been deleted. | Recreate the alert for another organization. | |
| The view of the alert was deleted | FilterAlert | Info | | The view with which the alert was associated has been deleted and the job cannot run. | Add the alert to another view. | |
| The alert was disabled | FilterAlert | Info | | The alert was disabled and cannot run. | If you want the alert to run, enable it again. For more information about how to do this, see Edit triggers. | |
| License has expired | FilterAlert | Info | | The license has expired and must be renewed to continue. | Contact LogScale Support for assistance. | |
| The alert has no associated actions | FilterAlert | Info | | The alert has no associated actions. Because a successful alert must trigger at least one action, the alert is stopped. | Edit the alert to add actions and save it. For more information about how to do this, see Edit triggers. | |
| The organization is being transferred | FilterAlert | Info | | The organization is being transferred to a new cluster, and alerts are stopped during the transfer process. | If not resolved after 15 minutes, contact Logscale Support for more information. | |
| The alert was assigned to run on node $vhost | FilterAlert | Info | | The alert was assigned to run on a another node in the cluster. | None. This message is informational. | |
| The view is not connected to any repository | FilterAlert | Info | | The alert contains a view that is not connected to any repository. | Edit the view to connect it to a repository, or edit the alert to use another view that is connected to a repository. | |
| Alert triggering on event | FilterAlert | Info | | The alert is triggering actions. | None. This message is informational. | |
| Alert triggered on event and invoked at least one action | FilterAlert | Info | Success | The alert triggered and invoked at least one action and will be throttled. This indicates a successful alert. | None. This message is informational. | |
| Alert has changed, restarting query | Alert | Info | | The alert query was edited while running, so the query will restart automatically. | None. This message is informational. | |
| Alert found results, but no actions were invoked since the alert is throttled | Alert | Info | Success | The alert found results, but no actions were invoked since the alert is throttled. | None. This message is informational. | |
| Alert triggered and invoked at least one action and will be throttled | Alert | Info | Success | The alert triggered and invoked at least one action. The alert will be throttled. | None. This message is informational. | |
| Alert triggering | Alert | Info | | The alert is triggering actions. | None. This message is informational. | |
| Alert is being stopped, since the alert is assigned to run on node $vhost | Alert | Info | Success | The alert was assigned to run on a another node in the cluster. | None. This message is informational. | |
| Alert is being stopped, since the alert was deleted | Alert | Info | Success | The alert was deleted and will not run. | It is not possible to recover a deleted alert. If you want it to run, you must create the alert again. | |
| Alert has been disabled and the alert query will be cancelled | Alert | Info | | The alert was disabled and cannot run. | If you want the alert to run, enable it again. For more information about how to do this, see Edit triggers. | |
| Alert is running on a view that is not connected to any repository. The alert query will be cancelled | Alert | Info | | The alert contains a view that is not connected to any repository. | Edit the view to connect it to a repository, or edit the alert to use another view that is connected to a repository. | |
| License has expired and the alert query will be cancelled | Alert | Info | | The license has expired and must be renewed to continue. | Contact LogScale Support for assistance. | |
| Alert no longer has any associated actions and the alert query will be cancelled | Alert | Info | | The alert has no associated actions. Because a successful alert must trigger at least one action, the alert is stopped. | Edit the alert to add actions and save it. For more information about how to do this, see Edit triggers. | |
| Alert found no results and will not trigger | Alert | Info | Success | The alert query, as configured, found no events that matched its requirements and no actions will trigger. | None. This message is informational. | |
| Alert is being stopped, since the organization is being transferred | Alert | Info | Success | The organization is being transferred to a new cluster, and alerts are stopped during the transfer process. | If not resolved after 15 minutes, contact Logscale Support for more information. | |
| Alert is being stopped, since the organization of the alert was deleted | Alert | Info | Success | The organization for which the alert was created has been deleted. | Recreate the alert for another organization. | |
| Query started | Alert | Info | Success | The query started successfully. | None. This message is informational. | |
| Alert is being stopped, since the view of the alert was deleted | Alert | Info | Success | The view with which the alert was associated has been deleted and the job cannot run. | Add the alert to another view. | |
| Scheduled report is still being generated | ScheduledReport | Info | Success | The scheduled report is still being generated. | None. This message is informational. If the message persists after 15 minutes, contact LogScale Support. | |
| Scheduled report successfully finished executing | ScheduledReport | Info | Success | The scheduled report executed successfully. | None. This message is informational. | |
| Scheduled report execution is being started | ScheduledReport | Info | Success | Scheduled report execution is being started. | None. This message is informational. | |
| Scheduled report generation was not started as the node is shutting down | ScheduledReport | Info | Failure | Scheduled report generation was not started because the node is shutting down. | None. This message is informational. Once the node restarts, scheduled reports will run. Contact the system administrator if the node downtime was unexpected. | |
| Scheduled report generation was not started as the node is shutting down. | 1.140.0 | ScheduledReport | Info | Failure | Scheduled report generation was not started because the node is shutting down. | None. This message is informational. Once the node restarts, scheduled reports will run. Contact the system administrator if the node downtime was unexpected. |
| Scheduled report lagged behind and had to be rescheduled | 1.152.0 | ScheduledReport | Info | Failure | The scheduled report lagged behind and had to be rescheduled. This is sometimes due to the query in the dashboard on which it was based. You may need to optimize the dashboard query. For information about writing better queries, see Writing Better Queries. | If LogScale was running fine when the report was scheduled, you might need to optimize the dashboard. For more information, see Writing Better Queries. |
| Scheduled report lacked behind and had to be rescheduled | ScheduledReport | Info | Failure | The scheduled report lagged behind and had to be rescheduled. This is sometimes due to the query in the dashboard on which it was based. You may need to optimize the dashboard query. For information about writing better queries, see Writing Better Queries. | If LogScale was running fine when the report was scheduled, you might need to optimize the dashboard. For more information, see Writing Better Queries. | |
| Scheduled report found but it should not run because: | 1.141.0 | ScheduledReport | Info | Success | A scheduled report was found but it should not run because of the reason stated in the message. | Look at the reason in the message. If it is necessary to fix something, consult the documentation based on the reason. |
| Scheduled report found but it should not run because | ScheduledReport | Info | Success | A scheduled report was found but it should not run because of the reason stated in the message. | Look at the reason in the message. If it is necessary to fix something, consult the documentation based on the reason. | |
| Scheduled report execution is being stopped, since the organization is being transferred | ScheduledReport | Info | | The organization is being transferred to a new cluster, and scheduled reports are stopped during the transfer process. | If not resolved after 15 minutes, contact Logscale Support for more information. | |
| Scheduled report execution is being stopped, since the organization of the scheduled report was deleted | ScheduledReport | Info | | The organization for which the scheduled report was created has been deleted. | Recreate the scheduled report for another organization. | |
| Scheduled report execution is being stopped, Scheduled report execution is being stopped, since the scheduled report is assigned to run on node $vhost | ScheduledReport | Info | | The scheduled report was assigned to run on a another node in the cluster. | None. This message is informational. | |
| Scheduled report execution is being stopped, since the scheduled report was deleted | ScheduledReport | Info | | The scheduled report was deleted and will not run. | It is not possible to recover a deleted scheduled report. If you want it to run, you must create the scheduled report again. | |
| Scheduled report execution is being stopped, since the view of the scheduled report was deleted | ScheduledReport | Info | | The view with which the scheduled report was associated has been deleted and the job cannot run. | Add the scheduled report to another view. | |
| Scheduled search has been disabled and the scheduled search query will be cancelled | ScheduledSearch | Info | | The alert was disabled and cannot run. | If you want the alert to run, enable it again. For more information about how to do this, see Edit triggers. | |
| Scheduled search found no results and will not trigger | ScheduledSearch | Info | Success | The scheduled search query, as configured, found no events that matched its requirements and no actions will trigger. | None. This message is informational. | |
| Scheduled search is running on a view that is not connected to any repository. The scheduled search query will be cancelled | ScheduledSearch | Info | | The alert contains a view that is not connected to any repository. | Edit the view to connect it to a repository, or edit the alert to use another view that is connected to a repository. | |
| Scheduled search firing actions | ScheduledSearch | Info | | The scheduled search is firing actions. | None. This message is informational. | |
| License has expired and scheduled search will not be run. | ScheduledSearch | Info | | The license has expired and must be renewed to continue. | Contact LogScale Support for assistance. | |
| Scheduled search no longer has any associated actions and the scheduled search query will be cancelled | ScheduledSearch | Info | | The alert has no associated actions. Because a successful alert must trigger at least one action, the alert is stopped. | Edit the alert to add actions and save it. For more information about how to do this, see Edit triggers. | |
| Query was not started as the node is shutting down | ScheduledSearch | Info | Failure | Scheduled search job was not started because the node is shutting down. | None. This message is informational. Once the node restarts, scheduled searches will run. Contact the system administrator if the node downtime was unexpected. | |
| Query started | ScheduledSearch | Info | Success | The query started successfully. | None. This message is informational. | |
| Scheduled search query is still running | ScheduledSearch | Info | Success | The scheduled search query is still running. | None. This message is informational. If the scheduled search query continues to run for an unreasonable amount of time, contact LogScale Support. | |
| Scheduled search is being stopped, since the scheduled search is assigned to run on node $vhost | ScheduledSearch | Info | Success | The scheduled search was assigned to run on a another node in the cluster. | None. This message is informational. | |
| Scheduled search is being stopped, since the scheduled search was deleted | ScheduledSearch | Info | Success | The scheduled search was deleted and will not run. | It is not possible to recover a deleted scheduled search. If you want it to run, you must create the scheduled search again. | |
| Scheduled search is being stopped, since the organization of the scheduled search was deleted | ScheduledSearch | Info | Success | The organization for which the scheduled search was created has been deleted. | Recreate the scheduled search for another organization. | |
| Scheduled search is being stopped, since the organization is being transferred | ScheduledSearch | Info | Success | The organization is being transferred to a new cluster, and scheduled searches are stopped during the transfer process. | If not resolved after 15 minutes, contact Logscale Support for more information. | |
| Scheduled search is being stopped, since the view of the scheduled search was deleted | ScheduledSearch | Info | Success | The view with which the scheduled search was associated has been deleted and the job cannot run. | Add the scheduled search to another view. | |
| Scheduled search successfully triggered at least one action | ScheduledSearch | Info | Success | The scheduled search successfully triggered at least one action. | None. This message is informational. | |
| Error happened while requesting scheduled report through pdf render service client | ScheduledReport | LogSeverity.Error | Failure | An error occurred while requesting the scheduled report through the PDF render service client. This can occur for several reasons. |
Look at the message in the
exceptionMessage field and
consult documentation based upon that for possible solutions.
Contact LogScale
Support for assistance if needed.
| |
| Successfully initiated pdf report generation through pdf render service client | ScheduledReport | LogSeverity.Info | Success | The PDF report generation through the PDF render service client was initiated successfully. | None. This message is informational. | |
| Starting alert query in previous run has not finished. The alert will not be polled in this run | AggregateAlert | Warning | Failure | The alert query starting did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the alert, wait one minute, and enable the alert. NOTE: If you do this you may lose results. | |
| Historic query to catch up has not finished. The alert will not be polled in this run | AggregateAlert | Warning | Success | The running of an history query to catch up did not finish so the alert will not be polled in the run. | None. This message is informational. | |
| The cluster has restarted and is not yet ready. The alert will not be polled in this run | AggregateAlert | Warning | Failure | Because the cluster has restarted, the alert cannot yet run. | None. This message is informational. If the issue continues after 15 minutes, contact LogScale Support. | |
| Starting the alert query has not finished. The alert will not be polled in this run | AggregateAlert | Warning | Failure | Query is submitted but has not finished initial loading. | None. This message is informational. | |
| Discarding values for field-based throttling. The alert might trigger again before the throttle period expires | AggregateAlert | Warning | |
Maximum amount of field values for throttling has been reached.
Once exceeded, the older values are discarded and can produce
alerts again even though they are within the throttling period.
The values for field-based throttling are set in the following
field based on the alert type:
ALERT_MAX_THROTTLE_FIELD_VALUES_STORED. For more
information about field-based throttling, see
Field-Based Throttling.
| If possible, use a field that produces a smaller amount of different values. | |
| Unknown action | AggregateAlert | Warning | | The alert contains an unknown action. | Edit the alert, remove the action, and add a different action. | |
| Polling encountered a cancelled query | AggregateAlert | Warning | Failure | The query was cancelled before execution could complete. | The cancelled query will be restarted automatically. If the problem persists, contact the system administrator. | |
| Polling alert query resulted in a potentially incomplete result due to ingest delay, but since the ingest delay is too high, the result is still used | AggregateAlert | Warning | | The query result is possibly incomplete due to ingest delay. But because the ingest delay is too high, the result is used as it is. |
If running in CompleteMode, try
switching to ImmediateMode. For
more information about this setting and about handling ingest
delays in aggregate alerts, see
FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts. Otherwise,
contact support.
| |
| Polling alert query resulted in a potentially incomplete result due to ingest delay. Skipping since the alert is configured to wait for complete results | AggregateAlert | Warning | | The alert query produced results but these may be incomplete since ingest was delayed. The alert will be skipped because the results were incomplete. | None. This message is informational. If you want the alert to trigger anyway, despite incomplete results, update the trigger mode of the alert. | |
| Polling alert query resulted in a potentially incomplete result due to query warnings, but retrying did not help, so the result is used | AggregateAlert | Warning | | The query result may be incomplete because of query warnings. But retrying the query did not improve the result, so the result is used anyway. | For more information about resolving query warnings for aggregate alerts, see Aggregate alert errors and solutions. Otherwise, contact support for information about how to resolve query warnings to get a more complete result. | |
| Polling alert query resulted in a potentially incomplete result due to query warnings. Skipping since the alert is configured to wait for complete results | AggregateAlert | Warning | | The alert query produced results but these may be incomplete since a query warning was skipped. The alert will be skipped because the results were incomplete. | None. This message is informational. If you want the alert to trigger anyway, despite incomplete results, update the trigger mode of the alert. | |
| Polling alert query in previous run has not finished. The alert will not be polled in this run | AggregateAlert | Warning | Failure | The alert query did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the alert, wait one minute, and enable the alert. NOTE: If you do this you may lose results. | |
| Some of the actions invoked by the alert in the previous alerts loop have not finished and none have finished successfully. The alert will not be polled in this loop | AggregateAlert | Warning | Failure | To be successful, an alert must have at least one successful action. This error indicates that some of the actions in the alert have not finished and none have finished successfully. Therefore, the alert has no successful actions. | This warning can self-resolve. If the issue persists, contact the system administrator or LogScale Support. | |
| Polling alert query while catching up on old data resulted in warnings about missing data. The alert query will be restarted for a while | AggregateAlert | Warning | Failure | Polling alert query resulted in warnings about missing data. The files with the data might be unavailable or the query might not be able to run at the time of execution. The alert query will be retried automatically. | None. This message is informational. The query will be retried automatically. | |
| Polling alert query resulted in warnings about missing data. The alert query will be restarted for a while | AggregateAlert | Warning | Failure | Polling alert query resulted in warnings about missing data. The data might be unavailable or the query might not be able to run. The alert query will be retried automatically. |
None. This message is informational. If the
isLiveQuery field never reverts
to true, contact
support.
| |
| The query result is currently incomplete. The alert will not be polled in this run | AggregateAlert | Warning | Failure | The alert query took too long to run, meaning that the results are now too old. The system will stop live queries and start running historic queries to catch up. | Edit the query, if possible, so it does not take too long to run. For information about editing queries, see Edit triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. | |
| Alert is behind. Will stop live query and start running historic queries to catch up | AggregateAlert | Warning | | The alert execution is behind. The system will stop live queries and start running historic queries to catch up. |
None. This message is informational. If the
isLiveQuery field never reverts
to true, contact the system administrator.
| |
| Starting alert query in previous run has not finished. The alert will not be polled in this run | FilterAlert | Warning | Failure | The alert query starting did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the alert, wait one minute, and enable the alert. NOTE: If you do this you may lose results. | |
| Starting the alert query has not finished. The alert will not be polled in this run | FilterAlert | Warning | Failure | Query is submitted but has not finished initial loading. | None. This message is informational. | |
| Discarding values for field-based throttling. The alert might trigger again before the throttle period expires | FilterAlert | Warning | |
Maximum amount of field values for throttling has been reached.
Once exceeded, the older values are discarded and can produce
alerts again even though they are within the throttling period.
The values for field-based throttling are set in the following
field based on the alert type:
ALERT_MAX_THROTTLE_FIELD_VALUES_STORED. For more
information about field-based throttling, see
Field-Based Throttling.
| If possible, use a field that produces a smaller amount of different values. | |
| Unknown action | FilterAlert | Warning | | The alert contains an unknown action. | Edit the alert, remove the action, and add a different action. | |
| Polling encountered a cancelled query | FilterAlert | Warning | Failure | The query was cancelled before execution could complete. | The cancelled query will be restarted automatically. If the problem persists, contact the system administrator. | |
| Polling alert query in previous run has not finished. The alert will not be polled in this run | FilterAlert | Warning | Failure | The alert query did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the alert, wait one minute, and enable the alert. NOTE: If you do this you may lose results. | |
| Query uses functionality scheduled to change in an automation breaking way | FilterAlert | Warning | | The query contains some functionality that may break the alert after a coming release. | Look at the warning in the warning field, check the release notes for guidance about what has changed and how to adjust, and edit the query accordingly. | |
| $message The alert will trigger with the old information from the database | FilterAlert | Warning | | The database shown in the errorMessage has not been updated recently. | Contact the system administrator to update the database. | |
| Query uses deprecated functionality | FilterAlert | Warning | | The query contains some functionality that has been deprecated in a release. | Look at the warning in the warning field, check the release notes for guidance about what has changed and how to adjust, and edit the query accordingly. | |
| Some events are delayed in ingest. The alert will trigger for available events | FilterAlert | Warning | | Some events are still in the ingest phase and cannot be queried. The alert will trigger for all available events. | None. This message is informational. If the message continues, contact the system administrator. | |
| Some events are currently not available. The alert will trigger for available events | FilterAlert | Warning | | It is not possible to collect results for some events because the events were not available when the query ran. The alert will trigger for all other available events. | If the problem continues, contact Logscale Support. | |
| Some events are currently not available. The alert will trigger for available events and restart the query | FilterAlert | Warning | | Some of the events that might be part of the result are not currently avaiable. The alert will trigger on the available events and then restart to try to catch the events that were not available before. | If this warning continues, contact support. | |
| Some events are permanently not available. The alert will trigger for available events | FilterAlert | Warning | | Some of the events that might be part of the result are not avaiable and never will be. The alert will trigger on the available events. | Contact your LogScale administrator. | |
| $message The alert will trigger without information from the database | FilterAlert | Warning | | The database shown in the errorMessage does not exist or is not available. | Contact the system administrator for assistance. | |
| Query output cleaned for security reasons. $message The alert will trigger for available events | FilterAlert | Warning | | The query results contains specific characters that could be misused. These have been removed. | None. This message is informational. For self-hosted solutions, it is possible to turn off this functionality. | |
| Problem with file used in `match`. $message The alert will trigger for available events | FilterAlert | Warning | | Error in CIDR data in CSV file that will be skipped when parsing the data in the alert query. | Check the CSV file and fix the column containing CIDR data. | |
| Query contains tokens that may differ in semantics from what the query creator expects | FilterAlert | Warning | | The way that the alert query is written may not match what the user expects. | Edit the query for the alert so that the result better fits the user expectation. For information about editing queries, see Edit triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. | |
| Query may differ in semantics from what the query creator expects | 1.177.0 | FilterAlert | Warning | | The way that the alert query is written may not match what the user expects. | Edit the query for the alert so that the result better fits the user expectation. For information about editing queries, see Edit triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. |
| $message The alert will trigger for available events | FilterAlert | Warning | | Not enough resources to run query. | Contact the system administrator for assistance. | |
| Query contains a validation warning | FilterAlert | Warning | | The alert query contains a validation warning. | Look at the warning in the warning field, and edit the query accordingly. If the message persists after editing the query, contact LogScale Support. | |
| The query result is currently incomplete. The alert will not be polled in this run | FilterAlert | Warning | Failure | The alert query took too long to start, meaning that the results are now too old. The system will stop live queries and start running historic queries to catch up. | Edit the query, if possible, so it does not take too long to run. For information about editing queries, see Edit triggers. For information about writing better queries, see Query Writing Best Practices. If the message persists after editing the query, contact LogScale Support. | |
| Alert is behind. Will stop live query and start running historic queries to catch up | FilterAlert | Warning | | The alert execution is behind. The system will stop live queries and start running historic queries to catch up. |
None. This message is informational. If the
isLiveQuery field never reverts
to true, contact the system administrator.
| |
| Filter alert received too many events. It will only trigger on ${state.triggerLimit} per ${FilterAlertJobImpl.QueryBucketSpan} | FilterAlert | Warning | | The alert resulted in too many events and cannot trigger all events. The query is likely too broad. | If this was unexpected, rewrite the alert query to produce fewer results. For more information about how to do this, see Edit triggers. | |
| Filter alert received too many events. It will only trigger on ${state.triggerLimit} per ${FilterAlertJobImpl.QueryBucketDuration} | 1.167.0 | FilterAlert | Warning | | The alert resulted in too many events and cannot trigger all events. The query is likely too broad. | If this was unexpected, rewrite the alert query to produce fewer results. For more information about how to do this, see Edit triggers. |
| Filter alert did not trigger. Trigger limit of ${state.triggerLimit} per ${FilterAlertJobImpl.QueryBucketDuration} has already been reached | 1.167.0 | FilterAlert | Warning | Success | The alert resulted in too many events and cannot trigger all events. The query is likely too broad. | If this was unexpected, rewrite the alert query to produce fewer results. For more information about how to do this, see Edit triggers. |
| Filter alert did not trigger. Trigger limit of ${state.triggerLimit} per ${FilterAlertJobImpl.QueryBucketSpan} has already been reached | FilterAlert | Warning | Success | The alert resulted in too many events and cannot trigger all events. The query is likely too broad. | If this was unexpected, rewrite the alert query to produce fewer results. For more information about how to do this, see Edit triggers. | |
| Alert failed triggering on event | FilterAlert | Warning | Failure | There was a problem triggering the alert's actions. In order to be successful, at least one action must trigger on an alert. The alert is not considered to have triggered and will not be throttled. | Check the logs for the actions if unsure which action failed. Check if there are any problems with the action targets, such as e-mail server down, pager service down, and so on. | |
| Unknown query warning. The alert will trigger for available events | FilterAlert | Warning | | The alert encountered an unknown query. This occurs if, for example, if LogScale is being upgraded. The alert will trigger for the available events but not for any events that might be the result of the unknown query. | Look at the warning in the warning field for more information. | |
| Polling the alert in the previous alerts loop has not finished. The alert will not be polled in this loop | Alert | Warning | Failure | The alert did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the alert, wait one minute, and enable the alert. NOTE: If you do this you may lose results. | |
| Starting the query for the alert in the previous alerts loop has not finished. The alert will not be polled in this loop | Alert | Warning | Failure | The alert query starting did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the alert, wait one minute, and enable the alert. NOTE: If you do this you may lose results. | |
| Some of the actions invoked by the alert in the previous alerts loop have not finished and none have finished successfully. The alert will not be polled in this loop | Alert | Warning | Failure | To be successful, an alert must have at least one successful action. This error indicates that some of the actions in the alert have not finished and none have finished successfully. Therefore, the alert has no successful actions. | This warning can self-resolve. If the issue persists, contact the system administrator or LogScale Support. | |
| Could not cancel alert query | Alert | Warning | | The alert query could not be stopped. Query should not run. | None. This message is informational. | |
| Unknown action | Alert | Warning | | The alert contains an unknown action. | Edit the alert, remove the action, and add a different action. | |
| Alert encountered a cancelled query | Alert | Warning | Failure | The alert encountered a cancelled query during execution. | None. This message is informational. The alert query will be restarted automatically. If this happens frequently, review the alert configuration and contact LogScale Support, if needed. | |
| The query result is currently incomplete. The alert will not be polled in this loop | 1.160.0 | Alert | Warning | Failure | Starting the query for the alert has not finished. The alert will not be polled in this loop | Look at other logs from the alert to see if there are any errors or warnings, or check whether there are other problems with LogScale. |
| Starting the query for the alert has not finished. The alert will not be polled in this loop | Alert | Warning | Failure | Starting the query for the alert has not finished. The alert will not be polled in this loop | Look at other logs from the alert to see if there are any errors or warnings, or check whether there are other problems with LogScale. | |
| Polling alert query resulted in warnings that are normally treated as errors. The alert will still trigger if the result contains events | Alert | Warning | | Polling the alert query resulted in warnings that are normally treated as errors. The alert will still trigger actions if the result contains events. | This message is informational and does not require action. However, consider whether the specific messages in the errors field should be fixed. | |
| Scheduled report failed to finish executing. Report will be retried | ScheduledReport | Warning | Failure | The scheduled report did not finish executing. LogScale will retry the report. | This message may resolve on its own. If the message persists, contact LogScale Support. | |
| Scheduled report failed to finish executing. Report will be retried. | 1.140.0 | ScheduledReport | Warning | Failure | The scheduled report did not finish executing. LogScale will retry the report. | This message may resolve on its own. If the message persists, contact LogScale Support. |
| Render service did not respond in a timely fashion. Returning to planned state in order to retry render request | ScheduledReport | Warning | Failure | The render service did not respond in a reasonable amount of time. LogScale will return the scheduled report job to a planned state in order to retry the render request. | This message may resolve on its own. If it does not resolve after 15 minutes, contact LogScale Support for assistance. | |
| Could not cancel scheduled search query | ScheduledSearch | Warning | | The alert query could not be stopped. Query should not run. | None. This message is informational. | |
| Unknown action | ScheduledSearch | Warning | | The alert contains an unknown action. | Edit the alert, remove the action, and add a different action. | |
| Polling scheduled search query resulted in warnings about missing data, but retrying did not help, so the result is used | ScheduledSearch | Warning | Failure | The retry limit for the scheduled search has been exceeded. Retrying did not find the missing data, so the result is used as it is. |
Investigate if the scheduled search environment variable that
affects retry,
SCHEDULED_SEARCH_MAX_WAIT_FOR_MISSING_DATA can be
adjusted for your scheduled search.
| |
| Scheduled search encountered a cancelled query | ScheduledSearch | Warning | Failure | The query was cancelled before execution could complete. | The cancelled query will be restarted automatically. If the problem persists, contact the system administrator. | |
| Scheduled search query was cancelled and will be restarted | ScheduledSearch | Warning | Success | The alert encountered a cancelled query during execution. | None. This message is informational. The alert query will be restarted automatically. If this happens frequently, review the alert configuration and contact LogScale Support, if needed. | |
| Scheduled search lagged behind and had to be rescheduled | 1.152.0 | ScheduledSearch | Warning | Failure | The scheduled search lagged behind and had to be rescheduled. This is sometimes due to the query configuration. | If LogScale was running fine when the search was scheduled, you might need to optimize the query. For information about writing better queries, see Writing Better Queries. |
| Scheduled search lacked behind and had to be rescheduled | ScheduledSearch | Warning | Failure | The scheduled search lagged behind and had to be rescheduled. This is sometimes due to the query configuration. | If LogScale was running fine when the search was scheduled, you might need to optimize the query. For information about writing better queries, see Writing Better Queries. | |
| Polling scheduled search query resulted in warnings about missing data. The scheduled search will be retried for a while | ScheduledSearch | Warning | Failure | The files with the data might be unavailable or the query might not be able to run at the time of execution. | No action is required. The scheduled search will start again automatically. | |
| Polling the scheduled search in the previous loop has not finished. The scheduled search will not be polled in this loop | ScheduledSearch | Warning | Failure | The scheduled search did not finish in the previous run, so it cannot be polled in the current run. | None. This message is informational. If the problem continues, you can disable the scheduled search, wait one minute, and enable the scheduled search. NOTE: If you do this you may lose results. | |
| Some of the actions invoked by the scheduled search in the previous loop have not finished and none have finished successfully. The scheduled search will not be polled in this loop | ScheduledSearch | Warning | Failure | To be successful, a scheduled search must have at least one successful action. This error indicates that some of the actions in the scheduled search have not finished and none have finished successfully. Therefore, the scheduled search has no successful actions. | This warning can self-resolve. If the issue persists, contact the system administrator or LogScale Support. | |
| The backfill limit is higher than the allowed maximum. Defaulting to the maximum | ScheduledSearch | Warning | | The backfill limit configured on the scheduled search is higher than the allowed maximum. The system defaults to the maximum allowed automatically. | Decrease the backfill limit on the scheduled search or increase the configured maximum. | |
| Polling scheduled search query resulted in warnings that are normally treated as errors. The scheduled search will still trigger actions if it finds any events | ScheduledSearch | Warning | | Polling the scheduled search query resulted in warnings that are normally treated as errors. The scheduled search will still trigger actions if the result contains events. | This message is informational and does not require action. However, consider whether the specific messages in the errors field should be fixed. |
For more information about troubleshooting messages, see Diagnose trigger warnings and errors.