Some notes for handling errors and warnings when managing alerts:
If there is an error when running an Alert, the error will be logged and also set on the Alert, so that it can be seen on the Alerts overview page.
If an Alert has multiple Actions attached, and some of the Actions fail to run, this will be logged, but no error will be set on the Alert. The Alert will be considered to have fired, and will be throttled as normal. It will only be considered an error if all Actions fail.
If there are warnings from running the Alert query, they are logged, but the warning is not stored on the Alert. Many warnings are transient and will go away after some time, but some require user interaction, for instance a warning on too many groups in a groupBy() function invocation in the Alert query. Some warnings will result in the Alert query only returning partial results, which may trigger the Alert when it should not have been triggered, or make the Alert only return some of the events it would otherwise have returned. There are usually a lot of warnings on Alert queries right after Humio starts up, indicating that Humio is trying to catch up on ingested data. Because of this, the default behavior is to not fire an Alert if there are warnings from the Alert query and instead wait for the warning to go away. It is possible to make Alerts fire even if there are warnings by setting ALERT_DESPITE_WARNINGS in the Humio configuration.
Alerts do not work in combination with Joins. This is due to the way joins are executed against recently ingested data and how the inner and outer queries can be executed out of sync, returning empty results. See Limitations of Live Joins for more information.