Create a new alert

Alerts are tasks that continually monitor active queries to look for and report on specific events or conditions. Therefore, alerts are created from within the Data Search area where queries are made.

  1. Go to Data Search in the navigation panel.
  2. Run your query and apply any necessary filters, groupings, aggregations, and so on.
  3. Select New alert from the table toolbar. The New Alert Definition window appears.


  4. Fill in the requested information in the New Alert Definition dialog window and click Create once you finish.

  • Message and Description - These are required fields. Depending on the delivery method used, the information in these fields will be displayed to the recipient to describe the alert condition. 
  • Subcategory and Alert Name - Select or create categories that fit logically within the classification structure of your organization's alerts.

    Type $columnName (case sensitive) if you want to add a column name to the Description field.

  • Configure alert triggering. There are four options available:
    • Each - Triggers an alert for each event that matches the query conditions.

      An example of a simple alert based on firewall log data might be to trigger an alert whenever there is a connection attempt from a blacklisted IP address. In this case, the query should be filtered to include only events whose source IP address also appears in a blacklist lookup table.
    • Several - Triggers an alert when a given number of events occur within a given time period.

      An example of this trigger method based on firewall log data might be to trigger an alert whenever there are more than 500 connection attempts from a single IP address within a 1-minute period.
    • Low - Triggers an alert when the number of events that occurred within a given time period is below a given threshold. An example might be an alert that monitors heartbeat events from network machines. In this case, the alert is configured to trigger if fewer than the expected number of heartbeat events are detected in a given period.

      For example, if heartbeat events are sent every 60 seconds, the alert might monitor a 5-minute period and trigger if fewer than five heartbeat events have been recorded.
    • Rolling - Runs periodically on a user-defined schedule and triggers an alert for each event that matches the query conditions. This is essentially the same as the Each type of alert, except that the trigger conditions are only checked at user-specified intervals and over a configurable time period. This is useful for informative alerts and is not recommended for urgent alert conditions.

      An example of this kind of alert is one that checks, every hour, for events in the last 30 minutes that meet the criteria of the query.
  • If you have grouped the data and performed an aggregation before creating the alert, you will see two additional alert types alongside Each and Rolling:
    • Deviation - Triggers an alert if the absolute deviation of any grouped element from the median group value exceeds a given threshold. The user defines the threshold and the method for expressing it, either Absolute or Percentage:
      • Absolute:

        abs(median of the values in the grouping period - value(i)) > threshold

        where value(i) is each of the values of the grouping period.

      • Percentage:

        abs(median of the values in the grouping period - value(i)) > threshold / 100 * median of the values in the grouping period

        where value(i) is each of the values of the grouping period.


    • Gradient - Triggers an alert if the change in value of any grouped element from one grouping period to the next exceeds a given threshold. The user defines the threshold and the method for expressing it, either Absolute or Percentage:
      • Absolute:

        abs(current value - previous value) > threshold
      • Percentage:

        abs(current value - previous value) > threshold / 100 * previous value
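The trigger rules above (Several and Low for plain event counts, Deviation and Gradient for grouped aggregations) written out as a small evaluator, so the threshold formulas can be checked against sample numbers. This is an added example, not the product's own implementation; the per-source-IP connection counts and the event timestamps are constructed, and the "more than N" reading of Several follows the 500-attempts example.

```python
from statistics import median

# Constructed sample data (not real telemetry): firewall connection attempts
# per source IP in the current grouping period and in the previous one.
CURRENT_PERIOD = {"10.0.0.1": 44, "10.0.0.2": 45, "10.0.0.3": 42, "10.0.0.4": 300}
PREVIOUS_PERIOD = {"10.0.0.1": 40, "10.0.0.2": 45, "10.0.0.3": 43, "10.0.0.4": 50}
# Seconds at which one source IP attempted connections (Several trigger).
ATTEMPT_TIMES = [0, 10, 20, 30, 50, 55, 58, 59, 120]
# Seconds at which a host's heartbeat was seen in a 5-minute window (Low trigger).
HEARTBEAT_TIMES = [0, 60, 120, 240]


def several_triggers(times, window_s, more_than):
    """Several: fire when more than `more_than` events fall inside any `window_s`-second window."""
    ts = sorted(times)
    j = 0
    for i, t in enumerate(ts):
        while t - ts[j] > window_s:  # slide the window start forward
            j += 1
        if i - j + 1 > more_than:
            return True
    return False


def low_triggers(times, period_start, period_s, expected):
    """Low: fire when fewer than `expected` events fall inside the period."""
    seen = sum(1 for t in times if period_start <= t < period_start + period_s)
    return seen < expected


def deviation_alerts(values, threshold, mode):
    """Deviation: groups whose value deviates from the period median by more than the threshold.
    Absolute: abs(median - value) > threshold; Percentage: abs(median - value) > threshold/100 * median."""
    med = median(values.values())
    limit = threshold if mode == "Absolute" else threshold / 100 * med
    return sorted(k for k, v in values.items() if abs(med - v) > limit)


def gradient_alerts(previous, current, threshold, mode):
    """Gradient: groups whose value changed since the previous period by more than the threshold.
    Absolute: abs(current - previous) > threshold; Percentage: ... > threshold/100 * previous."""
    hits = []
    for k in current.keys() & previous.keys():  # only groups present in both periods
        limit = threshold if mode == "Absolute" else threshold / 100 * previous[k]
        if abs(current[k] - previous[k]) > limit:
            hits.append(k)
    return sorted(hits)


if __name__ == "__main__":
    print("Several (>5 in 60 s):", several_triggers(ATTEMPT_TIMES, 60, 5))
    print("Low (<5 heartbeats in 300 s):", low_triggers(HEARTBEAT_TIMES, 0, 300, 5))
    print("Deviation 50%:", deviation_alerts(CURRENT_PERIOD, 50, "Percentage"))
    print("Gradient 100 abs:", gradient_alerts(PREVIOUS_PERIOD, CURRENT_PERIOD, 100, "Absolute"))
```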
