A variant of the low alert type, an inactivity alert informs you of the absence of expected activity. It is defined to trigger when no events matching the query conditions are registered over a given time period.
What data do I need to create this alert?
Like any other low alert type, it is based on the absence of individual events so it can't be created for queries that group the events.
Configuring the alert
To create an inactivity alert, the time period can be freely chosen but the threshold needs to be 0.
Using column values in the Summary and Description
Like any other low alert type, the $columnName command can be used with the $eventdate column and the $count property.
demo.ecommerce.data table, imagine that you want to receive an alert every hour if you don't receive any event from the IP address 188.8.131.52 with the method POST.
First of all, you need to filter your query data using the Equal (eq, =) operation. Then you need to open the alert definition window, select the low type alert and fill in all the details (pay special attention to the threshold, which must be 0).
To save time, you can copy the following query to reproduce the aforementioned example from the
demo.ecommerce.data sample table and create a low (inactivity) alert.
from demo.ecommerce.data where clientIpAddress = 184.108.40.206, method = "POST"