Rolling alert type
The rolling method is based on a user-defined schedule and triggers an alert for each event that matches the query conditions. It is essentially the same as the each method, except that it only checks for the trigger conditions at user-specified intervals (Run every) and only over a configurable look-back window (Check last).
This type of alert is useful for informative alerts and is not recommended for urgent alert conditions: matching events are evaluated only when a scheduled check runs, and only if they fall inside that check's look-back window.
What data do I need to create this alert?
To create an alert using this triggering method, your query must group events using a grouping option that is not time-based (that is, group without a time period).
If you did not group, this alert type will not appear for you to select in the alert definition window. If you grouped but used a time-based option, the variables will not appear for you to define and a message will inform you of the requirements you still need to meet.
Configuring the alert
After selecting this type of alert, you have to define the following variables.
- Run every: specifies how frequently you want the system to check for events matching the conditions of your query.
- Check last: specifies how far in the past the search extends.
In both cases, you can use preset periods or create custom periods:
Preset periods: click the dropdown and select the desired option (you can use the editable field to filter them).
Custom periods: click the dropdown, write the desired period in the editable field and then click the green field that appears below to confirm it. You have to enter a valid format, otherwise you will get an error message. The accepted format consists of a number followed by a duration code, with no space between them:

| Duration | Format | Example |
|---|---|---|
| Days | (0-n)d | 1 day → 1d |
| Hours | (0-24)h | 15 hours → 15h |
| Minutes | (0-59)m | 45 min → 45m |
| Seconds | (0-59)s | 50 seconds → 50s |

You can stack them to create a compound period, for example 15h45m50s.
The period will not start counting from the moment of the alert creation but from a fixed division that takes the Epoch reference date as the starting point (midnight Jan 1, 1970). This means that if you created an alert past the hour with a one-hour period, the first time it will be triggered (if the conditions are met) will be when the clock strikes the hour and not after 60 minutes. In other words, if you created it at 9:37, it will be triggered at 10 and not at 10:37.
The period boundaries are adjusted according to the timezone specified in the delivery method assigned to the alert. To know more about this, check the Manage delivery methods article.
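The following Python script is an added example, not code from the page or from Devo: it validates the Run every / Check last format described above, computes the first run from Epoch-aligned boundaries (so an alert created at 09:37 with a 1h period first runs at 10:00), and replays a 30m / 5m schedule over a few constructed rows to show which matching events are alerted on and which fall between windows. The timezone handling (shift by the delivery timezone offset, align, shift back), the `tz_offset_s` parameter and the sample rows are assumptions for illustration; the grouping step of the query is not modelled.

```python
import re
from datetime import datetime, timedelta, timezone

# "Run every" / "Check last" format described above: a number followed by a
# duration code, no spaces, optionally stacked (e.g. "15h45m50s").
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_UNIT_MAX = {"d": None, "h": 24, "m": 59, "s": 59}  # ranges listed on the page
_TOKEN = re.compile(r"(\d+)([dhms])")


def parse_period(text: str) -> int:
    """Return the period in seconds; raise ValueError if the format is invalid."""
    if not text or _TOKEN.sub("", text):
        # leftover characters mean something other than <number><code> pairs
        raise ValueError(f"invalid period format: {text!r}")
    total, seen = 0, set()
    for digits, unit in _TOKEN.findall(text):
        n = int(digits)
        if unit in seen:
            raise ValueError(f"duplicate unit {unit!r} in {text!r}")
        seen.add(unit)
        limit = _UNIT_MAX[unit]
        if limit is not None and n > limit:
            raise ValueError(f"{n}{unit} is outside the 0-{limit} range")
        total += n * _UNIT_SECONDS[unit]
    if total == 0:
        raise ValueError("period must be greater than zero")
    return total


def is_valid_period(text: str) -> bool:
    """Boolean form of parse_period, for quick checks."""
    try:
        parse_period(text)
        return True
    except ValueError:
        return False


def next_run(created: datetime, run_every_s: int, tz_offset_s: int = 0) -> datetime:
    """First evaluation after `created`.

    Boundaries are whole multiples of the period counted from the Epoch
    (midnight, 1 Jan 1970), not from the creation time. The timezone
    adjustment is modelled here (an assumption, not Devo's documented
    internals) by counting from the Epoch in the delivery timezone: shift the
    instant by the offset, align it, shift it back.
    """
    local = int(created.timestamp()) + tz_offset_s
    boundary = (local // run_every_s + 1) * run_every_s
    return datetime.fromtimestamp(boundary - tz_offset_s, tz=timezone.utc)


def check_window(run_at: datetime, check_last_s: int):
    """Half-open range [start, run_at) that a run at `run_at` inspects."""
    return run_at - timedelta(seconds=check_last_s), run_at


def matches(event) -> bool:
    """Filter from the page's example query: bytesTransferred > 3000 and statusCode = 404."""
    _, bytes_transferred, status_code = event
    return bytes_transferred > 3000 and status_code == 404


def simulate(events, created, run_every, check_last, until, tz_offset_s=0):
    """Replay the schedule from `created` to `until` (inclusive) and return
    {run time: [matching events inside that run's Check last window]} for the
    runs that would fire. Matching events that fall between windows are never
    alerted on, which is why this type is unsuited to urgent conditions."""
    run_every_s = parse_period(run_every)
    check_last_s = parse_period(check_last)
    fired = {}
    run_at = next_run(created, run_every_s, tz_offset_s)
    while run_at <= until:
        start, end = check_window(run_at, check_last_s)
        hits = [e for e in events if matches(e) and start <= e[0] < end]
        if hits:
            fired[run_at] = hits
        run_at += timedelta(seconds=run_every_s)
    return fired


UTC = timezone.utc
CREATED = datetime(2024, 1, 15, 9, 37, tzinfo=UTC)  # alert saved at 09:37
UNTIL = datetime(2024, 1, 15, 11, 0, tzinfo=UTC)

# Constructed sample rows (not real demo.ecommerce.data): (eventdate, bytesTransferred, statusCode)
SAMPLE_EVENTS = [
    (datetime(2024, 1, 15, 9, 40, tzinfo=UTC), 5000, 404),   # matches, but no window covers 09:40
    (datetime(2024, 1, 15, 9, 57, tzinfo=UTC), 4200, 404),   # inside the 10:00 run's 09:55-10:00 window
    (datetime(2024, 1, 15, 9, 58, tzinfo=UTC), 2000, 404),   # bytes too low
    (datetime(2024, 1, 15, 10, 28, tzinfo=UTC), 6100, 404),  # inside the 10:30 run's 10:25-10:30 window
    (datetime(2024, 1, 15, 10, 29, tzinfo=UTC), 8000, 200),  # wrong status
    (datetime(2024, 1, 15, 10, 31, tzinfo=UTC), 7000, 404),  # matches, missed: next window is 10:55-11:00
]

if __name__ == "__main__":
    print("first run with 1h period:", next_run(CREATED, parse_period("1h")))  # 10:00, not 10:37
    for run_at, hits in sorted(simulate(SAMPLE_EVENTS, CREATED, "30m", "5m", UNTIL).items()):
        print(run_at.strftime("%H:%M"), "->", [(e[1], e[2]) for e in hits])
```

With Run every 30m and Check last 5m, only 10 minutes of each hour are ever inspected: the 09:40 and 10:31 rows match the filter but are never alerted on. If you need every matching event, set Check last equal to or longer than Run every, or use the each alert type.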
Using column values in the Summary and Description
The $columnName command used to display column values in the Summary and Description fields can be employed with the columns and properties below. Using any other name will not activate the command, and the text will be interpreted literally.
| Column or property | Description |
|---|---|
| $eventdate | Displays the moment in time at which the events that triggered the alert were received. |
| Grouping columns | Only the columns added as arguments in the grouping operation can be used (for example, the $responseTime command is valid only if the responseTime column is added as an argument when grouping your data). |
| Aggregation columns | The columns that result from the aggregation operation can be used (for example, the $count command is valid only if a count aggregation operation is performed and the resulting column is named count). |
| $ticktime | Not a column, but it can be used to reference the value specified in the Run every field. |
| $backperiod | Not a column, but it can be used to reference the value specified in the Check last field. |
Example
Using the demo.ecommerce.data table, imagine that you want to receive an alert for each event where the bytes transferred exceed 3000 and the status code is 404, checking the last 5 minutes of every 30-minute period (Run every: 30m, Check last: 5m).
First, filter the query data using the Greater than (gt, >) and Equal (eq, =) operations and group the events without a time period. Then open the alert definition window, select the rolling alert type and fill in the details (pay special attention to the Run every and Check last settings specific to this alert type).
To save time, you can copy the following query to reproduce this example on the demo.ecommerce.data sample table and create a rolling type alert:
from demo.ecommerce.data where bytesTransferred > 3000, statusCode = 404 group by bytesTransferred, statusCode every -