
Each alert type

Overview

The Each triggering method fires one alert for each event that matches your query.

The threshold for this kind of alert is defined entirely by the filters applied in the query: every time an event is written to the data table and meets the query conditions, an alert is triggered.

This type of alert could be useful when monitoring key data and every single event needs to be considered individually.

Each-type alerts with subqueries

The Devo Alerts API allows users to define each-type alerts using source queries that contain subqueries.

This cannot be done through the Devo app interface. However, alerts with subqueries defined through the Alerting API will appear in Administration → Alert Configuration. You'll be able to open them and see their details; however, you'll only be able to edit them using the Alerting API.

Learn more in Working with alert definitions.

What data do I need to create this alert?

To create an alert using this triggering method, you can apply filters and create new columns in your query, as well as group and aggregate data. However, note that this type of alert only accepts time-based grouping: it cannot be defined on queries that use non-time-based grouping.

Configuring the alert

After selecting this type of alert, you don't have to select any other setting. The alert will be triggered every time an event is received with the characteristics specified in the active query.

Using column values in Summary and Description

You can use the $columnName command to display, in the Summary and Description fields, the column values of the event that triggered the alert. This command can be employed with the name of any column present in the query result.

In the following query, you could use:

from demo.ecommerce.data where statusCode = 404, bytesTransferred >= 4000

$eventdate
$clientIpAddress
$timestamp
$method
$uri
$protocol
$statusCode
$bytesTransferred
$referralUri
$userAgent
$cookie
$timeTaken

Take into account that if your query groups events, this command only works with the names of the columns resulting from the grouping operation. Using a different column name will not activate the command and will be interpreted as plain text.

In the following query, you could use:

from demo.ecommerce.data where statusCode = 404, bytesTransferred >= 4000 group every 5m by method, timeTaken

$eventdate
$method
$timeTaken

Query example

In the demo.ecommerce.data table, imagine that you want to receive an alert each time an event comes from a private IP address.

First of all, you need to filter the query data using the Is Private IPv4 (isprivate) operation. Then, open the alert definition window and select an Each-type alert.

To save time, you can copy the following query to reproduce this example on the demo.ecommerce.data sample table and create an Each-type alert:

from demo.ecommerce.data where isprivate(clientIpAddress)
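The following Python script is an added illustration of the behaviour described on this page (the one-alert-per-event rule, the $columnName substitution in Summary and Description, and why $columnName only resolves to grouped columns after a "group every" query). It is not Devo code and does not use the Devo API; the events, the isprivate helper and the grouping helper are constructed for the example and only approximate the query-engine semantics.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample events, not real demo.ecommerce.data rows. Column names
# follow the ones listed on this page for that table.
EVENTS = [
    {"eventdate": "2024-01-01 10:00:00", "clientIpAddress": "10.0.0.5",
     "method": "GET", "uri": "/cart", "statusCode": 404,
     "bytesTransferred": 5120, "timeTaken": 120},
    {"eventdate": "2024-01-01 10:00:01", "clientIpAddress": "8.8.8.8",
     "method": "POST", "uri": "/checkout", "statusCode": 200,
     "bytesTransferred": 300, "timeTaken": 45},
    {"eventdate": "2024-01-01 10:00:02", "clientIpAddress": "192.168.1.20",
     "method": "GET", "uri": "/login", "statusCode": 404,
     "bytesTransferred": 4000, "timeTaken": 300},
]


def isprivate(ip: str) -> bool:
    """Stand-in for the query's isprivate(clientIpAddress) filter.
    Assumption: IPv4 only, using RFC 1918 / loopback / link-local ranges
    as defined by the ipaddress module."""
    try:
        return ipaddress.IPv4Address(ip).is_private
    except ValueError:
        return False


COLUMN_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def render(template: str, row: dict) -> str:
    """Expand $columnName for columns present in the query result row.
    A $name that is not a result column stays as plain text, which is
    what the page says happens with non-grouped columns."""
    def sub(match):
        name = match.group(1)
        return str(row[name]) if name in row else match.group(0)
    return COLUMN_REF.sub(sub, template)


def each_alert(rows, where, summary: str) -> list:
    """Each-type alert: one alert is raised per row that satisfies the filter."""
    return [render(summary, r) for r in rows if where(r)]


def group_every(events, minutes: int, keys: list) -> list:
    """Toy time-based grouping: result rows carry only eventdate (bucket
    start) and the grouping columns, so other columns are gone from the
    result and cannot be referenced with $columnName afterwards."""
    rows = {}
    for e in events:
        ts = datetime.strptime(e["eventdate"], "%Y-%m-%d %H:%M:%S")
        bucket = ts - timedelta(minutes=ts.minute % minutes,
                                seconds=ts.second)
        rid = (bucket,) + tuple(e[k] for k in keys)
        rows.setdefault(rid, {"eventdate": bucket.strftime("%Y-%m-%d %H:%M:%S"),
                              **{k: e[k] for k in keys}})
    return list(rows.values())


def private_ip_alerts() -> list:
    """Equivalent of: from demo.ecommerce.data where isprivate(clientIpAddress)"""
    return each_alert(EVENTS,
                      lambda e: isprivate(e["clientIpAddress"]),
                      "$clientIpAddress requested $uri")


def not_found_alerts() -> list:
    """Equivalent of: where statusCode = 404, bytesTransferred >= 4000.
    $notAColumn is not a result column, so it is left as plain text."""
    return each_alert(EVENTS,
                      lambda e: e["statusCode"] == 404 and e["bytesTransferred"] >= 4000,
                      "$method $uri $notAColumn")


def grouped_alerts() -> list:
    """Equivalent of the same filter with 'group every 5m by method, timeTaken':
    only $eventdate, $method and $timeTaken resolve; $uri stays literal."""
    filtered = [e for e in EVENTS
                if e["statusCode"] == 404 and e["bytesTransferred"] >= 4000]
    rows = group_every(filtered, 5, ["method", "timeTaken"])
    return each_alert(rows, lambda r: True, "$eventdate $method $timeTaken $uri")


if __name__ == "__main__":
    for line in private_ip_alerts() + not_found_alerts() + grouped_alerts():
        print(line)
```

Running the script raises two alerts for the private-address query (one per matching event, the public 8.8.8.8 event is skipped), and in the grouped variant the $uri reference is printed literally because uri is not one of the grouping columns.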
