Rolling alert type
- Juan Tomás Alonso Nieto (Deactivated)
Overview
The rolling method is based on a user-defined schedule and triggers an alert for each event that matches the query conditions. This is essentially the same as the method each, except that this alert only checks for the trigger conditions at user-specified intervals and over a configurable time period.
What data do I need to create this alert?
To create an alert using this triggering method, your query must group events using a no time-based option. Be aware that you are not able to use the eventdate field in the alert query after the grouping.
If you did not group, this alert type will not appear for you to select in the alert definition window. If you grouped but used a time-based option, the variables will not appear for you to define and a message will inform you about the requirements you still need to meet.
Defining the alert
After selecting this type of alert, you have to define the following variables.
The Run every setting specifies how frequently you want the system to check for events matching the conditions of your query while the Check last setting specifies how far in the past the search extends. In both cases, you can use preset periods or create custom periods:
Preset periods: click the dropdown and select the desired option (you can use the editable field to filter them).
Custom periods: click the dropdown, write the desired period in the editable field and then click the green field that appears below to confirm it. You have to introduce a valid format, otherwise, you will get an error message. The accepted format consists of a number followed by a duration code without space between them:
Duration | Format | Example |
|---|---|---|
Days | (0-n)d | 1 day → 1d |
Hours | (0-24)h | 15 hours → 15h |
Minutes | (0-59)m | 45 min → 45m |
You can stack them to create a compound → 15h45m | ||
Minimum period
The period must be at least 1 minute.
Starting moment
The period will not start counting from the moment of the alert creation but from a fixed division that takes the Epoch reference date as the starting point (midnight Jan 1, 1970). This means that if you created an alert past the hour with a one-hour period, the first time it will be triggered (if the conditions are met) will be when the clock strikes the hour and not after 60 minutes. In other words, if you created it at 9:37, it will be triggered at 10 and not at 10:37.
The period will be adjusted according to the timezone specified in the delivery method assigned to the alert. To know more about this check the Manage delivery methods article.
Using column values in the Summary and Description
You can use the $columnName command to display in the Summary and Description fields the column values of the events that triggered the alert. This command can be employed with the names of the columns and properties below. Using a different one will not activate the command and will be interpreted as plain text.
$eventdate
$columnName of those resulting from grouping operations.Â
$columnName of those resulting from aggregation operations.
$ticktime: even though it is not the name of a column, it is a feature that can be used with the rolling alert type to make reference to the value specified in the Run every field.
$backperiod: even though it is not the name of a column, it is a feature that can be used with the rolling alert type to make reference to the value specified in the Check last field.
In the following query, you could use:
Â
from demo.ecommerce.data
where statusCode =Â 404
group every - by method, timeTaken
select avg(bytesTransferred) as avgBytesTransferredÂ
$eventdate
$method
$timeTaken
$avgBytesTransferred
$ticktime
$backperiod
Query example
In the demo.ecommerce.data table, imagine that you want to receive an alert each time you receive an event where the bytes transferred exceed 3000 and the status code is 404 in the last 30 minutes of every 5 minutes period.
First of all, you need to filter the query data using the Greater than (gt, >) and Equal (eq, =) operations and group events without a time period. Then, you need to open the alert definition window, select the rolling type alert and fill in all the details (pay special attention to the specific settings of this alert type).
To save time, you can copy the following query to reproduce the aforementioned example from the demo.ecommerce.data sample table and create a rolling type alert.
from demo.ecommerce.data
where bytesTransferred > 3000,
statusCode = 404
group every - by bytesTransferred, statusCodeÂ
Related Articles: