
Low alert type

Overview

The low method follows the same principle as the several method, except that it triggers an alert when the threshold has not been exceeded by the end of a specified period of time.

The threshold for this kind of alert is defined by the time period and the threshold number of events you specify. The alert process maintains a count of the events that meet the conditions of your query over the last time period and triggers an alert when, at the end of the period, the threshold number has not been exceeded. The time period is rolling: if your chosen period is 1 hour, the alert keeps a running count of events over 60 minutes and restarts the count after that time.

This type of alert is useful with heartbeat events, since you want to be notified when a system stops sending its heartbeat events when expected.

What data do I need to create this alert?

To create an alert using this triggering method, you can apply filters and create new columns in your query, but you cannot group events. If your query groups events, this alert type will not appear for you to select in the alert definition window.

Defining the alert

After selecting this type of alert, you have to define the following variables:


Using column values in the Summary and Description

You can use the $columnName command to display, in the Summary and Description fields, the column values of the events that triggered the alert. This command only works with the column names and properties listed below; any other name will not activate the command and will be interpreted as plain text.

  • $eventdate
  • $count: even though it is not the name of a column, it is a feature that can be used with the low alert type to display the number of events collected during the specified period.

In the following query:

from demo.ecommerce.data
  where statusCode = 404,
    bytesTransferred >= 4000

you could use:

  • $eventdate
  • $count

Query example

In the demo.ecommerce.data table, imagine that you want to receive an alert when you receive fewer than 5 events per hour from a specific client IP address where the bytes transferred exceed 3000.

First of all, you need to filter your query data using the Greater than (gt, >) and Equal (eq, =) operations. Then open the alert definition window, select the low alert type and fill in all the details (pay special attention to the settings that are specific to this alert type).

To save time, you can copy the following query to reproduce the aforementioned example from the demo.ecommerce.data sample table and create a low type alert.

from demo.ecommerce.data
  where clientIpAddress = 59.224.206.36,
    bytesTransferred > 3000
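The following Python script is an added illustration, not part of this documentation or of the Devo alerting engine. It models the evaluation rule described above (count the events that pass the query filter in each period, fire when the count has not exceeded the threshold at the end of the period) and the $count / $eventdate substitution in the Summary field, using constructed sample events shaped like the query's columns. It covers both the heartbeat case from the Overview (a period with zero events fires) and the query example above (client IP 59.224.206.36, bytesTransferred > 3000). The function names, the sample events, the reading of "not exceeded" as count <= threshold, and the use of the period end as $eventdate are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the columns used in the page's query
# (eventdate, clientIpAddress, bytesTransferred). Not rows from demo.ecommerce.data.
CLIENT_IP = "59.224.206.36"
T0 = datetime(2024, 1, 1, 0, 0)


def _ev(minutes, ip=CLIENT_IP, bytes_transferred=4500):
    """Build one constructed event `minutes` after T0."""
    return {"eventdate": T0 + timedelta(minutes=minutes),
            "clientIpAddress": ip, "bytesTransferred": bytes_transferred}


SAMPLE_EVENTS = [
    # hour 0: five matching events -> a threshold of 4 is exceeded, no alert
    _ev(5), _ev(12), _ev(25), _ev(40), _ev(55),
    # hour 1: two matching events plus one dropped by bytesTransferred > 3000
    _ev(65), _ev(70, bytes_transferred=1000), _ev(110),
    # hour 2: nothing at all from this client (the "missing heartbeat" case)
    # hour 3: exactly four matching events plus one from another client
    _ev(185), _ev(190), _ev(200, ip="10.0.0.9"), _ev(215), _ev(230),
]


def matches(event):
    """Filter equivalent to: where clientIpAddress = 59.224.206.36, bytesTransferred > 3000"""
    return event["clientIpAddress"] == CLIENT_IP and event["bytesTransferred"] > 3000


def evaluate_low_alert(events, start, end, period, threshold, predicate,
                       summary="Low traffic: $count events from " + CLIENT_IP):
    """Count matching events in consecutive windows of `period` starting at `start`
    and fire for every window whose count has NOT exceeded `threshold` when the
    window closes. "Not exceeded" is read here as count <= threshold (assumption).
    A window with zero events still fires, which is what makes this alert type
    useful for heartbeats. Only complete windows (those that end before `end`)
    are evaluated, because the alert is decided at the end of the period."""
    n_windows = int((end - start) / period)
    counts = [0] * n_windows
    for ev in events:
        if not predicate(ev):
            continue
        idx = int((ev["eventdate"] - start) / period)
        if 0 <= idx < n_windows:
            counts[idx] += 1

    alerts = []
    for idx, count in enumerate(counts):
        if count <= threshold:
            window_start = start + idx * period
            window_end = window_start + period
            alerts.append({
                "window_start": window_start,
                "count": count,
                # $count is replaced like the page's Summary command; $eventdate is
                # taken as the window end here (assumption: there may be no event).
                "summary": (summary.replace("$count", str(count))
                                   .replace("$eventdate", window_end.isoformat())),
            })
    return alerts


def run_example():
    """Evaluate the constructed events over four 1-hour periods with threshold 4."""
    return evaluate_low_alert(SAMPLE_EVENTS, T0, T0 + timedelta(hours=4),
                              timedelta(hours=1), threshold=4, predicate=matches)


if __name__ == "__main__":
    for alert in run_example():
        print(alert["window_start"].isoformat(), alert["summary"])
```

Running it fires for hours 1, 2 and 3 and stays silent for hour 0: hour 1 shows that events failing the query filter are not counted, hour 2 shows the empty-period case the Overview describes for heartbeats, and hour 3 shows that a count equal to the threshold still fires under the "not exceeded" rule.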
