Low alert type

Overview

The low method follows the same principle as the several method, except that it triggers an alert when the threshold is not exceeded after a specified period of time.

The alert threshold is determined by the specified time period and the number of events you set. The alert process keeps track of events that meet your query conditions over the designated time period, triggering an alert if the threshold number has not been exceeded by the end of that period. The time period is rolling, which means it will restart after elapsing.

This type of alert is useful with heartbeat events, since you want to be notified when a system stops sending its heartbeat events when expected.

What data do I need to create this alert?

To create an alert using this triggering method, you can apply filters and create new fields in your query, but you cannot group events. If you group events, this alert type will not appear for you to select in the alert definition window.

Specific settings

After selecting this type of alert, you have to define the following variables:

[Image: 10_Low alert type.png]

Period

This setting determines the duration of the intervals used by the system to check for events and trigger the corresponding alert when applicable. You can use preset periods or create custom periods:

  • Preset periods: click the dropdown and select the desired option (you can use the editable field to filter them).

  • Custom periods: click the dropdown, write the desired period in the editable field and then click the green field that appears below to confirm it. You have to enter a valid format, otherwise you will get an error message. The accepted format consists of a number followed by a duration code, with no space between them:

Duration                          Format                          Example
Days                              (0-n)d                          1 day → 1d
Hours                             (0-24)h                         15 hours → 15h
Minutes                           (0-59)m                         45 min → 45m
Seconds                           (0-59)s                         50 seconds → 50s
Compound (stack the durations)    (0-n)d(0-24)h(0-59)m(0-59)s     15 hours, 45 minutes, 50 seconds → 15h45m50s

Starting moment

The period will not start counting from the moment of the alert creation but from a fixed division that takes the Epoch reference date as the starting point (midnight Jan 1, 1970). This means that if you created an alert past the hour with a one-hour period, the first time it will be triggered (if the conditions are met) will be when the clock strikes the hour and not after 60 minutes. In other words, if you created it at 9:37, it will be triggered at 10 and not at 10:37.

The period will be adjusted according to the timezone specified in the alert definition window (more info here).

Triggering delay

An alert is only triggered after the specified period has elapsed and the system has completed the check, resulting in a slight delay between the actual occurrence and the alert generation.

Threshold

This setting specifies how many events you want to use as the limit for triggering the alert: the alert is triggered only when this number is not reached by the end of the period. Write the desired number.

  • Inactivity alert: If you set the threshold to 0 you can generate a special type of alert, the inactivity alert. You can find more information in the following link.

Using field values in the Summary and Description

You can use the $fieldName command to display in the Summary and Description fields the field values of the events that triggered the alert. This command can be employed with the names of the fields and properties below. Using a different one will not activate the command and will be interpreted as plain text.

  • $eventdate

  • $count: even though it is not the name of a field, it is a feature that can be used with the low alert type to display the number of events collected during the specified period.

In the following query, you could use both:

from demo.ecommerce.data where statusCode = 404, bytesTransferred >= 4000

  • $eventdate

  • $count

Query example

In the demo.ecommerce.data table, imagine that you want to receive an alert when you receive fewer than 5 events per hour from a specific client IP address where the bytes transferred exceed 3000.

First of all, you need to filter your query data using the Greater than (gt, >) and Equal (eq, =) operations. Then you need to open the alert definition window, select the low alert type and fill in all the details (pay special attention to the specific settings of this alert type).

To save time, you can copy the following query to reproduce the aforementioned example from the demo.ecommerce.data sample table and create a low alert type.

from demo.ecommerce.data where clientIpAddress = 59.224.206.36, bytesTransferred > 3000
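The following Python snippet is an added illustration, not Devo code, of how the settings above fit together for this query example: it validates the period format from the table, aligns intervals to the Epoch as described under Starting moment, and fires when a fully elapsed interval holds fewer matching events than the threshold. The sample events, the 2024-01-01 timestamps and the treatment of threshold 0 as "fires when no event arrived" are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Accepted period format from the page: (0-n)d(0-24)h(0-59)m(0-59)s, no spaces.
_PERIOD_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")

def parse_period(text):
    """Convert a period string such as '15h45m50s' into a number of seconds."""
    m = _PERIOD_RE.match(text)
    if not text or not m:
        raise ValueError(f"invalid period format: {text!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    if h > 24 or mi > 59 or s > 59:
        raise ValueError(f"period component out of range: {text!r}")
    total = d * 86400 + h * 3600 + mi * 60 + s
    if total == 0:
        raise ValueError("period must be greater than zero")
    return total

def window_start(ts_sec, period):
    """Start of the Epoch-aligned interval (seconds since 1970-01-01 UTC) containing ts_sec."""
    return ts_sec - (ts_sec % period)

def first_check_time(created_ts, period):
    """An alert created mid-interval is first evaluated at the next interval boundary."""
    return window_start(created_ts, period) + period

def matches(event):
    # Same filter as the page's query: clientIpAddress = 59.224.206.36, bytesTransferred > 3000
    return event["clientIpAddress"] == "59.224.206.36" and event["bytesTransferred"] > 3000

def evaluate_low_alert(events, period, threshold, since, now):
    """One alert per fully elapsed interval with fewer than `threshold` matching events.
    Assumption: threshold 0 (the inactivity alert) fires only when no event matched."""
    counts = {}
    for e in events:
        if matches(e):
            w = window_start(e["eventdate"], period)
            counts[w] = counts.get(w, 0) + 1
    alerts, w = [], window_start(since, period)
    while w + period <= now:  # an interval is only checked once it has elapsed
        n = counts.get(w, 0)
        if (n == 0) if threshold == 0 else (n < threshold):
            alerts.append({"eventdate": w, "count": n})  # $eventdate and $count
        w += period
    return alerts

def ts(h, m):
    # Constructed timestamps on 2024-01-01 (UTC) for the sample events
    return int(datetime(2024, 1, 1, h, m, tzinfo=timezone.utc).timestamp())

# Constructed sample events: 6 matches in the 09:00 hour, only 2 matches in the 10:00 hour
SAMPLE_EVENTS = [{"eventdate": ts(9, i), "clientIpAddress": "59.224.206.36", "bytesTransferred": 4200}
                 for i in range(10, 16)] + [
    {"eventdate": ts(10, 5), "clientIpAddress": "59.224.206.36", "bytesTransferred": 3500},
    {"eventdate": ts(10, 20), "clientIpAddress": "59.224.206.36", "bytesTransferred": 1200},  # not > 3000
    {"eventdate": ts(10, 40), "clientIpAddress": "59.224.206.36", "bytesTransferred": 5100},
]
```

With a 1h period and threshold 5, evaluating at 11:05 fires once, for the 10:00 interval with $count = 2; the 09:00 interval stays silent because 6 events reached the threshold.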

 

Related articles: