
Rolling alert type

Overview

The rolling method is based on a user-defined schedule and triggers an alert for each event that matches the query conditions. It is essentially the same as the Each method, except that this alert type only checks the trigger conditions at user-specified intervals (Run every) and over a configurable look-back period (Check last).

What data do I need to create this alert?

To create an alert using this triggering method, your query must group events using a non-time-based grouping option (group every -). Be aware that you cannot use the eventdate field in the alert query after the grouping.

If you did not group events, this alert type will not appear for selection in the alert definition window. If you grouped but used a time-based option, the variables will not appear for you to define, and a message will inform you about the requirements you still need to meet.

Specific settings

After selecting this type of alert, you have to define the following variables.

[Screenshot: 20_Rolling alert type.png]

Run every & Check last

The Run every setting specifies how frequently you want the system to check for events matching the conditions of your query, while the Check last setting specifies how far into the past each check extends. In both cases, you can use preset periods or create custom periods:

  • Preset periods: click the dropdown and select the desired option (you can use the editable field to filter them).

  • Custom periods: click the dropdown, write the desired period in the editable field and then click the green field that appears below to confirm it. You must enter a valid format; otherwise, you will get an error message. The accepted format consists of a number followed by a duration code, with no space between them:

Duration                                                               | Format                       | Example
Days                                                                   | (0-n)d                       | 1 day → 1d
Hours                                                                  | (0-24)h                      | 15 hours → 15h
Minutes                                                                | (0-59)m                      | 45 min → 45m
Compound: you can stack the different durations to create a compound   | (0-n)d(0-24)h(0-59)m(0-59)s  | 15 hours, 45 minutes, 50 seconds → 15h45m50s

Min/max period

The periods must be at least 1 minute and up to 100 days to be accepted for alert creation.

Check last/Run every permitted ratio

When the Run every parameter is less than 1 day, the ratio between check last/run every must not exceed 120. A ratio above 120 will prevent the alert from being created and will return an error message.

  • Valid ratio → run every 1m, check last 2h(=120m) → 120/1 → 120

  • Valid ratio → run every 2h, check last 5d(=120h) → 120/2 → 60

  • Invalid ratio → run every 1m, check last 3h(=180m) → 180/1 → 180

Starting moment

The period will not start counting from the moment of the alert creation but from a fixed division that takes the Epoch reference date as the starting point (midnight Jan 1, 1970). This means that if you created an alert past the hour with a one-hour period, the first time it will be triggered (if the conditions are met) will be when the clock strikes the hour and not after 60 minutes. In other words, if you created it at 9:37, it will be triggered at 10 and not at 10:37.

The period boundaries are adjusted according to the timezone specified in the alert definition window.
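The following Python script is an added example, not Devo's own code, that puts the rules above into one place: it parses the duration format from the table, enforces the 1 minute to 100 days bound, applies the Check last / Run every ratio limit of 120 (only when Run every is under 1 day), and computes the first evaluation moment by aligning the period to Epoch divisions rather than to the creation time. The timezone handling is an assumption of this example: it takes the Epoch divisions on the wall clock of the alert's timezone, so a 1d period aligns to local midnight. The creation times and UTC offsets are constructed sample values.

```python
import re
from datetime import datetime, timedelta, timezone, tzinfo

# Duration syntax as described on the page: a number followed by a duration
# code, components stacked with no spaces, e.g. "1d", "15h", "45m", "15h45m50s".
DURATION_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")

MIN_PERIOD = timedelta(minutes=1)          # "at least 1 minute"
MAX_PERIOD = timedelta(days=100)           # "up to 100 days"
MAX_RATIO = 120                            # Check last / Run every limit
RATIO_APPLIES_BELOW = timedelta(days=1)    # the ratio is only checked when Run every < 1 day
EPOCH = datetime(1970, 1, 1)               # naive wall-clock Epoch used for alignment


def parse_duration(text: str) -> timedelta:
    """Parse a duration string in the page's format; raise ValueError on anything it rejects."""
    match = DURATION_RE.fullmatch(text)
    if text == "" or match is None:
        raise ValueError(f"invalid duration format: {text!r}")
    days, hours, minutes, seconds = (int(g) if g is not None else 0 for g in match.groups())
    # Per-component ranges from the page's table: (0-24)h, (0-59)m, (0-59)s
    if hours > 24 or minutes > 59 or seconds > 59:
        raise ValueError(f"duration component out of range: {text!r}")
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def validate_period(period: timedelta, name: str) -> timedelta:
    """Enforce the 1 minute .. 100 days bound the page states for both settings."""
    if not MIN_PERIOD <= period <= MAX_PERIOD:
        raise ValueError(f"{name} must be between 1 minute and 100 days, got {period}")
    return period


def validate_rolling_settings(run_every: str, check_last: str) -> float:
    """Validate a Run every / Check last pair and return the Check last / Run every ratio.

    When Run every is shorter than 1 day, the ratio must not exceed 120;
    otherwise the ratio is not constrained.
    """
    run = validate_period(parse_duration(run_every), "Run every")
    check = validate_period(parse_duration(check_last), "Check last")
    ratio = check / run  # timedelta / timedelta -> float
    if run < RATIO_APPLIES_BELOW and ratio > MAX_RATIO:
        raise ValueError(f"Check last / Run every ratio {ratio:g} exceeds {MAX_RATIO}")
    return ratio


def first_trigger(created_at: datetime, run_every: str, tz: tzinfo = timezone.utc) -> datetime:
    """Return the first moment the alert is evaluated after it is created.

    The period counts from fixed divisions of the Epoch, not from the creation
    time. Assumption of this example: the divisions are taken on the wall clock
    of `tz`, so a 1d period aligns to local midnight rather than UTC midnight.
    """
    period = validate_period(parse_duration(run_every), "Run every")
    local_wall = created_at.astimezone(tz).replace(tzinfo=None)
    step = period.total_seconds()
    elapsed = (local_wall - EPOCH).total_seconds()
    next_boundary = (elapsed // step + 1) * step  # first division strictly after creation
    return (EPOCH + timedelta(seconds=next_boundary)).replace(tzinfo=tz)


def first_trigger_iso(created_iso: str, run_every: str, utc_offset_hours: float = 0) -> str:
    """String-based wrapper around first_trigger(): ISO-8601 in, ISO-8601 out."""
    created = datetime.fromisoformat(created_iso)
    tz = timezone(timedelta(hours=utc_offset_hours))
    return first_trigger(created, run_every, tz).isoformat()


if __name__ == "__main__":
    # The three ratio examples from the page, plus one rejected by the min period
    for run, check in [("1m", "2h"), ("2h", "5d"), ("1m", "3h"), ("30s", "1h")]:
        try:
            print(f"run every {run}, check last {check}: ratio {validate_rolling_settings(run, check):g}")
        except ValueError as err:
            print(f"run every {run}, check last {check}: rejected ({err})")
    # Constructed creation time: 09:37 UTC with a 1h period fires at 10:00, as on the page
    print("1h period created 09:37 UTC ->", first_trigger_iso("2024-03-05T09:37:00+00:00", "1h"))
    # Same instant seen from UTC+2 with a 1d period: aligns to local midnight (assumption above)
    print("1d period created 23:30 UTC, tz UTC+2 ->", first_trigger_iso("2024-03-05T23:30:00+00:00", "1d", 2))
```

The ratio rule is deliberately skipped when Run every is 1 day or longer, matching the page; a pair such as 1d / 100d passes with a ratio of 100 and would also pass at a higher ratio, whereas 12h / 100d (ratio 200) is rejected.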

Using field values in the Summary and Description

You can use the $fieldName command to display, in the Summary and Description fields, the field values of the events that triggered the alert. The command works only with the field and property names listed below; any other name will not activate the command and will be shown as plain text.

  • $eventdate

  • $fieldName for fields resulting from grouping operations.

  • $fieldName for fields resulting from aggregation operations.

  • $ticktime: even though it is not the name of a field, it is a feature that can be used with the rolling alert type to make reference to the value specified in the Run every field.

  • $backperiod: even though it is not the name of a field, it is a feature that can be used with the rolling alert type to make reference to the value specified in the Check last field.

In the following query, you could use the variables listed below it:

from demo.ecommerce.data where statusCode = 404 group every - by method, timeTaken select avg(bytesTransferred) as avgBytesTransferred

  • $eventdate

  • $method

  • $timeTaken

  • $avgBytesTransferred

  • $ticktime

  • $backperiod
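As an added example (not Devo's own rendering code), the function below shows the substitution behaviour described above applied to a Summary or Description template: names that match the event's grouped or aggregated fields, $eventdate, $ticktime and $backperiod are replaced, and any other $name is left as plain text. The event record is a constructed sample shaped like one row of the query above; the token syntax (a $ followed by an identifier) is an assumption of this example.

```python
import re

# A $ followed by an identifier, e.g. $method, $avgBytesTransferred, $ticktime
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def render_template(template: str, event: dict, run_every: str, check_last: str) -> str:
    """Substitute $fieldName tokens from a triggering event plus the alert settings.

    $ticktime resolves to the Run every value and $backperiod to the Check last
    value; unknown names are returned unchanged, as the page describes.
    """
    values = dict(event)
    values["ticktime"] = run_every
    values["backperiod"] = check_last

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        return str(values[name]) if name in values else match.group(0)

    return TOKEN_RE.sub(substitute, template)


# Constructed sample row, as produced by grouping by method, timeTaken and
# aggregating avg(bytesTransferred) as avgBytesTransferred
SAMPLE_EVENT = {
    "eventdate": "2024-03-05 10:00:00",
    "method": "GET",
    "timeTaken": 312,
    "avgBytesTransferred": 4096.5,
}

SAMPLE_TEMPLATE = (
    "$method on $eventdate: avg $avgBytesTransferred bytes "
    "(checked last $backperiod every $ticktime); $statusCode is not a grouped field"
)

if __name__ == "__main__":
    print(render_template(SAMPLE_TEMPLATE, SAMPLE_EVENT, "5m", "30m"))
```

In the sample template, $statusCode is filtered in the query but not grouped or aggregated, so it survives the rendering as literal text, which is the behaviour to expect when a summary unexpectedly shows a raw $name.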

Query example

In the demo.ecommerce.data table, imagine that you want to receive an alert each time an event arrives where the bytes transferred exceed 3000 and the status code is 404, checking the last 30 minutes every 5 minutes.

First of all, you need to filter the query data using the Greater than (gt, >) and Equal (eq, =) operations and group events without a time period. Then, open the alert definition window, select the rolling alert type, and fill in all the details (pay special attention to the specific settings of this alert type).

To save time, you can copy the following query to reproduce the aforementioned example from the demo.ecommerce.data sample table and create a rolling type alert.

from demo.ecommerce.data where bytesTransferred > 3000, statusCode = 404 group every - by bytesTransferred, statusCode

 
