- Schedule: You can choose to either run your search on a set schedule
  or run your alert according to a cron schedule. Keep in mind that
  the time frame selected in the time picker will be used each time the
  query runs—you probably don't want to run a query looking at 24
  hours of data every minute.
- Trigger if lets you choose when to trigger the alert.
  - Number of results lets you build a rule based on the count. "Is greater than 0"
    is the most commonly used option.
  - A custom condition is met lets you use a bit of search language to decide
    whether to fire the alert. If any events pass the search language test, the
    rule passes and the alert is fired. For example, search authclass would test
    each event for the word authclass, which in our example would pass one
    event. In most cases, you would use a threshold value. The purpose is to test
    the search results without affecting the search results that are handed along
    to the defined action.
  - Monitor in real-time over a rolling window of…: This is a very useful
    option for generating alerts as soon as some threshold is passed. For instance,
    you could watch the access logs for a web server, and if the number of events
    seen in the last minute falls below 100, send an alert.
Working with our example data, let's set an alert to fire any time more than
five errors affecting the user mary are matched in the last 5 minutes.
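To make the three trigger styles concrete, here is an added simulation (not Splunk code and not from the book) of one scheduled run of the alert just described: a base search over the last five minutes, the "number of results is greater than 5" rule, and a custom condition that tests the results without changing what is handed to the action. The events, the user names and the fixed run time NOW are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original text); ts is the event time.
def ev(hms, user, msg):
    return {"ts": datetime.strptime(f"2024-01-01 {hms}", "%Y-%m-%d %H:%M:%S"),
            "user": user, "msg": msg}

SAMPLE_EVENTS = [
    ev("11:52:00", "mary", "error: session expired"),        # older than 5 minutes
    ev("11:55:30", "mary", "error: bad password"),
    ev("11:56:00", "mary", "error: bad password"),
    ev("11:57:00", "mary", "error: account locked"),
    ev("11:57:30", "bob",  "error: bad password"),           # different user
    ev("11:58:00", "mary", "error: authclass rejected token"),
    ev("11:58:30", "mary", "login ok"),                      # not an error
    ev("11:59:00", "mary", "error: bad password"),
    ev("11:59:30", "mary", "error: bad password"),
]

# Simulated time at which the scheduled search runs (constructed).
NOW = datetime(2024, 1, 1, 12, 0, 0)

def base_search(events, user, earliest, latest):
    """The saved search: error events for `user` inside the time picker range."""
    return [e for e in events
            if e["user"] == user and "error" in e["msg"] and earliest < e["ts"] <= latest]

def count_trigger(results, threshold):
    """'Number of results ... is greater than N' rule."""
    return len(results) > threshold

def custom_condition(results, term):
    """'A custom condition is met': emulate `search <term>` over the results.
    Fires if any result passes; the result set handed to the action is untouched."""
    return any(term in e["msg"] for e in results)

def evaluate(events, now=NOW, window_minutes=5, user="mary", threshold=5):
    """One scheduled run: search the last `window_minutes`, apply the count rule.
    Returns (fired, results) so the action still receives the full result set."""
    results = base_search(events, user, now - timedelta(minutes=window_minutes), now)
    return count_trigger(results, threshold), results

if __name__ == "__main__":
    fired, results = evaluate(SAMPLE_EVENTS)
    print(f"count rule fired={fired} with {len(results)} results")
    print(f"custom condition 'authclass' fired={custom_condition(results, 'authclass')}")
```

With these events the count rule fires (six errors for mary inside the window; the 11:52 event and bob's error are excluded), and the custom condition "authclass" fires on exactly one of those six results.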