You can create an alert definition from one of two places, either the Explore > Discover page and second from the Alerts > Definitions page.
From the Discover page:
Here you can query and filter to specify the logs you'd like to be examining. Once set, you can click the alert button in the top right corner which will take you to the definition creation page. This is typically a more intuitive starting point for creating a definition. See Discover documentation for more info on querying and filtering.
From the Alert > Definitions page:
Simply click the top right button "Add Alert".
From this point on the process of creating an alert definition is the same.
Here you can specify the name and description for your alert definition.
Here you can create or further refine your queries. These are the logs that will be checked against your condition set in the Trigger section. If coming here from the Discover page you'll see your previously specified queries and filters. At any time you can hit the Preview in Kibana link to view the logs that match your query in Discover.
Here is where you set the condition that, when satisfied, will trigger an alert. The interval that is checked can be between 5 minutes and 24 hours. You can also specify the severity of the alert, in this case we'll create an alert with a severity of "warning".
Here you can optionally attach a notifier that will be sent when the definition is triggered. You must already have a Notifier created to attach it here. See Attaching Notifiers.
If you don't have a notifier set up at this point, you can always add it later.
Thats it, once set observIQ is keeping an eye out for your alert criteria, next you can view and manage incidents, see Managing Incidents.
Once you've created an alert definition, it is then viewable in the Alerts > Definition page. At a glance for each definition you can see its description, if it's enabled, the date it was created, and if there is an active incident currently for the definition.
Clicking the name in the first column of the table will take you to the Configuration page where you can more closely inspect and edit each definition.
From the Configuration page you have the options to delete, edit, disable, or view logs for a definition.
Once you delete an alert definition, all of its corresponding incidents (open or closed) are deleted too.
The edit button will take you to the Edit Definition page, where you can change the details of the alert definition such as its name, description, query, trigger, and notifications.
If you no longer want a definition to trigger incidents, but don't want to delete it entirely you can disable the definition on the configuration page.
You can now enable a definition from the same configuration page.
Updated 12 months ago