Avatar
James Fields
  • Updated
Follow

Search Condition does not Trigger Scheduled Search Alert

Question:

I have an alert configured to trigger when the count of a condition reaches a certain value, however, I am not receiving any alerts.  My query is:

_sourceCategory=aws/prod
| json "message","logStream","logGroup"
| parse field=message "* * * * * * * * * * * * * *" as version,accountID,interfaceID,src_ip,dest_ip,src_port,dest_port,Protocol,Packets,bytes,StartSample,EndSample,Action,status
| timeslice 1m
| where action="REJECT"
| count as drops by _timeslice

The threshold set for my Scheduled Search alert is:

Greater than > 1000

This query returns results where the "drops" count is more than 1000, so why am I not receiving my alerts?

 

Answer:

Thresholds set within a Scheduled Search are based on the number of result rows returned with a query and do not consider any values that may be present within a column of those rows. If your query does not perform any aggregations the Scheduled Search threshold will apply to the number of raw messages returned with a query, as seen under the Messages tab of the search. If a query contains an aggregate operation, for example, count, sum, min, max, etc... the Scheduled Search threshold will be applied to the number of aggregate rows returned by the query, as seen within the Aggregate tab of the results. 

When performing an aggregation as part of a query, and wanting to alert when a specific aggregate value meets a threshold, the threshold for that field value will need to be included as part of the query itself. This can typically be done by providing a Where condition after the aggregation within the query.  For example:

_sourceCategory=aws/prod
| json "message","logStream","logGroup"
| parse field=message "* * * * * * * * * * * * * *" as version,accountID,interfaceID,src_ip,dest_ip,src_port,dest_port,Protocol,Packets,bytes,StartSample,EndSample,Action,status
| timeslice 1m
| where action="REJECT"
| count as drops by _timeslice
| where drops > 1000

This will cause there to only be a results row returned where the field value meets the threshold provided within the query. The threshold set within the Scheduled Search would then be set to alert based on the resulting number of rows that met the threshold set within the query. For example:

Greater than > 0

 

Comments

0 comments

Please sign in to leave a comment.

Related articles