Humio has support for alerting and can be configured to notify external systems about error conditions or other events. Every repository has its own set of alerts.
The alerting concept in Humio consists of two parts: Notifiers and Alerts.
Alerts are standard Live Queries that run continuously and trigger whenever the search result contains one or more rows.
For example, you can configure an alert that triggers whenever there are more than five status 500s in the access log:
#type=accesslog statuscode=500 | count(as=internal_server_errors) | internal_server_errors > 5
The count() aggregation always produces exactly one row, so the final filter decides the outcome. If there are five or fewer matching events in the time window, internal_server_errors > 5 is false, the result is empty and nothing happens. If there are more than five, the row passes the filter, the result is non-empty and the alert triggers its notifier.
You can think of Alerts as one of two types
The easiest way to create a new alert is by building up your query in the Search view.
For notifiers like email and Slack, choose a lower notification frequency (more time between triggers): triggers are not de-duplicated, so an alert that keeps matching sends a new message on every run.
A notifier is a module that sends notifications when alerts trigger.
Humio currently supports the following notifier types:
You must assign all notifiers a name.
For on-site installations, remember to set the PUBLIC_URL field in the Humio config to the address at which recipients reach the Humio UI. This ensures that links in notifications point to the correct URL.
If the built-in notifiers are not enough and you need something custom, Humio supports webhooks that call an external service over HTTP. You can add HTTP headers and customize the body of the message. Because the body can carry the query result, send webhooks to an HTTPS endpoint, put a shared secret in a custom header so the receiver can verify that the request came from Humio, and have the receiver validate the body instead of trusting it.
Humio uses Notifier templates to create the messages sent by notifiers. They currently apply to Email and Webhook notifiers. The template engine is a simple "search/replace" model, where the placeholders are replaced with contextually-aware variables.
See the list for an explanation of the placeholders:
- Extracts the value of
- The user-made name of the alert that fired.
- A user-made description of the alert that fired.
- The time at which the alert was triggered.
- The number of events in the query result.
- A URL to open Humio with the alert's query.
- The query that triggered the alert.
- A summary of the data in the query result.
- The time interval for the alert's query (10m > now).
- Any warnings that were generated by the query.
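As an added example (not Humio's code), the following Python script shows both ends of the webhook path described in the webhook and template sections above: the sender side renders a JSON body with the search/replace template model, once naively and once with values escaped for JSON, and the receiver side checks a shared-secret header in constant time and validates the body before acting on it. The placeholder names, the X-Webhook-Token header, the token value, the alert context and the payload shape are all assumptions made for this example; Humio's real placeholder names are not reproduced here.

```python
"""Sender-side templating and a hardened receiver for a Humio-style webhook
notifier. Added illustration, not Humio's code. Placeholder names, header
name, token and payload shape are assumptions chosen for the example."""
import hmac
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed alert context. Humio's real placeholder names are not shown on
# the page; these names are assumed for the demonstration only.
SAMPLE_CONTEXT = {
    "alert_name": "Too many 500s",
    "alert_description": 'Fires when "accesslog" shows > 5 HTTP 500s',
    "event_count": 7,
    "query_string": "#type=accesslog statuscode=500 "
                    "| count(as=internal_server_errors) "
                    "| internal_server_errors > 5",
}

# A JSON webhook body as a user would type it into the notifier configuration.
JSON_TEMPLATE = (
    '{"alert": "{alert_name}", "description": "{alert_description}", '
    '"count": {event_count}, "query": "{query_string}"}'
)

PLACEHOLDER = re.compile(r"\{([a-z_]+)\}")


def render_template(template: str, context: dict, json_body: bool) -> str:
    """Plain search/replace of {placeholder} tokens, as the page describes.

    With json_body=True each value is escaped as a JSON string fragment, so a
    quote inside the alert description cannot truncate or reshape the payload.
    Unknown placeholders are left verbatim rather than silently dropped.
    """
    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in context:
            return match.group(0)
        value = str(context[key])
        if json_body:
            return json.dumps(value)[1:-1]  # escaped text without outer quotes
        return value
    return PLACEHOLDER.sub(substitute, template)


def is_valid_json(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


# Receiver side. The token is constructed; in practice it is the value of a
# custom header configured on the Humio webhook notifier.
SHARED_TOKEN = b"replace-with-a-long-random-token"
TOKEN_HEADER = "x-webhook-token"  # assumed header name, matched case-insensitively


def authorize(headers: dict) -> bool:
    """Constant-time comparison of the shared-secret header."""
    presented = next((str(v) for k, v in headers.items()
                      if k.lower() == TOKEN_HEADER), "")
    return hmac.compare_digest(presented.encode(), SHARED_TOKEN)


def handle_notification(headers: dict, body: bytes) -> tuple:
    """Authenticate first, then validate the payload before anything acts on it."""
    if not authorize(headers):
        return 401, {"error": "unauthorized"}
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(payload, dict) or not {"alert", "count", "query"} <= payload.keys():
        return 400, {"error": "missing fields"}
    if not isinstance(payload["count"], int) or payload["count"] < 0:
        return 400, {"error": "count must be a non-negative integer"}
    # The description and query are text influenced by the log source; hand
    # them on as data only, never into a shell command or unescaped HTML.
    return 200, {"accepted": payload["alert"], "events": payload["count"]}


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP wrapper around handle_notification()."""
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        status, reply = handle_notification(dict(self.headers.items()),
                                            self.rfile.read(length))
        data = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Local demo: print both renderings, then listen on 127.0.0.1:8080.
    print(render_template(JSON_TEMPLATE, SAMPLE_CONTEXT, json_body=False))
    print(render_template(JSON_TEMPLATE, SAMPLE_CONTEXT, json_body=True))
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Running the script prints both renderings and then listens locally; point a webhook notifier at it with the same header and token. The naive rendering does not parse, because the alert description contains a double quote, which is exactly the breakage a plain search/replace template invites once text from the log source reaches a placeholder inside a JSON body.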