In Humio, you can create Alerts to be triggered when specific events happen that you designate, when some parameters are exceeded that you determine. When an Alert is triggered, it can initiate an Action, which could include sending a message to someone, logging it to another system, or performing some other action.
Although you can at any time log into Humio and run a query, check a dashboard composed of several saved queries represented by graphs, tables and in other formats, Alerts automate the process. Alerts are essentially stored live-queries that run continuously, and trigger whenever there are one or more rows in the search results. This means you don’t have to rely on a routine of checking Humio or worry about not immediately detecting a problem when it occurs.
There are a few things you need to know about using Humio’s Alert system before using it. This section of the Humio Documentation provides instructions on how to create and manage Alerts, as well as how to integrate them into other systems:
To learn how to create an Alert, click on the heading here to see our documentation with detailed instructions and screenshots on creating Alerts using the Humio User Interface.
You can keep Alerts from triggering multiple times in a short period of time by setting the throttle, so that it won’t trigger again until after the throttle period has passed. Basically and typically, you’ll get one Alert for a batch of events, rather than one for each event.
As part of the Humio Alert system, you may integrate it with an incident management system, as well as a security monitoring system. These systems can be used to notify your staff and allow for more detailed analysis of server security.
You’ll also find in this section of the Documentation, a page on managing Alerts. This is where information on editing or removing any Alerts you’ve created is located.
An Alert is most useful when it initiates an Action, such as sending someone a message about a problem on the servers. Although Actions are integral to Alerts, they are covered in the Actions section of the Documentation: click on the heading here to go to that section.
While we recommend highly using Alerts, you can disable all Alerts from running by setting the environment variable,
false. Rather than disable all Alerts, though, you can disable an individual Alert from the Alerts tab in the User Interface. See the Managing Alerts page in this section to learn how to disable an Alert.