Creating Alerts

Figure 1, Search Query

The easiest way to create a new Alert is to construct a query on the Search page of a repository: a query that finds the events about which you want to be notified, or on which you want some other action taken. Then you save that query as an Alert. From there you create one or more Actions for Humio to take when the Alert is triggered.

The other method is to click on the Alerts tab for a repository, from anywhere in the Humio User Interface. This shows you a list of existing Alerts and Actions. When the Alerts tab on the left is selected, you’ll see a button labeled + New Alert. Clicking on it shows a screen similar to the Search page, with a query box for testing a query and input boxes on the right for entering Alert properties. It will look similar to the screenshot in Figure 5 at the bottom of this page.

Whichever way you start, the steps and requirements for creating an Alert are similar. The former way, starting from the Search page, is described below. The latter is described in the Managing Alerts section further down.

From Query to Alert

Figure 2, Save As Query

When you have a query on the Search page for a repository the way you want it, and you’d like to create an Alert based on it, click on Save as…. Figure 1 above shows a screenshot of how this might look. In this example, we’re searching for events in which the web server recorded an HTTP status code of 404, which indicates that the requested page was not found.

The query is highlighted at the top left. Notice that the time period is set to a live, continuous data range — not static data. You don’t need a query that alerts you to something that had already happened when you created the Alert; you generally need to be alerted about events that happen afterwards.

In the screenshot in Figure 1, you can see that we’ve selected one event. We’ve highlighted the statuscode field and its value. That confirms that the query is working. You would then convert this query to an Alert by clicking Save As… near the top right. It’s highlighted in the cropped screenshot in Figure 2 here. From the choices presented there, select Alert.

Alert Properties

Figure 3, Create Alert

When you save a query as an Alert, you’ll be presented with a dialog box to enter properties for the new Alert. You can see this in Figure 3 here.

Using the example started in the first screenshot above, we’ve entered Not Found for the name, since the Alert relates to users of the server’s websites not finding the pages they want. We’ve entered a description that says more specifically what causes the Alert to be triggered.

At this point, you could add an Action for Humio to take when the Alert is triggered, if you have one that’s suitable for this Alert. Or you could skip it and add the Action later, which is what we did in this example. Adding an Action to an Alert is covered on the Create an Action documentation page.

The next property to set for a new Alert is Throttling. There may be times when several events that meet the search criteria are found in a short period of time, and you probably don’t need to be alerted multiple times in a row. In the example here, we’re accepting the default throttle setting of once per hour. These choices are covered in detail on the Throttling documentation page.

The last setting is a check-box at the bottom that enables or disables the Alert. It’s enabled by default, but can be disabled by unchecking this box. If you receive a notification from an Alert and need time to resolve the problem, you might want to disable the Alert until then, so it won’t keep notifying you while you’re working on it.

When you’re finished setting the properties for the new Alert, click on the Save button.
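To make the three properties above concrete, here is a small simulation of how the Alert from this example behaves over a stream of events: the query (statuscode = 404), the default once-per-hour throttle, and the enabled check-box. This is an added illustration written for this page, not Humio’s own code or API; the event records and timestamps are constructed, and the throttle is modelled as "fire at most once per throttle period".

```python
from datetime import datetime, timedelta

# Constructed sample web-server events (not real Humio data); one dict per event.
EVENTS = [
    {"@timestamp": "2021-03-01T10:00:00", "statuscode": 200, "url": "/"},
    {"@timestamp": "2021-03-01T10:05:00", "statuscode": 404, "url": "/old-page"},
    {"@timestamp": "2021-03-01T10:20:00", "statuscode": 404, "url": "/missing.css"},
    {"@timestamp": "2021-03-01T11:30:00", "statuscode": 404, "url": "/favicon.ico"},
    {"@timestamp": "2021-03-01T11:45:00", "statuscode": 500, "url": "/api"},
]


def matches_query(event):
    """The Alert's query from this page: events where the web server logged a 404."""
    return event.get("statuscode") == 404


def run_alert(events, enabled=True, throttle=timedelta(hours=1)):
    """Simulate a live Alert evaluated over events in time order.

    Returns the timestamps at which the Alert triggers, i.e. when its Actions
    would run. A disabled Alert never triggers; a throttled Alert triggers at
    most once per throttle period (default: once per hour, as on the page).
    """
    fired = []
    if not enabled:
        return fired
    last_fired = None
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        if last_fired is not None and ts - last_fired < throttle:
            continue  # suppressed: still inside the throttle window
        fired.append(ts)
        last_fired = ts
    return fired


if __name__ == "__main__":
    for ts in run_alert(EVENTS):
        print("Alert 'Not Found' triggered at", ts.isoformat())
```

With the sample events, the 404 at 10:05 triggers the Alert, the one at 10:20 is suppressed by the hourly throttle, and the one at 11:30 triggers again; the disabled Alert never fires.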