alert
noun An alert is a mechanism that is designed to be triggered when certain conditions are met by the results of the search upon which it is based. Alerts can be based on both historical and real-time searches.
There are three types of alerts:
Per-result alerts are based on real-time searches that run over all time, and they fire each time the base search returns a result.
Scheduled alerts are based on historical, scheduled searches and are triggered when conditions are met by a scheduled run of the search, such as the total count of events returned exceeding a threshold number.
Rolling-window alerts are also based on real-time searches. They are triggered when conditions are met by events passing through a rolling "time window" of a width that you can define, such as 1 minute, 10 minutes, 2 hours, or anything else.
When an alert is triggered, it performs an alert action. This action can be the sending of the alert information to a designated set of email addresses, or the posting of the alert information to an RSS feed. Alerts can also be set up to run a custom script when they are triggered, such as the posting of an "alert event" to a syslog.
You can configure an alert so that records of its triggered alerts are available for review in the Alert Manager.
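As an added illustration, not taken from this glossary page, the three alert types above expressed as savedsearches.conf stanzas. The stanza names, searches, mail address and script name are made-up placeholders, and the key names follow savedsearches.conf as I know it; check them against the spec file shipped with your version.

```ini
# Constructed example: one stanza per alert type described above.
# Stanza names, searches, the mail address and the script are placeholders.

# 1. Scheduled alert: historical search run every 15 minutes over the last
#    15 minutes; triggers when the event count exceeds the threshold.
[Failed logins - scheduled]
search = index=auth action=failure | stats count by user
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 10
alert.track = 1
action.email = 1
action.email.to = secops@example.com

# 2. Rolling-window alert: real-time search over a 10-minute window
#    (rt-10m .. rt); the scheduler starts the real-time search once.
[Failed logins - rolling window]
search = index=auth action=failure
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = rt-10m
dispatch.latest_time = rt
counttype = number of events
relation = greater than
quantity = 50
alert.track = 1
action.email = 1
action.email.to = secops@example.com

# 3. Per-result alert: real-time search over all time; digest mode off
#    so the action runs once per result, here a custom script.
[Root login - per result]
search = index=auth action=success user=root
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = rt
dispatch.latest_time = rt
counttype = always
alert.digest_mode = 0
alert.track = 1
action.script = 1
action.script.filename = notify_syslog.sh
```

`alert.track = 1` is what makes each triggered alert visible in the Alert Manager; the action keys select email, RSS (`action.rss`) or a script as the alert action.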
For more information
In the User Manual:
In the Admin Manual:
- How alerting works
- Set up alerts in savedsearches.conf
- Configure scripted alerts
- Send SNMP traps to other systems