- Microsoft Operations Management Suite Cookbook
- Chiyo Odika
- 253 words
- 2021-08-27 20:22:15
How it works...
Alert rules automatically run log searches at regular intervals that you define in the rule. If the log search returns results that match the defined criteria, then an alert record is created and an action can be performed, based on what you define in the alert rule.
The following properties are required in an alert rule:
- Search query: The query upon which an alert rule is based will run every time the alert rule executes.
- Time window: The time range, counted back from the current time, for which records are returned by the search query. This time window can range between 5 minutes and 24 hours. For instance, if you set the range to the default 15 minutes and the query is run at 12:00 PM, the search query will return only records created between 11:45 AM and 12:00 PM.
- Alert frequency: This determines how often the search query is run. The alert rule frequency can be between 5 minutes and 24 hours. Importantly, the alert rule frequency should be less than or equal to the time window, in order for the query to accurately return relevant records.
- Threshold: This depends on the type of alert rule created, and when defined, determines when search query results will generate alerts. See the following Alert rule types section.
- Suppress alerts: This feature helps to reduce noise. When enabled, and after the alert rule creates a new alert, it disables actions for the rule for a length of time that you define in minutes or hours.
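The interaction between time window, alert frequency, threshold and suppression can be checked with a small simulation. This is an added example, not code from the book or from OMS: the function names, the constructed timestamps, the "count greater than threshold" firing rule and the inclusive upper window bound are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

def validate_rule(window_min, frequency_min):
    """Check the timing properties against the limits described above."""
    problems = []
    for name, value in (("time window", window_min), ("alert frequency", frequency_min)):
        if not 5 <= value <= 24 * 60:
            problems.append(f"{name} must be between 5 minutes and 24 hours")
    if frequency_min > window_min:
        problems.append("alert frequency exceeds time window: some records are never searched")
    return problems

def simulate(events, start, runs, window_min, frequency_min, threshold, suppress_min=0):
    """Return (times an action fired, records inside the schedule that no run searched)."""
    window, freq = timedelta(minutes=window_min), timedelta(minutes=frequency_min)
    actions, seen, suppressed_until = [], set(), None
    for i in range(runs):
        now = start + i * freq
        # Assumption: the window is (now - window, now], upper bound inclusive.
        hits = [e for e in events if now - window < e <= now]
        seen.update(hits)
        # Assumption: a number-of-results rule fires when the count exceeds the threshold.
        if len(hits) > threshold and (suppressed_until is None or now >= suppressed_until):
            actions.append(now)
            if suppress_min:
                suppressed_until = now + timedelta(minutes=suppress_min)
    last_run = start + (runs - 1) * freq
    missed = sorted(e for e in events if start - window < e <= last_run and e not in seen)
    return actions, missed

# Constructed sample: timestamps of matching records, as minute offsets from 12:00 PM.
START = datetime(2021, 1, 1, 12, 0)
EVENTS = [START + timedelta(minutes=m) for m in (-10, -2, 7, 8, 9, 22, 40)]

if __name__ == "__main__":
    for window, freq in ((15, 15), (5, 15)):
        actions, missed = simulate(EVENTS, START, 4, window, freq, threshold=2)
        print(window, freq, validate_rule(window, freq),
              [a.strftime("%H:%M") for a in actions], [m.strftime("%H:%M") for m in missed])
```

With a 15-minute window and 15-minute frequency the burst at 12:07 to 12:09 fires one action at 12:15; with a 5-minute window and the same frequency, that burst falls between runs and is never searched.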