Hi everyone,
I have been facing a weird question about our alerts.
Basically, we have an alert that triggers when the log contains an error. The syntax looks like below:
index=[Index] _index_earliest=-15m earliest=-15m
(host=[Hostname]) AND (level=ERR OR tag IN (error) OR ERR)
We had an alert action set up to send a message to Teams when it triggers. The weird thing is: the alert doesn't trigger, but the search can still match events when run manually. For example, in the past 24 hours we have 50 events that can be matched by the search, but no alerts were triggered. When I went and searched the internal logs, I found the search was dispatched successfully but shows
result_count=0, alert_actions=""
It looks like the search never picked up the events to trigger an alert, but my manual search can find them. Has anyone had a similar problem before? Much appreciated.
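An added illustration (not part of the post above) of how the two time bounds in that search interact, written as a small Python model of Splunk's semantics: `earliest` bounds `_time`, `_index_earliest` bounds `_indextime`, and a scheduled run can only see events that were already indexed at its dispatch time. The sample events are constructed, and the search is assumed to run every 15 minutes, which the post does not state.

```python
from dataclasses import dataclass

WINDOW = 15 * 60            # earliest=-15m and _index_earliest=-15m, in seconds
MANUAL_LOOKBACK = 24 * 3600  # the manual "past 24 hours" search
T = 1_700_000_000            # constructed base timestamp (epoch seconds)


@dataclass
class Event:
    name: str
    time: int       # _time: timestamp parsed from the log line
    indextime: int  # _indextime: when the indexer actually wrote the event


def indexing_lag(ev: Event) -> int:
    return ev.indextime - ev.time


def matched_by_scheduled_run(ev: Event, dispatch: int, window: int = WINDOW) -> bool:
    """Alert search dispatched at `dispatch`: _time and _indextime must both be
    inside the last `window` seconds, and the event must already be indexed."""
    return (ev.time >= dispatch - window
            and ev.indextime >= dispatch - window
            and ev.indextime <= dispatch)


def matched_by_manual_search(ev: Event, now: int, lookback: int = MANUAL_LOOKBACK) -> bool:
    """Manual search over the past 24h: only bounds _time, so late-indexed events show up."""
    return ev.time >= now - lookback and ev.indextime <= now


def never_catchable(ev: Event, window: int = WINDOW) -> bool:
    """If lag > window then for every dispatch D with _indextime <= D we get
    _time = _indextime - lag < D - window, so no run of the 15m search can return it."""
    return indexing_lag(ev) > window


def simulate(events, start: int, end: int, period: int = WINDOW) -> set:
    """Dispatch the scheduled search every `period` seconds from start to end and
    return the names of events that would have triggered the alert at least once."""
    hit, d = set(), start
    while d <= end:
        hit.update(ev.name for ev in events if matched_by_scheduled_run(ev, d))
        d += period
    return hit


# Constructed events: one indexed promptly, one from a forwarder that was ~30 min
# behind, and one whose lag equals the window and falls between two dispatches.
PROMPT = Event("prompt", T + 100, T + 105)
LATE = Event("late_forwarder", T + 100, T + 2000)
BORDERLINE = Event("borderline", T + 100, T + 1000)
EVENTS = [PROMPT, LATE, BORDERLINE]
NOW = T + 4 * WINDOW
```

Running `simulate(EVENTS, T, NOW)` returns only `{"prompt"}`, while `matched_by_manual_search` is true for all three, which reproduces a "manual search finds 50 events, scheduled search shows result_count=0" gap without any fault in the search string itself.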