Forum Discussion

jonathanbarrow's avatar
jonathanbarrow
Icon for Neophyte rankNeophyte
7 months ago

How do I configure an alert, for a specific Instance name?

For the life of me I can't figure out to make the type of alert our org needs. I have a datasource named "Event Log Errors v3" This has a ton of different instances being generated and it's applie...
jonathanbarrow's avatar
jonathanbarrow
Icon for Neophyte rankNeophyte

So in that code, the 1234 is the actual wildalias name you'd be looking for in your example. I wonder how that would work as I think the WildAlias in this scenario would be that long instance name we're using now, right? 

This is the instance name we're trying to alarm off of.

"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin|Microsoft-Windows-TerminalServices-RemoteConnectionManager|2|1069"

Anonymous's avatar
Anonymous
7 months ago

Yes, 1234 in the expression above would be the whole name. And the 5 would be the value of the .count datapoint you want to threshold on. ge() means greater than or equal to. This assumes the datapoint is called "count".

I think the problem with this is that the eq() function is looking for numbers, not a string. So it may always return 0. If that's the case, we may need to look into simplifying either the wildvalue (first part of discovery line before the ##) or the wildalias (second part of discovery line, the instance display name) down to a number. 

In your name above is 1069 enough to uniquely identify that one instance? Or is it possible to have a 1069 with two different strings in the name before the 1069?

  • Anonymous's avatar
    Anonymous
    7 months ago

    For example, is it possible for these both to exist? Or will "1069" always be paired with "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin|Microsoft-Windows-TerminalServices-RemoteConnectionManager|2"

    "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin|Microsoft-Windows-TerminalServices-RemoteConnectionManager|2|1069"

    "Something else entirely|2|1069"

    • jonathanbarrow's avatar
      jonathanbarrow
      Icon for Neophyte rankNeophyte
      7 months ago

      1069 will always be there, this logic builds the instance name for this code using the following naming scheme.

      Log Name | Provider logging the error | Error level (2 = error, 1 = critical, 3 = warning) | Event ID

      So in theory, yes another log or provider could output a 1069 as well.

    • jonathanbarrow's avatar
      jonathanbarrow
      Icon for Neophyte rankNeophyte
      7 months ago

      Testing this out...

       

      • Mike_Moniz's avatar
        Mike_Moniz
        Icon for Professor rankProfessor
        7 months ago

        Is the count alert threshold you want for all of these instances, all going to be the same? Like you want to alert if 20 different event id counts go >= 2? Or could some of them be 5 counts, or 10 counts, etc?

        Also if the count is just going to be 1, I would just look to use EventSources for alerting.