Configuration
The items available under this section depend on whether you are creating a new trigger or editing an existing trigger.
If you're creating a new trigger, in Query type select whether to run a live query (for alerts) or a scheduled search.
If a live query (alert) is selected, choose an option from the Alert type drop-down. The recommended alert type is suggested based on the query: for example, if the query contains an aggregate function, Aggregate alert is shown as the recommended type. Options are:
Filter alert
Aggregate alert
Legacy alert (not recommended). For information about recommended alternatives to Legacy alerts, see What trigger type to choose.
If none of the alert types fits your needs, use a scheduled search.
For help choosing the alert type, see What trigger type to choose.
Note
If you ignore the recommended alert type and select another one, the query editor shows a notification that the query is not allowed for that alert type whenever the query is not valid for it.
For information about each trigger type, see Triggers.
Figure 207. Query type for a new trigger
If you're editing an existing trigger, Trigger query contains the query as configured. Click to modify the query; this redirects to the Search page.
Figure 208. Query area when editing a trigger
Important
It is not possible to change the Query type or Alert type when editing triggers. If you need to reuse other properties of the trigger, duplicate the trigger and change the query type or alert type. For more information, see Duplicate Trigger.
Time window
Time window is available for aggregate alerts, legacy alerts, and scheduled searches.
Time window sets the search interval for the trigger (in seconds, minutes, and so on). For Aggregate alerts, the available options are Preset (choose from a predefined list) or Custom interval (set another interval of your choice).
When using Custom interval in Aggregate alerts, note that only the following inputs are valid:
1-80 minutes in intervals of 1 minute (1, 2, 3, ..., 80)
82-180 minutes in intervals of 2 minutes (82, 84, 86, ..., 180)
1-24 hours in intervals of 1 hour (1, 2, 3, ..., 24)
The same values can also be given in a different unit. These are examples of valid options:
82 minutes or 4,920 seconds
24 hours or 86,400 seconds
12 hours or 720 minutes
For scheduled searches, the maximum allowed time window is 10 years.
If a value outside the allowed ranges is entered, the UI displays a warning:
Figure 209. Invalid Search Interval
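As an added example (not part of the original documentation or the product), the following Python function encodes the three allowed ranges above and checks a custom interval given in any unit, the way the UI does. The unit spellings it accepts are an assumption for the example; the page only says the window can be entered in seconds, minutes, hours and so on.

```python
import re

# Valid custom time windows for Aggregate alerts, as listed on this page,
# expressed in minutes: 1-80 in steps of 1, 82-180 in steps of 2, 1-24 hours.
VALID_MINUTES = (
    set(range(1, 81))
    | set(range(82, 181, 2))
    | set(range(60, 24 * 60 + 1, 60))
)

# Seconds per unit. The accepted unit spellings are an assumption for this
# example, not the product's own input grammar.
UNIT_SECONDS = {
    "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
}

_WINDOW_RE = re.compile(r"^\s*([\d,]+)\s*([a-zA-Z]+)\s*$")


def window_to_seconds(text: str) -> int:
    """Parse inputs such as '82 minutes', '4,920 seconds' or '12h' into seconds.
    Raises ValueError for anything that is not <number> <unit>."""
    m = _WINDOW_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse time window: {text!r}")
    value = int(m.group(1).replace(",", ""))
    unit = m.group(2).lower()
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unknown unit in time window: {text!r}")
    return value * UNIT_SECONDS[unit]


def is_valid_aggregate_window(text: str) -> bool:
    """True if the window is a value the UI accepts for an Aggregate alert.
    Any unit is fine as long as the value is a whole number of minutes that
    falls in one of the three allowed ranges."""
    seconds = window_to_seconds(text)
    if seconds % 60:
        return False  # e.g. 90 seconds: not a whole minute, never valid
    return seconds // 60 in VALID_MINUTES


def validate_aggregate_window(text: str) -> str:
    """Return a UI-style verdict for a custom interval."""
    if is_valid_aggregate_window(text):
        return f"{text}: valid"
    return (f"{text}: Invalid Search Interval (allowed: 1-80 min step 1, "
            f"82-180 min step 2, 1-24 h step 1)")


if __name__ == "__main__":
    for candidate in ["82 minutes", "4,920 seconds", "24 hours", "86,400 seconds",
                      "12 hours", "720 minutes", "81 minutes", "83 minutes",
                      "90 seconds", "25 hours"]:
        print(validate_aggregate_window(candidate))
```

Note that the hours rule makes some minute values outside 1-180 valid too: 240 minutes is accepted because it equals 4 hours, while 81 or 83 minutes are rejected because they fall in the gap between the two minute ranges.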
Throttling
Important
Throttling is optional for Filter alerts, and required for Aggregate alerts and Legacy alerts.
Throttling limits how often an alert can trigger: once it has triggered, it does not trigger again until the throttle period has passed. The throttle period is set along with the other properties when creating a new alert. You can throttle all actions or specify a field to throttle on. For general information about throttling, see Throttling. For information about throttling for a specific type of alert, go to Triggers and select an alert type.
The following options are available:
Throttle period
Set the length of the throttle period. The alert triggers at most once per period.
The throttle period is optional for Filter alerts, but mandatory for Aggregate alerts and Legacy alerts.
The maximum allowed throttle period is 1 week for Legacy alerts and Filter alerts; for Aggregate alerts it is 24 hours.
The throttle period can be given in any unit from seconds to weeks.
Throttle all actions
Once the alert has triggered, it will not trigger again until after the throttle period has passed.
Field-based throttling
Once the alert triggers for a given value of the field specified in Throttle field name, no further events with the same value for that field are sent again until the throttle period has passed. See details at Field-Based Throttling.
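As an added example, not code from the original page or from the product, the following Python script replays a constructed stream of events through the two throttling modes described above and checks a throttle period against the stated limits for each alert type. The lowercase alert-type keys, the sample events and the field name `user` are assumptions made for the example.

```python
from typing import Optional

# Maximum throttle period per alert type, in seconds, as stated on this page:
# 1 week for Legacy and Filter alerts, 24 hours for Aggregate alerts.
# The lowercase keys are this example's own naming, not the product's.
MAX_THROTTLE_SECONDS = {
    "filter": 7 * 24 * 3600,
    "legacy": 7 * 24 * 3600,
    "aggregate": 24 * 3600,
}


def validate_throttle(alert_type: str, throttle_seconds: Optional[int]) -> str:
    """Check a throttle period (None = not set) against the rules for the alert type.
    Returns 'ok' or the reason the configuration would be rejected."""
    if alert_type not in MAX_THROTTLE_SECONDS:
        return f"unknown alert type {alert_type!r}"
    if throttle_seconds is None:
        # Throttling is optional for Filter alerts, mandatory for the others.
        if alert_type == "filter":
            return "ok"
        return f"throttle period is mandatory for {alert_type} alerts"
    if throttle_seconds <= 0:
        return "throttle period must be positive"
    limit = MAX_THROTTLE_SECONDS[alert_type]
    if throttle_seconds > limit:
        return (f"throttle period {throttle_seconds}s exceeds the {limit}s "
                f"maximum for {alert_type} alerts")
    return "ok"


class Throttle:
    """Simulates throttling of alert actions.

    throttle_field=None models 'Throttle all actions': one suppression window
    for the whole alert. A field name models field-based throttling: each
    distinct value of that field gets its own suppression window."""

    def __init__(self, period_seconds: int, throttle_field: Optional[str] = None):
        self.period = period_seconds
        self.throttle_field = throttle_field
        self._last_fired = {}  # throttle key -> timestamp of the last action

    def should_fire(self, ts: int, event: dict) -> bool:
        """True if an action may run for this event at time ts."""
        key = None if self.throttle_field is None else event.get(self.throttle_field)
        last = self._last_fired.get(key)
        if last is not None and ts - last < self.period:
            return False  # still inside the throttle period for this key
        self._last_fired[key] = ts
        return True


def run(throttle: Throttle, events: list) -> list:
    """Replay (timestamp, event) pairs; return the timestamps at which actions run."""
    return [ts for ts, ev in events if throttle.should_fire(ts, ev)]


# Constructed sample events (not real log data); timestamps are seconds.
SAMPLE_EVENTS = [
    (0,   {"user": "alice", "action": "login_failed"}),
    (30,  {"user": "bob",   "action": "login_failed"}),
    (100, {"user": "alice", "action": "login_failed"}),
    (400, {"user": "alice", "action": "login_failed"}),
    (650, {"user": "bob",   "action": "login_failed"}),
]

if __name__ == "__main__":
    print("throttle all actions, 5 min:", run(Throttle(300), SAMPLE_EVENTS))
    print("throttle on 'user', 5 min:  ", run(Throttle(300, "user"), SAMPLE_EVENTS))
    print(validate_throttle("aggregate", 2 * 24 * 3600))
```

With a global 5-minute throttle, bob's first failure at t=30 never reaches an action because alice's failure at t=0 opened the window for the whole alert; throttling on `user` keeps one window per account, which is what you want when the action notifies about a specific account. The validator also shows why a 48-hour throttle that is fine for a Filter alert is rejected for an Aggregate alert.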