This section describes how to set up alerts using the search interface.

To set up alerts using the search interface

1. Configure a target where you wish to send your content-based alerts.

   Alert targets are set up and modified by superusers or user groups that have been assigned read and write/perform access to the Policies object on the AAA > Access Control page.

   To specify an alert target:

   1. Go to Policies > Alert targets.

   2. Click .

      The new tab that opens allows you to record an alert target.

      Figure 18: Policies > Alert targets — Alert targets page

      

   3. Enter a name for your alert target.

      NOTE: Alert target names must be unique.

   4. In the Target email address field, enter the email address where you wish to send alerts.

      NOTE: You can specify only one email address per target. However, you can add multiple targets per alert, which allows you to send a specific alert to more than one email addresses (if required).

   5. In the Cooldown period field, enter the minimum amount of time (in seconds) that should pass between the sending of two alert messages to this target.

      The minimum value is 60 seconds, and the maximum value is 999999 seconds.

      NOTE: An alert message is sent only when a match is found between the contents of log messages and a search expression. This means that if no match is found, more time may pass between two alert messages than the interval specified as the cooldown period.

   6. Click to save your details.

      Expected result:

      You have successfully configured a target for your alert where alert messages will be sent.

2. Optional step: You can also specify the email address from which the alerts are sent to your targets. Configuring an email address from where you wish to receive emails can be useful for filtering purposes. If you do not specify such an email address, a default one will be used.

   For detailed instructions, see the steps describing how to specify a Send e-mails as email address in "Configuring e-mail alerts" in the Administration Guide.

3. Once you have set up a target or targets, navigate to the search interface by going to Search > Logspaces.

   Figure 19: Search > Logspaces — Setting up alerts on the search interface

   

4. In the Logspace name menu, select the relevant logspace.

5. In the Search expression field, enter the search expression that you wish to receive alerts about and click .

6. To configure additional details for the alert, click . The Content-based alerting panel is displayed.

   Figure 20: Search > Logspaces — Content-based alerting panel

   

   The Logspace field displays the name of the logspace that you have selected from the Logspace name menu. The Search expression field displays the search expression that you entered in the Search expression field.

7. Enter a name for your alert in the Alert name field.

   NOTE: Alert names must be globally unique. Using a prefix before alert names can help avoid specifying a name that is already in use.

8. Select a target from Targets. You can select multiple targets if you wish to distribute the alert to multiple email addresses.

   You can remove targets you have already added by clicking in front of the target's name.

9. To save your details, click .

   NOTE: If you wish to modify your alert later on, you can make changes via Search > Content-Based Alerts. For details, see Setting up alerts on the Search > Content-Based Alerts page.