Not Incidents Not Opening

Hi All,

We are fairly new to the platform, and my days of research and testing have not yielded anything useful.

We are monitoring event logs on a handful of servers (currently only in our testing environment). The data gets ingested without issue. However, it is currently not opening incidents for us for all critical violations. When an event is raised with the "Error" or "Warning" value, we need an incident opened so that it will send an email to our systems and dev teams.

I do have the incident preference on our policies set by condition and signal. Our current query is a simple NRQL query:

SELECT count(*) FROM Log WHERE WinEventType = 'Error' AND ComputerName LIKE 'PV%' FACET StringInserts, message

(I do also have another condition for Warning)

I do have a delay of 10 minutes set up and have tried various window durations, but nothing seems to work. I seem to get random emails for events, some days apart. We expect to get several a day.

I have manually triggered errors and ensured that they are being ingested well inside the window; most errors come in almost instantly. I have at one point expanded the delay up to 20 minutes, but that did not seem to help at all.

I don't know if I need to adjust my query or not. It is showing the critical violations where I would expect; it just seems that for some reason it's not opening incidents.

@cwilkins If the threshold is looking for a 0 to open, you will need Loss of Signal set to open. If the threshold is looking for a number above 0 but would have a 0 when the data recovers, you will need Loss of Signal set to close.

Take a look at this article, that will explain why count() and uniqueCount() will never return a value of 0.

Another note is that currently only Critical violations send notifications. Warnings do not.

Hi Shawna,

This is my current configuration. It does include a loss of signal. Do you see any issues with the configuration?

@cwilkins I don't see any issues off hand. However, you might want to consider using "query returns a value" rather than "sum of query results".
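The following is an added example, not code from the original thread or from New Relic. It is a deliberately simplified Python model of the behaviour Shawna describes in her first reply: a count(*) query produces no data point at all for an aggregation window with no matching rows (it never returns 0), so an "above 0" threshold opens an incident on the first error but never sees a 0 to close it, and with Loss of Signal unset the incident stays open and no further notification is sent until something closes it. The constructed event rows, the one-window-per-minute aggregation, the point-by-point "query returns a value" threshold logic and the Loss of Signal handling (expressed in windows rather than seconds) are all assumptions of this model; it also ignores the fact that each FACET value in the posted query is its own signal with its own loss-of-signal timer.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of ingested Windows event log rows (not real data).
# "t" is seconds since the start of the simulation.
EVENTS = [
    {"t": 30,  "WinEventType": "Error",   "ComputerName": "PV-WEB01", "message": "disk full"},
    {"t": 45,  "WinEventType": "Warning", "ComputerName": "PV-WEB01", "message": "slow io"},
    {"t": 130, "WinEventType": "Error",   "ComputerName": "DB-01",    "message": "disk full"},
    {"t": 400, "WinEventType": "Error",   "ComputerName": "PV-APP02", "message": "service crashed"},
]

WINDOW_SECONDS = 60  # assumed aggregation window


def count_per_window(events: List[dict], n_windows: int,
                     window: int = WINDOW_SECONDS) -> List[Optional[int]]:
    """Mimic: SELECT count(*) FROM Log WHERE WinEventType = 'Error'
    AND ComputerName LIKE 'PV%', evaluated once per aggregation window.

    A window with no matching rows yields None (no data point), because
    count(*) over an empty result set produces no value rather than 0.
    """
    series: List[Optional[int]] = []
    for w in range(n_windows):
        start, end = w * window, (w + 1) * window
        n = sum(
            1 for e in events
            if start <= e["t"] < end
            and e["WinEventType"] == "Error"
            and e["ComputerName"].startswith("PV")
        )
        series.append(n if n > 0 else None)
    return series


@dataclass
class Incident:
    opened: int            # window index in which the incident opened
    closed: Optional[int]  # window index in which it closed, None if still open


def evaluate(series: List[Optional[int]], threshold: int = 0,
             los_windows: Optional[int] = None) -> List[Incident]:
    """Simplified "query returns a value above threshold" evaluator.

    Opens an incident when a data point exceeds the threshold and closes it
    when a non-violating data point arrives, or, if los_windows is set, when
    that many consecutive windows carry no data (Loss of Signal: close open
    violations). Only one incident is open at a time, as one signal.
    """
    incidents: List[Incident] = []
    current: Optional[Incident] = None
    gap = 0  # consecutive windows with no data point
    for w, value in enumerate(series):
        if value is None:
            gap += 1
            if current is not None and los_windows is not None and gap >= los_windows:
                current.closed = w
                current = None
            continue
        gap = 0
        if value > threshold:
            if current is None:
                current = Incident(opened=w, closed=None)
                incidents.append(current)
        elif current is not None:
            current.closed = w  # never reached for count(): no 0 ever arrives
            current = None
    return incidents


if __name__ == "__main__":
    series = count_per_window(EVENTS, 8)
    print("per-window count():", series)
    print("no Loss of Signal  :", evaluate(series))
    print("LoS close after 3  :", evaluate(series, los_windows=3))
```

Run as-is, the model shows the symptom from the original post: without Loss of Signal the first error opens one incident that never closes, so the second error in window 6 produces no new incident and no new email. With Loss of Signal set to close after three empty windows, the first incident closes in window 3 and the later error opens a second incident, which is the "several a day" behaviour the poster expects.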