Transform an Infrastructure Condition Into an NRQL Alert Condition

Customers often want to use Infrastructure data in NRQL alert conditions, which offer greater flexibility and control over what to alert on than the standard Infrastructure alert condition. But what if you already have an Infrastructure alert condition and just want to know which query replicates it? Infrastructure conditions are NRQL queries on the backend, so you can find the query with your browser's developer tools by following the steps below:

  1. Open your Infrastructure condition in the browser. You may need to select manage as opposed to clicking directly on the actual condition so it doesn’t open the condition within an additional window.
  2. Open your browser developer tools.
  3. Click refresh on your browser.
  4. Select the Network tab and search for NRQL.
  5. Under headers you will find the request payload which includes the NRQL query behind the Infrastructure condition.
     1. You can omit latest(host).

NOTE: Sometimes this process will give you a query that has extra escape characters, which will cause the query to not show any data in the query builder. This will be especially prevalent with process data, because you might get a clause that looks like this:

WHERE commandLine = 'C:\\\\Program Files\\\\...'

If you do, remove two of the slashes from each group of four, like so:

WHERE commandLine = 'C:\\Program Files\\...'

This is because NRQL requires only one escape character, but when embedding the query in a web page we apparently need to also escape the escape characters.
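The cleanup described above (halving the doubled escapes and omitting latest(host)) can be scripted. This is an added example, not code from the original post or from New Relic; the function names are hypothetical and the sample query is constructed.

```javascript
// Added example: function names are hypothetical, sample query is constructed.

// Collapse backslash runs that were escaped twice: each group of four
// becomes two. Runs whose length is not a multiple of four are left
// untouched and reported, since they do not match the doubled pattern.
function collapseDoubledEscapes(query) {
  const skipped = [];
  const nrql = query.replace(/\\+/g, (run, offset) => {
    if (run.length % 4 !== 0) {
      skipped.push({ offset, length: run.length });
      return run;
    }
    return run.slice(0, run.length / 2);
  });
  return { nrql, skipped };
}

// Drop the latest(host) item from the SELECT list, whether it is
// preceded or followed by a comma.
function omitLatestHost(query) {
  return query
    .replace(/,\s*latest\(host\)/i, "")
    .replace(/latest\(host\)\s*,\s*/i, "");
}

// Apply both steps to a query copied from the request payload.
function toAlertNrql(copied) {
  const { nrql, skipped } = collapseDoubledEscapes(copied);
  return { nrql: omitLatestHost(nrql), skipped };
}

// Constructed sample; String.raw keeps every backslash literal.
const copied = String.raw`SELECT average(cpuPercent), latest(host) FROM ProcessSample WHERE commandLine = 'C:\\\\Program Files\\\\...'`;

const result = toAlertNrql(copied);
console.log(result.nrql);
if (result.skipped.length > 0) {
  console.warn("Backslash runs left unchanged:", result.skipped);
}
```

Any entry in `skipped` marks a backslash run that was not doubled, so check that part of the query by hand before pasting it into the query builder.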

For Infrastructure data you are likely going to be using the Event Flow aggregation method as explained in the post below:

Relic Solution: How Can I Figure Out Which Aggregation Method To Use?