Create alerts
Alerts are available in Hydrolix Search version 1.5.0 and later.
Alerts run an hdxsearch query on a schedule and trigger an action when a condition is met. Follow Splunk's Create alerts guide for the full creation workflow.
Scheduled alerts only
Only scheduled alerts are supported. hdxsearch is a generating command that runs a query, returns results, and exits. Splunk's real-time alert mode requires a continuously streaming search, which hdxsearch doesn't support. Use a short scheduled interval (for example, every minute) as the closest alternative.
Schedule
Common cron expressions for reference:
| Schedule | Cron expression |
|---|---|
| Every minute | * * * * * |
| Every hour | 0 * * * * |
| Every day at 8 AM | 0 8 * * * |
Check search duration against schedule interval
If you use a short schedule, make sure each run completes before the next one is due. If a run overruns its interval, Splunk starts the next scheduled job while the previous one is still running, and the jobs accumulate into a backlog. Check the Job Inspector after the first few runs to confirm that the search duration is comfortably shorter than the schedule interval.
Set the trigger and action
When using hdxsearch as the data source, Number of Results is greater than 0 is the most common trigger condition. It fires when any rows are returned. See Splunk's documentation on trigger conditions and throttling and alert actions for the full list of options.
Update an existing alert
To migrate a scheduled alert to use hdxsearch, edit the alert and replace the search query. Apply the same conversion rules as for dashboard panels:
- Queries starting with `| index` or `| fields`: replace those leading commands with an equivalent `| hdxsearch table="project.table" fields="..."` command.
- Queries using `| tstats`: replace `| tstats` with `| hdxsearch` pointing to a Hydrolix summary table that provides equivalent aggregated data.
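The two conversion rules above, applied to a constructed alert query. This is an added example, not part of the original page: the table names (`web.access_logs`, `web.access_logs_5m`), the field names (`timestamp`, `host`, `status`, `request_count`) and the filter values are assumptions chosen for illustration. Only the `table` and `fields` parameters of `hdxsearch` are used, because they are the only ones this page documents; the row filter and aggregation are left to standard SPL commands downstream of `hdxsearch`.

```spl
/* Rule 1: a raw-event alert query that begins with an index search.
   BEFORE (classic Splunk search over indexed events):                */
index=web_logs sourcetype=access_combined status>=500
| stats count AS errors BY host
| where errors > 10

/* AFTER (hdxsearch as the generating command; assumed table/fields).
   hdxsearch returns the rows, then the same SPL filter and
   aggregation run on them. A trigger of "Number of Results > 0"
   fires whenever any host exceeds the threshold in the window.       */
| hdxsearch table="web.access_logs" fields="timestamp, host, status"
| where status >= 500
| stats count AS errors BY host
| where errors > 10

/* Rule 2: a tstats alert over an accelerated data model.
   BEFORE:                                                             */
| tstats count AS errors WHERE index=web_logs status>=500 BY host
| where errors > 10

/* AFTER: read a Hydrolix summary table (assumed name web.access_logs_5m)
   that already holds pre-aggregated counts per host and status, and
   re-aggregate in SPL. The summary table and its request_count field
   are assumptions; your summary table's schema determines the fields. */
| hdxsearch table="web.access_logs_5m" fields="host, status, request_count"
| where status >= 500
| stats sum(request_count) AS errors BY host
| where errors > 10
```

Keep the converted query's time window consistent with the schedule interval (for example, a query scheduled every minute should look at the last minute of data), otherwise each run re-alerts on the same rows. After saving, confirm in the Job Inspector that the new query still finishes within the interval, since the summary-table variant is normally much cheaper than scanning the raw table.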