I’m trying to to create a custom alert with a query that works when using the regular log search function but when you add the query in Custom Alerts to the “Priority and Trigger” section. The query fails "Your query is invalid:where((query NOT “test.com” AND NOT “www.test2.com” ) AND (“sourcedata” ICONTAINS “TEST1” OR “TEST2” OR “TEST3”))
Anyone know why does this happen or what is wrong with my query?
Hi, nothings actually wrong with your query its just that not everything in Log Search query can be directly used in the Custom Alert trigger query creation. You need to re-work that one. I got the same issue yesterday. Details as below:
Hi n0p! Nowel is correct here. We do not have full parity of LEQL search capabilities between log search and custom alerts right now. The good news is we are actively working on it and expect to have an update released this quarter to address the problem.
The update will also mean you can search over lists rather than concatenating with logical operators. eg sourcedata icontains-any [TEST1, TEST2, TEST3] as well as the full list of comparison operators as described here: Use a Search Language | InsightIDR Documentation
In the meantime, you still have the power of regular expressions to satisfy these kinds of custom alerts.
I would respectfully offer that this is an opportunity to improve the InsightIDR documentation. According to the alert documentation here, it is possible to use LEQL to auto-populate or manually create alerts. I had the same question as @n0p, and have seen others with the same confusion as well. From the docs:
In the “Trigger” section, choose a saved query or optionally create a new query using keywords, regex or LEQL.
New queries require that you specify a calculation to use, and a key to apply the calculation. Any changes of the key based off of the calculation will trigger an alert.