Issue description

Possible causes

• The alert profile may be disabled.
• Events related to alerts are not recorded natively.
• Events related to alert are not collected by the application.
• The daily alert limit has been reached for the respective alert profile.
• Alert dumps may be getting stored due to processing delays or latency in the system. 

Resolution

• Navigate to the Alerts tab > click More Tools > Select Manage Profiles.
• Ensure the relevant alert profile is enabled.

• Navigate to the Alerts tab > click More Tools > select Manage Profiles and edit the respective alert profile.
• Click the + symbol next to Criteria to view the criteria set for the alert profile.

• Verify if the criteria set matches your requirements.

1. The event is available in the Search tab but does not meet the criteria used
   
2. The event is not available in the Search tab. 
   
   

1.  The event is available in the Search tab but does not meet the criteria used: 

If this is the case, you need to build the criteria in the Search tab to get the desired results and choose Save As > Save as Alert. See the image below.
 
Trigger an event and check if the log is collected by the application and if the alert is recorded. If the log is collected but the alert is not yet recorded, jump to step four.

2.  Events are not available in the Search tab: 

1. Navigate to Settings > Log source configuration. Check the time the action happened and the Last Message time of the log source to ensure events in the specified time range are collected by the application. Wait or update the monitoring interval (if available) to have the log collected. If the logs are collected for the time specified, proceed with the next step.
2. Navigate to Settings > Admin Settings > Log Collection Filter and check if any filter policy configured may prevent log collection from the respective log sources, leading to the event not being collected.
3. Check if the events are recorded natively and set the required configurations to have them recorded.
   

• On the Manage Profiles page, set Date & Time Range as Today and check the number of alerts being recorded per day.
• Navigate to Settings > Admin Settings > Product Settings and check the Daily Email Limit to validate if the daily limit has been reached. If yes, you can either increase it (preferred) or disable it as per usability. (The default value is 10,000.)
  

• Check <Installation Directory>\Data\AlertDump for unprocessed alert files.
• The alert dump is a temporary storage location where alert log files will be placed temporarily before indexing them in Elasticsearch. A file in the alert dump indicates the alert engine has flagged an event as an alert but the event is yet to be indexed in Elasticsearch. Once indexed, the data for the alert will be visible in the user interface.
• It's unlikely for files to be sent to the alert dump but can occur in the following cases: 

1. Insufficient system resources: Refer to the System Requirements and use the System Resource Calculator to estimate your requirements.
2. Formation of CachedRecord due to resource starvation 

Validation and testing

• Generate a sample event that matches the alert criteria.
• Check if the alert is recorded in the Alerts tab.
• Verify that the alert count is logged under the profile for the current day.

Tips

• Regularly monitor alert counts and thresholds.
• Configure alert email recipients with correct addresses and domains.
• Test alert profiles periodically to ensure continuous functionality.

How to reach support