Log Insight has always supported user alerts as well as the ability to enable content pack alerts. Previously, enabled content pack alerts were statically copied into a private user space. In Log Insight 4.0, users have the ability to subscribe to alerts in addition to copying them. Read on to learn more!
A couple of problems existed with the way content pack alerts were enabled in Log Insight.
- Alerts were saved privately to a single user.
  - This meant the same alert may be enabled multiple times.
  - It also meant until 4.0 that super admins did not have a good way to control user alerts (now they can as described here).
- Enabled content pack alerts were not tied back to the content pack and so could not receive updates.
  - This often meant that users had stale/inefficient/buggy alerts enabled and did not know.
Log Insight takes Customer eXperience (CX) seriously and does not like changing the default behavior of the product at the expense of CX. The Log Insight team also knows that there are use cases where cloning an alert is desirable. As such, the ability to clone still exists, but bulk options now allow subscribing. Let me explain.
The solution was two-fold:
- Allow users to subscribe to alerts while maintaining the ability to copy alerts
- Create a system notification for duplicated alerts (covered in this post)
Let’s walk through the details of #1. To start, let’s go to Manage Alerts on Interactive Analytics and select a content pack alert to Enable:
By selecting the checkbox and the Enable button, we receive the following pop-up:
We enter how we wish to be contacted and then select the Enable button. You will now see that we have subscribed to the alert (i.e. dynamic alert). You can tell as it says “(Content Pack Alert)” next to Enabled. This is the new feature in Log Insight 4.0 and a change in behavior from previous versions of Log Insight (i.e. this used to result in not tying back to the content pack definition).
So, how do we copy content pack alerts (i.e. static alert)? To do this, select the pencil icon next to the content pack alert you wish to copy — let’s use the same content pack alert as the previous example:
Again, we need to enter how we wish to be contacted and select Save to my Alerts:
Now, we can see we have two alerts enabled; however, the second one does not state “(Content Pack Alert)”:
This second alert follows the same behavior as previous versions of Log Insight and allows users to continue statically copying content pack alerts in Log Insight 4.0.
There is another important difference between subscribing to a content pack alert and copying it. If you have subscribed to a content pack alert and attempt to edit the alert, you cannot edit the name of the alert:
If you copy a content pack alert, then you can rename it:
One final note: if users have subscribed to content pack alerts and a super admin attempts to upgrade the associated content pack, then the super admin is notified that they may be modifying user alerts. This is expected behavior and just a warning for the admin:
IMPORTANT: Any content pack alerts that have been subscribed to will be upgraded when the associated content pack is upgraded. In addition, any threshold changes made by the user will be overridden as well. The notes and notify sections will not be modified.
Log Insight 4.0 introduces the ability to subscribe to content pack alerts. Here are the details:
- You can selectively or bulk subscribe to content pack user alerts by using the Enable button on the Manage Alerts dialog box on Interactive Analytics.
- If you subscribe to content pack alerts, then any time a content pack is updated, your saved alert will automatically receive any updates to the alert definition — including overriding any threshold set by the user.
- You cannot change the name of content pack alerts that you subscribe to.
- You can copy a content pack alert into your own private user space by using the pencil icon next to the alert.
- You can no longer copy a content pack alert into your own private user space in bulk from the Manage Alerts dialog box.
- You can import content pack alerts into your own private user space in bulk on the /contentpack page just like before.
- No changes are made to existing enabled alerts upon upgrade to Log Insight 4.0 (i.e. they remain copied alerts).
As you can see, subscribing to content pack alerts is very powerful and very easy. In fact, I would say it is a best practice. Unless you have good reason to clone a content pack alert, you should always subscribe to it to ensure you get the latest definition and to reduce the number of queries running on the system.
© 2017, Steve Flanders. All rights reserved.
2 comments on “Log Insight 4.0: Subscribing to Content Pack Alerts”
Steve, in some of your screenshots you’re showing alerts from a Log Insight content pack (for Log Insight itself). Where are you getting that content pack? It’s not built-in to v4.0 at least, and the “General” content pack doesn’t have those alerts defined.
Hey Chip — Good catch! A LI content pack has not been released at this time. The primary reason is because it is not supported to send LI logs to itself. There is a feature request to support this on loginsight.vmware.com.