How to link to entries triggering a rule

blindahl · March 9, 2023, 8:36am

We have setup some Rules and Alerts that should trigger if we get error in our logs. In the mail that is sent when a rule is triggered it feels natural to include a link to Discover view with some filters setup and with the time interval that shows the error(s) that triggered the Rule+Alert.

We wonder if we're doing something fundamentally wrong because when adding some filters, the url to Discover view get so long that it sometimes exceed some limit that Outlook can handle.

Is it possible somehow to create a link to a Discover with some predefined filters that get a static, much shorter url that can be reused. The only thing we really want to vary is the time interval where we want to show only the interval where the errors appeared in our logs.

Wave · March 22, 2023, 7:45pm

You can create a permalink using the Share link in Discover. From there you can select to use a short url. Here is the relevant documentation.

blindahl · March 22, 2023, 8:03pm

But can you generate a permalink through API or something since I need to create the link including the time interval containing the entries that triggered the rule. Not sure how that would be done. Haven't found anything about that in the documentation.

Wave · March 22, 2023, 8:18pm

Yeah, that might not be currently possible. I'd imagine you could replace the time value and have the saved search just look back a set amount, but not sure. That might get you where you need to go.

Wave · March 23, 2023, 5:28pm

Ok, using 7.x here, but it should probably work find in 8.x as well. From Discover you should be able to Share the snap shot, from there you'll see a "time" section in the URL. You'll want to set the "to" section to an absolute time and have "from" be relative. For example this would search from today at 17:00 to back 4 days.

time:(from:now-4d%2Fd,to:'2023-03-23T17:00:00.000Z')

I was able to successfully change those settings in the URL and see them take effect in the browser. Good luck.

blindahl · March 31, 2023, 5:21am

Thanks for the response. The issue is that we have some filters we want to include and they take up quite a lot of space in the url and is quite cumbersome to maintain as well. But maybe we can utilize saved search somehow making things more manageable.

Wave · March 31, 2023, 9:19pm

Yeah that makes sense. I wonder if you could save the search with the filters on it and then reference that saved search in a visualization and then share the visualization and change the time there. Never tried that before but it might be possible.

system · April 28, 2023, 9:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.