In Aria Operations for Logs, you do not receive an alert via email for a newly configured alarm.


Article ID: 433834


Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • User-configured alerts do not trigger email notifications when specific log events occur.

  • Running the same query manually in Explore Logs correctly displays the expected results.

  • The "Send Test Alert" function works successfully, confirming SMTP settings are correct.

Environment

Aria Operations for Logs 8.18.x

Cause

This behavior typically occurs due to overly restrictive or mismatched alert definitions in two areas:

  1. Non-Existent Field Requirements: The alert criteria include filters that use the Exists operator on a field (e.g., vc_username Exists), but the specific log messages being ingested do not contain that field.
  2. Mismatched "Group By" Logic: The alert is configured to Group By specific fields that are not present in the log messages that match the primary filter. If the "Group By" field is missing from a message, the alert logic may fail to process that message into a notification.

Resolution

To resolve this, simplify the alert criteria to match the actual structure of the log messages:

  1. Verify Field Existence: 

    • Go to Explore Logs and examine the raw log message you expect to trigger the alert.

    • Ensure that every field used in your alert filter (using the Exists operator) is actually present in those specific logs.

  2. Adjust "Group By" Settings:

    • Remove any fields from the Group By section that are not guaranteed to be in every matching log event.
    • If grouping is necessary, ensure the fields are common to all events returned by the query.
     
  3. Simplify for Validation:

    • Reduce the alert to its minimum required filters (e.g., just the text match or basic identifier).

    • Once the alert fires successfully, add complexity (additional filters or grouping) one step at a time to identify which specific condition is breaking the logic.
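
The three steps above can be rehearsed offline against a handful of sample events before editing the alert. The script below is an added example, not part of the original article or the product: the event shape (a "text" string plus a "fields" dict), the sample messages, and the function names are assumptions, and it models an event as counting toward the alert only when it contains the text match, every Exists field and every Group By field.

```python
"""Added example: audit an alert definition against sample events.

Assumptions (not from the product): each event is a dict with a "text" key
and a "fields" dict; an event counts toward the alert only if it contains the
text match, every Exists field and every Group By field.
"""

# Constructed sample events, shaped like login messages.
SAMPLE_EVENTS = [
    {"text": "Failed password for admin from 10.0.0.5",
     "fields": {"hostname": "esx01", "appname": "sshd"}},
    {"text": "Failed password for root from 10.0.0.9",
     "fields": {"hostname": "esx02", "appname": "sshd"}},
    {"text": "Accepted password for admin from 10.0.0.5",
     "fields": {"hostname": "esx01", "appname": "sshd"}},
]


def field_coverage(events, text_match, fields):
    """Step 1 and 2: {field: (events_with_field, events_matching_text)}."""
    matching = [e for e in events if text_match in e["text"]]
    return {f: (sum(1 for e in matching if f in e["fields"]), len(matching))
            for f in fields}


def first_breaking_condition(events, text_match, exists_fields, group_by):
    """Step 3: add conditions one at a time and record the surviving count.

    Returns (steps, breaking): steps is a list of (condition, remaining) and
    breaking is the first condition that leaves no events, or None.
    """
    remaining = [e for e in events if text_match in e["text"]]
    steps = [("text contains %r" % text_match, len(remaining))]
    breaking = None if remaining else steps[0][0]
    conditions = [("%s Exists" % f, f) for f in exists_fields]
    conditions += [("Group By %s" % f, f) for f in group_by]
    for label, name in conditions:
        remaining = [e for e in remaining if name in e["fields"]]
        steps.append((label, len(remaining)))
        if breaking is None and not remaining:
            breaking = label
    return steps, breaking


if __name__ == "__main__":
    print(field_coverage(SAMPLE_EVENTS, "Failed password", ["vc_username", "hostname"]))
    steps, breaking = first_breaking_condition(
        SAMPLE_EVENTS, "Failed password", ["vc_username"], ["hostname"])
    for label, count in steps:
        print("%-32s -> %d events" % (label, count))
    print("First condition that removes every event:", breaking)
```
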

Validation:

  • Trigger a manual log event (e.g., an intentional failed login).

  • Confirm the alert is received via email.