Monitor Logs Insights: logtype.alerts and logtype.executions

Every Monitor in the system automatically generates two types of Logs that let you query and understand its activity: logtype.alerts and logtype.executions, as shown in the image below.

[Image: Example of a logtype.alerts and a logtype.executions Log]

logtype.executions Log

Structure

The logtype.executions Log records every time a Monitor runs, including the outcome of that run. To see the full structure of logtype.executions, run this query:

* in logtype.executions

Log Columns

date, Monitor ID, Monitor Name, Monitor Status, risk, status, appLinkName, appLinkContext, numberOfFailAlerts, numberOfEvents, resultId, entities, lastUpdate, statusMessage, startTime, endTime

A key field in logtype.executions is Monitor Status, which tells you the outcome of each Monitor run. These are its possible values and their meanings:

  • Initialized: The Monitor has been set up but hasn't run yet.

  • Succeeded: The Monitor ran and didn't trigger an Alert (it found no matching events).

  • Failed: The Monitor ran and triggered an Alert (it found matching events). Note that Failed describes the check, not the run: a Monitor that fired is in the Failed state, while a Monitor that could not run at all is in the Error state.

  • Error: The Monitor can't run because of a configuration problem.

Usage Example

To see Monitors that aren't in a Succeeded or Failed state, and to understand why, use this query:

status != "Succeeded" AND status != "Failed" in logtype.executions | count | group by Monitor Name, Monitor Status as Description in replace format ("Succeeded", "Monitor run and did not alert - no matching events", "Failed", "Monitor run and triggered alert", "Initialized", "Monitor created and initialized but did not run yet", "Error", "Monitor cannot run due to configuration error") | display only Monitor Name, Description

This query will:

  1. Filter logtype.executions to the entries whose status isn't Succeeded or Failed.

  2. Count these occurrences.

  3. Group the results by Monitor Name and Monitor Status, renaming Monitor Status to Description and replacing each status value with its longer explanation.

  4. Display only the Monitor Name and Description columns.
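If you export logtype.executions (for example to CSV or JSON) and want to reproduce the same check outside the query interface, or simply confirm what the query's replace format does, the following Python mirrors it step by step. This is an added example and not part of the page or the product; it assumes each record is a dict keyed by the column names listed under Log Columns, that the Monitor Status column holds the status value, and that a status outside the four documented values is passed through unchanged. The sample records are constructed, not real log data.

```python
"""Added example: a Python equivalent of the page's logtype.executions query.

Assumptions (not stated on the page): records are dicts keyed by the column
names listed under "Log Columns"; the "Monitor Status" column carries the
status value; an undocumented status value is kept as-is.
"""
from collections import Counter

# Descriptions used by the page's "replace format" clause.
STATUS_DESCRIPTIONS = {
    "Succeeded": "Monitor run and did not alert - no matching events",
    "Failed": "Monitor run and triggered alert",
    "Initialized": "Monitor created and initialized but did not run yet",
    "Error": "Monitor cannot run due to configuration error",
}

# Normal run outcomes; the page's filter (status != ...) excludes these.
NORMAL_RUN_STATES = {"Succeeded", "Failed"}


def describe_status(status):
    """Map a Monitor Status value to its description.

    Values outside the documented four are returned unchanged (assumption).
    """
    return STATUS_DESCRIPTIONS.get(status, status)


def summarize_non_run_monitors(records):
    """Mirror the page's query: drop Succeeded/Failed entries, count the rest
    per (Monitor Name, Monitor Status), and return sorted
    (Monitor Name, Description, count) rows."""
    counts = Counter(
        (r["Monitor Name"], r["Monitor Status"])
        for r in records
        if r["Monitor Status"] not in NORMAL_RUN_STATES
    )
    return sorted(
        (name, describe_status(status), n)
        for (name, status), n in counts.items()
    )


# Constructed sample records (not real log data); only the columns the
# query touches are filled in.
SAMPLE_EXECUTIONS = [
    {"date": "2025-06-11 13:00", "Monitor ID": "m-1",
     "Monitor Name": "SSH brute force", "Monitor Status": "Succeeded"},
    {"date": "2025-06-11 13:05", "Monitor ID": "m-1",
     "Monitor Name": "SSH brute force", "Monitor Status": "Failed"},
    {"date": "2025-06-11 13:00", "Monitor ID": "m-2",
     "Monitor Name": "New admin user", "Monitor Status": "Error"},
    {"date": "2025-06-11 13:05", "Monitor ID": "m-2",
     "Monitor Name": "New admin user", "Monitor Status": "Error"},
    {"date": "2025-06-11 13:00", "Monitor ID": "m-3",
     "Monitor Name": "Outbound DNS spike", "Monitor Status": "Initialized"},
]

if __name__ == "__main__":
    for name, description, n in summarize_non_run_monitors(SAMPLE_EXECUTIONS):
        print(f"{name}: {description} ({n} entries)")
```

Run against the sample data, only "New admin user" (Error, twice) and "Outbound DNS spike" (Initialized) are reported; "SSH brute force" is dropped even though one of its runs is Failed, because Failed means the Monitor fired, not that anything is wrong with it. When you point this at a real export, the rows in the Error state are the ones that need a configuration fix.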

logtype.alerts Log

The logtype.alerts Log specifically records information about any Alerts that your Monitors have triggered.

Structure

To see the full structure of logtype.alerts, run this query:

* in logtype.alerts

Log Columns

date, monitor id, monitor name, monitorRisk, monitorRiskTitle, monitorMessage, appLinkName, appLinkContext, monitorApptags, LOG_ALL_RECORD_COLUMNS_RAW, resultId, MONITOR_END_TIMESTAMP, MONITOR_RESULT_KEY, RemoteHost, count, monitorEndTime, MONITOR_EVENTS_COUNT, ALL_TABLE_CSV, APPTAGS, URL

The exact fields you'll find in logtype.alerts depend on how the Alert is configured, but they generally contain the details relevant to the triggered Alert.