I still don't really understand the difference between the different time delays shown in the three screen shots below.
The first one is how often Orion will check the database to see if the conditions are met.
The second one is how long the alert will be delayed after the conditions have been met.
The last one is how long to wait before an escalation alert is sent, this basically turns the alert into an escalation in the even it wasn't previously handled.
To note, when configuring these it's important to keep your polling intervals in mind. For example, you typically don't want to set your alert checking interval to 1 Minute if your polling intervals are set to 5 Minutes because you will basically be checking the same data-point multiple times.
Hope this helps!
and this one:
and last this one:
As usual byrona, I find your responses short and to the point. Thank you.
One additional question though. Why might one use both the first and second timers in the same alert? They seem redundant.
I use the 2nd one to weed out false positives.
For example with APM I check URL's which sometimes will report as down due to latency. I set it to check for the alert every 5 minutes and I also tell it to not trigger an alert until the issue has existed for at least 4 minutes. By doing this it will have been checked and found to have been down for at least two polling cycles (to confirm it's really down) before I trigger an alert.
Always keep in mind that the alerting engine checks on a schedule that is independent from your polling/collection engine.
