Configuring the EQL query for an alert group

On the EQL query tab, you configure the EQL query for the alert group. If any records match the query, then alerts are displayed.

EQL query tab on the Create alert group dialog with no query provided

To configure the EQL query:

In the text area, enter the EQL query.
When entering the query, remember the following:
- All attribute names, including names of derived attributes, must be NCName-compliant. They cannot contain spaces or special characters.
- All statement and derived attribute names must be unique across all of the alert groups.
- Do not alias attributes from the physical data.
  For example, if the data source includes a "Region" attribute, then don't define the attribute under a different name, for example:
```
SELECT Region AS RegionList
```
  End users can only refine data using attributes that are present in the physical data. If you alias an attribute, then end users cannot use it to refine the data.
- Do not use the name of an attribute from the physical data source as the name of a derived attribute.
  For example, if you are creating a derived attribute that averages the values of an existing "Sales" attribute, do not define the new attribute as:
```
SELECT avg(Sales) as Sales
```
  Instead, use a different name, for example:
```
SELECT avg(Sales) as avgSales
```
  This is also to prevent end users from trying to refine by an attribute that is not in the physical data.
After you enter the query, to validate the query, click Test EQL.

If the query is not valid, then an error message is displayed.

If the query is valid, then a "success" message is displayed, and the Load button is enabled.
Click the Load button.
The dialog is updated to display:
- The metrics item(s) for the query. These are the values you are using for the comparison to determine whether to display an alert.
- The group-by items for the query. This determines the number of alerts that display for the group. Below the full list of group-by items is the list of items that can be used for refinement.