Introduction to log alert definitions

Alert definitions are a streamlined, centralized mechanism for alerting on collected data. Once alert thresholds are configured, alerts are generated whenever the filtered log results meet them.

To create an alert definition:

  1. Navigate to Infrastructure > Logs.
  2. On the left side of this page, click the Menu icon.
  3. From the MY LOGS VIEWS page, under QUICK LINKS, select Logs Configuration.
    The configuration page is displayed.
  4. From the configurations page, select the ALERTING tab.
    The alert details page is displayed.
  5. Click Add.
  6. Enter the following information on the Definition Details page:
    • Name: Provide a unique name for the alert definition.
    • Filter Query: Build a valid LOGQL query that filters the logs to which the alert definition applies.
      You can change the time frame using the calendar icon. You can also open the matching logs in the log explorer or view them as a list using the explorer and list icons.

Alert Conditions

  • Critical alert when number of results: Select an operator from the drop-down and enter a value to set the threshold. If the number of results returned by the filter query satisfies this condition, a critical alert is triggered.
    Examples: <3, >1, =2
  • Warning alert when number of results: Select an operator from the drop-down and enter a value to set the threshold. If the number of results returned by the filter query satisfies this condition, a warning alert is triggered.
    Examples: <3, >1, =2
  • Note: You can set both critical and warning thresholds, or only one of them, depending on your requirements.
  • If there is no data: If no data comes in, choose one of the following options:
    • Do not trigger alert - No alert is triggered if no data comes in.
    • Trigger critical alert - A critical alert is triggered if no data comes in.
    • Trigger warning alert - A warning alert is triggered if no data comes in.
  • Evaluation Duration: The period over which the filtered results are evaluated to determine whether the alert conditions are met.
  • Heal alert if: The condition under which an open alert is healed (resolved).
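The following is an added example, not code from the product documented on this page, that evaluates one alert definition over a window of log entries the way the Alert Conditions section describes: the result count from the filter query is compared against the critical and warning thresholds (critical checked first), and the "If there is no data" setting decides the outcome for an empty window. The class names, the use of a Python callable in place of a LOGQL filter query, and the sample log lines are all assumptions constructed for the example.

```python
import operator
from dataclasses import dataclass
from typing import Callable, Optional

# Operators offered by the threshold drop-down (page examples: <3, >1, =2).
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq}

@dataclass
class Condition:
    """A threshold such as '>1' applied to the number of filtered results."""
    op: str
    value: int

    @classmethod
    def parse(cls, text: str) -> "Condition":
        op, number = text[0], text[1:]
        if op not in OPS:
            raise ValueError(f"unsupported operator in {text!r}")
        return cls(op, int(number))

    def matches(self, count: int) -> bool:
        return OPS[self.op](count, self.value)

@dataclass
class AlertDefinition:
    name: str
    filter_query: Callable[[dict], bool]  # assumption: stands in for the LOGQL filter query
    critical: Optional[Condition] = None
    warning: Optional[Condition] = None
    no_data: str = "none"  # "none" | "critical" | "warning"

def evaluate(defn: AlertDefinition, logs: list) -> Optional[str]:
    """Return 'critical', 'warning' or None for one evaluation window."""
    if not logs:  # nothing came in: the "If there is no data" setting decides
        return None if defn.no_data == "none" else defn.no_data
    count = sum(1 for entry in logs if defn.filter_query(entry))
    if defn.critical and defn.critical.matches(count):
        return "critical"  # checked first, so it wins when both thresholds match
    if defn.warning and defn.warning.matches(count):
        return "warning"
    return None

# Constructed sample log lines and a definition that alerts on ERROR-level entries.
SAMPLE_LOGS = [
    {"host": "web-01", "level": "ERROR", "msg": "auth failed"},
    {"host": "web-01", "level": "INFO", "msg": "request ok"},
    {"host": "web-02", "level": "ERROR", "msg": "auth failed"},
    {"host": "web-02", "level": "ERROR", "msg": "disk full"},
]
ERROR_SPIKE = AlertDefinition("error-spike", lambda e: e["level"] == "ERROR",
    critical=Condition.parse(">2"), warning=Condition.parse(">1"), no_data="warning")
```

With all four sample entries the definition fires a critical alert (three matches, >2); with only the first three it fires a warning (two matches); an empty window yields a warning because of the no-data setting.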

  • Alert Identification

    The alert identification section defines the scope of the alert.

    • Entity Type: Select either Resource or Client. An alert can apply to a specific resource, such as a server, or be a client-level alert.
      Note: For Dynamic Change Detection, you can select the Entity Type only as Resource.
    • Component: Select a component. This field is used to identify the alert.

    • Resource Attributes: Add a resource attribute to the alert. These attributes are included in the alert.
      Note: Resource attributes can be defined only for the Resource entity type.
      • Select the attribute key and the attribute value from the drop-down boxes. These attributes are shown in the alert details.
      • Note: You can select at most 4 attributes, that is, host, name, UUID, and IP.
        If you select $name as the attribute value, the value of name is read from the metric and displayed on the alert details page.

    • Labels: Assign a value to a label. These labels are shown on the alert details page.
      • Enter the name of the label in the Name box.
      • Enter the value of the label in the Value box.
      • Example: If the name is id and the value is 10, the label is shown as id is 10.

  7. Click ADD DEFINITION. The alert definition is saved.
    You can enable or disable an alert definition from the Alerting page.

Notification Format

The Subject and Description entered here are shown on the alert details page.

  • Subject: Enter the subject for the alert.
  • Description: Enter the alert description.

Delete an Alert Definition

  1. Go to Infrastructure > Logs.
  2. On the left side of this page, click the Menu icon.
  3. From the MY LOGS VIEWS page, under QUICK LINKS, select Logs Configuration.
    The configuration page is displayed.
  4. From the configurations page, select the ALERTING tab.
    The alert details page is displayed.
  5. Select an alert definition.
  6. Click Remove.
    The selected alert definition is deleted.