All Products
Search
Document Center

Simple Log Service:Create an alert monitoring rule for logs

Last Updated:Feb 23, 2024

After you create an alert monitoring rule, Simple Log Service checks query and analysis results based on the configurations that you specify in the rule. The configurations include the check frequency and trigger condition. If alerts are triggered, Simple Log Service denoises the alerts and sends alert notifications based on the alert policy and action policy that you specify.

Prerequisites

  • Data is collected.

    Log data and metric data can be collected. For more information, see Data collection overview and Collect metric data from hosts.

    Important Before you can create an alert monitoring rule based on a query statement, you must store logs in a Standard Logstore. For more information, see Manage a Logstore.
  • If log data is collected, you must create indexes for the data. For more information, see Create indexes.

Procedure

  1. Log on to the Simple Log Service console.

  2. In the Projects section, click the project that you want to manage.

  3. On the Log Storage > Logstores tab, click the Logstore that you want to manage.

  4. On the query and analysis page, click the 告警图标 icon.

  5. In the Alert Monitoring Rule panel, configure the following parameters and click OK.

    Parameter

    Description

    Rule Name

    Specify the name of the alert monitoring rule.

    Check Frequency

    Specify the frequency at which query and analysis results are checked. Valid values:

    • Hourly: Query and analysis results are checked every hour.

    • Daily: Query and analysis results are checked at a specified point in time every day.

    • Weekly: Query and analysis results are checked at a specified point in time on a specified day of each week.

    • Fixed Interval: Query and analysis results are checked at a specified interval.

    • Cron: Query and analysis results are checked at an interval that is specified by a cron expression.

      A cron expression can specify an interval that is accurate to the minute. The cron expression is based on the 24-hour clock. For example, 0 0/1 * * * specifies that query and analysis results are checked at an interval of 1 hour from 00:00.

    Query Statistics

    Click the input box. In the Query Statistics dialog box, configure query statement-related settings.

    • Associated Report: On this tab, you can select a dashboard to monitor data.

    • Advanced Settings: On the Advanced Settings tab, you can select Logstore, Metricstore, or Resource Data from the Type drop-down list to specify the type of data that you want to monitor.

      • Logstore: Logs are stored. For more information about query and analysis configurations, see Query and analyze logs.

      • Metricstore: Metrics are stored. For more information about query and analysis configurations, see Query and analyze metric data.

      • Resource Data: The external data that you want to associate with the alert monitoring rule can be specified. For more information, see Create resource data.

      If you set Type to Logstore or Metricstore and specify a query statement, you can specify whether to enable Dedicated SQL. For more information, see Enable Dedicated SQL.

      • Auto: By default, Dedicated SQL is not enabled. If the number of concurrent queries exceeds the upper limit or the query results are inaccurate, Simple Log Service automatically retries the queries by using Dedicated SQL.

      • Enable: Dedicated SQL is enabled for query and analysis.

      • Disable: Dedicated SQL is disabled.

    If you specify multiple query statements, you can configure the Set Operations parameter to associate the query and analysis results of the statements. For more information, see Multi-set operations.

    Group Evaluation

    Simple Log Service can group query and analysis results. For more information, see Use the group evaluation feature. Valid values:

    • Custom Label: Simple Log Service groups query and analysis results based on the fields that you specify. After Simple Log Service groups the query and analysis results, Simple Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.

      You can specify multiple fields.

    • No Grouping: Only one alert is triggered in each check period when the trigger condition is met.

    • Auto Label: If you select Metricstore from the Type drop-down list in the Query Statistics dialog box, Simple Log Service automatically groups query and analysis results. A value of Metricstore specifies that the query and analysis results of metrics are monitored.

      After Simple Log Service groups the query and analysis results, Simple Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.

    Trigger Condition

    Specify the trigger condition and severity of an alert.

    • Trigger condition

      • Data is returned: If data is returned in the query and analysis results, an alert is triggered.

      • the query result contains: If the query and analysis results contain N data entries, an alert is triggered.

      • data matches the expression: If the query and analysis results contain data that matches a specified expression, an alert is triggered.

      • the query result contains and matches: If the query and analysis results contain N data entries that match a specified expression, an alert is triggered.

    • Severity

      This parameter is used to denoise alerts and manage alert notifications. You can add severity-based conditions when you create an alert policy or an action policy. For more information, see Specify severity levels for alerts.

      • If you specify one trigger condition, you can specify a severity for the condition. In this case, all alerts that are triggered based on the alert monitoring rule have the same severity.

      • If you specify more than one trigger condition, you can specify a severity for each condition. You can click Create to specify additional trigger conditions.

    For more information about the syntax of conditional expressions in alert monitoring rules, see Syntax of trigger conditions in alert rules.

    Add Label

    Simple Log Service allows you to add labels as identifying attributes to alerts. Labels are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add label-based conditions when you create an alert policy or an action policy. For more information, see Labels and annotations.

    Add Annotation

    Simple Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add annotation-based conditions when you create an alert policy or an action policy. For more information, see Labels and annotations.

    If you turn on Auto-Add Annotations, fields such as __count__ are automatically added to alerts. For more information, see Auto-Add switch.

    Recovery Notifications

    If you turn on Recovery Notifications, a recovery alert is triggered each time an alert is cleared. The severity of a recovery alert is the same as the severity of the alert for which the recovery alert is triggered. For more information, see Recovery notifications.

    Threshold of Continuous Triggers

    Specify the threshold at which an alert is triggered. If the number of consecutive times that the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.

    No Data Alert

    If you turn on No Data Alert, an alert is triggered when the number of times that no data is returned exceeds the value of Threshold of Continuous Triggers. If multiple query statements are executed, the number of times is counted based on the associated query and analysis results of the query statements. For more information, see No-data alert.

    Destination

    Specify the location to which alerts are sent. You can specify one or more locations. Valid values:

    • Eventstore: Alerts are sent to a specified Eventstore.

    • CloudMonitor Event Center: Alerts are sent to the Event Center of CloudMonitor. Then, CloudMonitor manages the alerts and sends alert notifications.

    • Log Service Notification: Alerts are sent to the notification feature of Simple Log Service. Then, Simple Log Service manages the alerts based on the specified alert policy and action policy.

    Destination-Eventstore

    • Enable: If you turn on Enable, alerts are sent to the Eventstore that you specify.

    • Region: the region of the Eventstore to which alerts are sent.

    • Project: the project of the Eventstore to which alerts are sent.

    • Eventstore: the Eventstore to which alerts are sent.

    • Authorization Method

      • Default Role: Click Authorize. Then, follow the on-screen instructions to complete authorization. This way, the AliyunLogETLRole system role can be used to send alerts to the Eventstore. For more information, see Grant permissions to the default role.

      • Custom Role: A custom role is used to send alerts to the Eventstore. Enter the Alibaba Cloud Resource Name (ARN) of the custom role. For more information, see Grant permissions to a custom role.

    Destination-CloudMonitor Event Center

    • Enable: If you turn on Enable, alerts are sent to the Event Center of CloudMonitor.

    Destination-Log Service Notification

    • Enable: If you turn on Enable, alerts are sent to the notification feature of Simple Log Service for management and notification.

    • Alert Policy: Alert policies are used to merge, silence, and denoise alerts.

      • If you select Simple Mode or Standard Mode, you do not need to configure alert policies. By default, Simple Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts.

      • If you select Advanced Mode, you can select a built-in or custom alert policy to manage alerts. For more information about how to create an alert policy, see Create an alert policy.

    • Action Policy: Action policies are used to manage alert notification methods and frequencies.

      • If you set Alert Policy to Simple Mode, you need to only configure an action group for this parameter.

        After you configure an action group, Simple Log Service automatically creates an action policy named in the Rule name-Action policy format. Alert notifications are sent based on the action policy for all alerts that are triggered based on the alert monitoring rule. For more information, see Notification methods.

        Important

        You can modify an action policy on the Action Policy tab. For more information, see Create an action policy. If you add conditions when you modify an action policy, the value of Alert Policy is automatically changed to Standard Mode.

      • If you set Alert Policy to Standard Mode or Advanced Mode, you can select a built-in action policy or custom action policy to send alert notifications. For more information about how to create an action policy, see Create an action policy.

        If you set Alert Policy to Advanced Mode, you can turn on or turn off Custom Action Policy. For more information, see Dynamic action policy mechanism.

    • Repeat Interval: If duplicate alerts are triggered in the specified period, the action policy that you select is executed only once, and only one alert notification is sent.