All Products
Search
Document Center

Simple Log Service:Use an evaluate expression to specify a trigger condition

Last Updated:Aug 25, 2023

This topic describes how to use an evaluate expression to specify a trigger condition. This topic also describes the related usage notes and limits.

Simple Log Service allows you to use an evaluate expression when you specify a trigger condition in an alert monitoring rule. For example, you set the Trigger Condition parameter to data matches the expression and you specify an evaluate expression. If data in the query and analysis results matches the specified evaluate expression, an alert is triggered. You can use dynamic variables, logical operators, and comparison operators in an evaluate expression. For more information about the syntax of evaluate expressions, see Syntax of evaluate expressions.

Configurations

In an alert monitoring rule, an evaluate expression is used to evaluate the results of set operations. If the results meet a trigger condition in the alert monitoring rule, an alert is triggered. The trigger conditions include the following options:

  • Data is returned: If data is returned in the results of set operations, an alert is triggered.

  • the query result contains: If the results of set operations contain a certain number of data entries, an alert is triggered. Supported comparison operators include greater than, less than, and equal to. For example, if you specify the query result contains>10 as the trigger condition, and the results of set operations contain four data entries, no alert is triggered because the number of data entries in the results does not meet the specified trigger condition.

  • data matches the expression: If the results of set operations contain data that matches a specified evaluate expression, an alert is triggered. For example, if you specify data matches the expression, pv>1000 as the trigger condition, and the results of set operations contain only one data entry whose PV is 900, no alert is triggered because the data in the results does not meet the specified trigger condition.

  • the query result contains: If the query and analysis results contain a certain number of data entries that match a specified evaluate expression, an alert is triggered. For example, if you specify the query result contains>3, pv>1000 as the trigger condition, and the results of set operations contain four data entries whose PV is 900, 1100, 1200, and 1001, an alert is triggered because the data in the results meets the specified trigger condition.

Trigger conditions

Variables

Note

The results of set operations that are performed on query and analysis results are evaluated. The set operations include the CROSS JOIN and LEFT JOIN operations.

  • If query and analysis results do not contain duplicate fields, you can quote fields in an evaluate expression without the need to add prefixes to the fields. The prefixes include $0, $1, and $2. Example: name == 'sls'.

  • If query and analysis results contain duplicate fields, you can quote fields in an evaluate expression by adding prefixes to the fields. The prefixes include $0, $1, and $2. Example: $0.name == 'sls' || $1.name == 'ecs'.

    For more information, see Multi-set operations.

Data type

Query statement

Description

Log data

A query statement that does not contain SELECT

Only a search statement is used to query logs.

If you specify an evaluate expression for a trigger condition, you can quote the fields that are contained in the query results.

A query statement that contains SELECT * FROM log

If you specify an evaluate expression for a trigger condition, you can quote the fields for which Enable Analytics is turned on.

A query statement that contains SELECT * FROM (SELECT...)

If you specify an evaluate expression for a trigger condition, you can quote the fields that are contained in the specified SELECT subquery.

Time series data

A query statement that contains SELECT promql(...)

The promql_query(string) and promql_query_range(string, string) functions can return the following fixed fields: metric, labels, time, and value. Simple Log Service expands the labels field in the map format.

If you specify an evaluate expression for a trigger condition, you can quote the following fields: metric, labels, time, and value. You can also quote the subfields of the labels field.

A query statement that contains SELECT a, b FROM (SELECT promql(...))

If you specify an evaluate expression for a trigger condition, you can quote the fields for which Enable Analytics is turned on.

A query statement that contains SELECT * FROM log

If you specify an evaluate expression for a trigger condition, you can quote the fields for which Enable Analytics is turned on.

Resource data

None

The value of a field in resource data can be of the string, floating-point number, or numeric type. The JSON type is not supported.

If you specify an evaluate expression for a trigger condition, you can quote the ID of a field in resource data.

Examples

  • Example 1: If the success rate of a task is lower than 90% and the latency exceeds 60 seconds in one day, an alert is triggered.

    Set the Trigger Condition parameter to data matches the expression, success < 90 && delay > 60.

    Example of a trigger condition
  • Example 2: If the number of times that the HTTP status code 500 is returned for requests in 15 minutes reaches 10, an alert is triggered.

    Set the Trigger Condition parameter to data matches the expression, status == 500 && total > 10.

    Example of a trigger condition