This topic describes the terms that are used in the alerting feature of Simple Log Service.

| Term | Description |
| --- | --- |
| Logstore | Simple Log Service provides Logstores to store log data. You can use the SQL-92 syntax to query and analyze log data. Alert monitoring tasks are based on the query and analysis feature. |
| Metricstore | Simple Log Service provides Metricstores to store time series data. You can use the PromQL syntax and the SQL-92 syntax to query and analyze time series data. Alert monitoring tasks are based on the query and analysis feature. |
| alert | An alert indicates an alert event. If an alert is triggered based on a specific alert monitoring rule, the alert event is sent to the alert management system and then to the notification management system. The alerting module of Simple Log Service consists of subsystems, features, entities, and submodules such as the alert monitoring system and alert monitoring rules. |
| alert monitoring system | The alert monitoring system is the subsystem that triggers alerts. It contains alert monitoring rules and resource data. The alert monitoring system periodically monitors and evaluates query and analysis results based on alert monitoring rules. If an alert is triggered or cleared based on an alert monitoring rule, the alert monitoring system sends the alert or a recovery notification to the alert management system based on the monitoring rule orchestration. |
| alert management system | The alert management system is the subsystem that denoises alerts and manages alert statuses. It contains alert policies, alert incidents, and alert dashboards. The alert management system dispatches, deduplicates, silences, and merges alerts based on alert policies, and then sends the processed alerts to the notification management system. The alert management system also allows you to switch incident phases and specify handlers for incidents. |
| notification management system | The notification management system is the subsystem that manages notification methods and recipients. It contains action policies, alert templates, calendars, users, user groups, on-duty groups, and notification method quotas. The notification management system sends notifications to specified recipients by using specified notification methods. Recipients can be users, user groups, or on-duty groups. The notification management system also allows you to create custom alert templates. |
Alert monitoring system
Alerts are triggered in the alert monitoring system. The alert monitoring system contains alert monitoring rules and resource data. The following figure shows the architecture of the alert monitoring system.

| Term | Description |
| --- | --- |
| alert monitoring rule | An alert monitoring rule includes the settings that are configured to monitor data, such as query statements, the objects that are queried and analyzed, and the related monitoring rule orchestration. The objects that are queried and analyzed include Logstores, Metricstores, and resource data. For more information, see Create an alert monitoring rule for logs. |
| resource data | Simple Log Service provides an independent, modifiable, tabular storage structure to store various resource configurations and custom data. You can use resource data to perform union queries. For example, you can use resource data to monitor blacklists and whitelists. For more information, see Create resource data. |
| alert severity | An alert severity is a non-identifying attribute of an alert. Alert severities include critical, high, medium, low, and report. For more information, see Specify severity levels for alerts. |
| group evaluation | When you create an alert monitoring rule, you must specify the Group Evaluation parameter. When the alert monitoring system calculates query and analysis results, it can group the results based on the specified fields. The results in each group are evaluated against the specified trigger condition. If the results in a group meet the trigger condition, an alert is triggered for that group. This way, one alert monitoring rule can monitor multiple groups of query and analysis results at the same time, and you can manage alerts and incidents for each group. For more information, see Use the group evaluation feature. |
| evaluate expression | Evaluate expressions follow a specific syntax. Simple Log Service checks whether the specified trigger condition is met and evaluates the severity of an alert based on the result of an evaluate expression. An evaluate expression can reference the fields of query and analysis results to perform logical comparisons and calculations. If the result of an evaluate expression is true, the query and analysis results match the evaluate expression. For more information, see Syntax of evaluate expressions. |
| alert label | An alert label is an identifying attribute of an alert. Labels are key-value pairs. You can add a label when you configure an alert monitoring rule. If an alert is triggered based on the rule, the label is added to the alert as an alert attribute. Labels can be referenced in alert templates. When you manage alerts and configure action policies, you can specify labels as alert attributes. For more information, see Labels. |
| alert annotation | An alert annotation is a non-identifying attribute of an alert. Annotations are key-value pairs. You can add an annotation when you configure an alert monitoring rule. If an alert is triggered based on the rule, the annotation is added to the alert as an alert attribute. Annotations can be referenced in alert templates. When you manage alerts and configure action policies, you can specify annotations as alert attributes. For more information, see Annotations. |
| recovery notification | Recovery notifications are special alert notifications. In a recovery notification, the alert status is Resolved. In a normal alert notification, the alert status is Firing. For example, if the recovery notification feature is enabled in an alert monitoring rule, an alert was triggered in the last check, and the trigger condition is not met in the current check, a recovery notification is sent. If you configure multiple monitoring tasks, we recommend that you enable the recovery notification feature so that you are notified as soon as alerts are cleared. For more information, see Recovery notifications. |
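The following is an added example, not code from Simple Log Service, that models how group evaluation, evaluate expressions, labels, annotations, and recovery notifications described above fit together. The query rows, the rule structure, the rule ID, and the way severity expressions are written (plain Python predicates, standing in for the real evaluate expression syntax) are all assumptions made for this illustration.

```python
# Added illustrative example (not Simple Log Service code): group evaluation over
# constructed query-and-analysis results, a severity decision per group, and
# detection of groups that recovered since the previous check.
from collections import defaultdict

# Constructed rows, as a "... | select host, count(*) as cnt group by host" style
# query might return them. Not real data.
QUERY_RESULTS = [
    {"host": "web-01", "cnt": 3},
    {"host": "web-02", "cnt": 45},
    {"host": "web-03", "cnt": 120},
]

# An alert monitoring rule reduced to the parts discussed on the page.
# The field names and the rule ID are assumptions for this example.
RULE = {
    "rule_id": "rule-5xx-spike-placeholder",
    "group_by": ["host"],                      # Group Evaluation fields
    # Severity expressions, checked in order; the first true one decides the
    # severity. Written as Python lambdas instead of the real expression syntax.
    "severity_exprs": [
        ("critical", lambda r: r["cnt"] >= 100),
        ("high",     lambda r: r["cnt"] >= 20),
    ],
    "labels": {"service": "frontend"},        # identifying attributes of the alert
    "annotations": {"title": "5xx error spike"},  # non-identifying attributes
}


def group_results(rows, fields):
    """Group result rows by the values of the configured fields."""
    groups = defaultdict(list)
    for row in rows:
        key = tuple((f, row.get(f)) for f in fields)
        groups[key].append(row)
    return groups


def evaluate_rule(rule, rows, previous_firing=frozenset()):
    """Return (alerts, recovered_keys).

    alerts: one Firing alert per group whose rows satisfy a severity expression;
            the group fields are merged into the alert labels so each group is
            a distinct alert.
    recovered_keys: groups that fired in the previous check but not in this one,
            i.e. the groups for which a recovery (Resolved) notification is due
            when the recovery notification feature is enabled.
    """
    alerts = []
    firing_now = set()
    for key, group_rows in group_results(rows, rule["group_by"]).items():
        for severity, expr in rule["severity_exprs"]:
            if any(expr(r) for r in group_rows):
                labels = dict(rule["labels"], **dict(key))
                alerts.append({
                    "rule_id": rule["rule_id"],
                    "status": "Firing",
                    "severity": severity,
                    "labels": labels,
                    "annotations": dict(rule["annotations"]),
                })
                firing_now.add(key)
                break
    recovered = sorted(previous_firing - firing_now)
    return alerts, recovered


if __name__ == "__main__":
    # Pretend web-01 fired in the last check: it recovers, web-02/03 fire now.
    fired, recovered = evaluate_rule(RULE, QUERY_RESULTS, frozenset({(("host", "web-01"),)}))
    for a in fired:
        print(a["severity"], a["labels"])
    print("recovered:", recovered)
```

Each group produces its own alert whose labels carry the group fields, which is what lets the alert management system later treat alerts for different hosts as different alerts while deduplicating repeats of the same one.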
Alert management system
The alert management system denoises alerts and manages alert statuses. The alert management system contains alert policies, alert incidents, and alert dashboards. The following figure shows the architecture of the alert management system.

| Term | Description |
| --- | --- |
| alert policy | Alert policies are configuration entities of the alert management system. You can configure alert policies when you ingest external alerts and when you configure alert monitoring rules. After the alert management system receives alerts and recovery notifications, it denoises and merges the alerts based on alert policies. Then, the alert management system sends the merge sets to the notification management system, which sends the alert notifications. |
| alert fingerprint | The alert management system calculates a fingerprint for each alert. Alerts with the same fingerprint are considered the same alert. Fingerprints are calculated from the identifying attributes of alerts: the Alibaba Cloud account to which an alert belongs, the project in which the alert resides, the ID of the monitoring rule, and the labels. For more information, see Deduplicate alerts based on fingerprints. |
| alert silence | You can configure a silence policy when you configure an alert policy. If an alert is triggered during the silence period and matches the specified conditions, no alert notification is sent. For more information, see Silence policies. |
| route consolidation policy | You can configure a route consolidation policy when you configure an alert policy. If the alert management system receives alerts that match the conditions of a route consolidation policy, it groups the alerts into different merge sets based on the policy. Then, the alert management system delays and deduplicates the merge sets based on the policy and sends them to the notification management system. For more information, see Merge alerts. |
| merge set | A merge set stores alerts that are merged and grouped. Each merge set can contain one or more fingerprints. The alert management system delays and deduplicates merge sets based on a route consolidation policy and sends them to the notification management system. |
| alert incident | After alerts are sent to the alert management system, they are grouped into different merge sets based on a route consolidation policy, and an incident is automatically created for each merge set. You can switch incident phases and specify incident handlers in the Simple Log Service console. Incident statuses include confirmed, resolved, ignored, and pending evaluation. Simple Log Service can also update incident statuses automatically. For more information, see Switch an incident phase. |
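The following is an added example, not Simple Log Service code, covering the alert fingerprint, alert silence, route consolidation policy, and merge set entries above. It computes a fingerprint from exactly the identifying attributes the page names (account, project, rule ID, labels), drops silenced alerts, deduplicates by fingerprint, and groups what remains into merge sets. The hashing scheme, the shape of a silence policy (label equality within a time window), and the sample alerts are assumptions; the delay step and incident creation are left out.

```python
# Added illustrative example (not Simple Log Service code): fingerprinting from the
# identifying attributes named on the page, a silence check, and grouping into
# merge sets. Hash construction and policy shapes are assumptions.
import hashlib
import json


def alert_fingerprint(alert):
    """Hash of the identifying attributes: account, project, rule ID and labels.

    Labels are serialised with sorted keys so that label order cannot change the
    fingerprint. Non-identifying attributes (severity, annotations) are excluded
    on purpose: a severity change on the same alert must not create a new alert.
    """
    ident = {
        "account": alert["account"],
        "project": alert["project"],
        "rule_id": alert["rule_id"],
        "labels": alert.get("labels", {}),
    }
    canon = json.dumps(ident, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def is_silenced(alert, silence_policies, now):
    """A silence policy (assumed shape) matches when every configured label is
    equal on the alert and `now` lies inside the policy's [start, end) window."""
    labels = alert.get("labels", {})
    for pol in silence_policies:
        in_window = pol["start"] <= now < pol["end"]
        matches = all(labels.get(k) == v for k, v in pol["match"].items())
        if in_window and matches:
            return True
    return False


def build_merge_sets(alerts, group_by, silence_policies=(), now=0):
    """Route consolidation: discard silenced alerts, deduplicate by fingerprint,
    then group the remaining alerts into merge sets keyed by the label fields in
    `group_by`. Returns {merge_set_key: [alerts with their fingerprint]}."""
    merge_sets = {}
    seen = set()
    for alert in alerts:
        if is_silenced(alert, silence_policies, now):
            continue
        fp = alert_fingerprint(alert)
        if fp in seen:
            continue  # same fingerprint means the same alert; already in a merge set
        seen.add(fp)
        key = tuple(alert.get("labels", {}).get(f) for f in group_by)
        merge_sets.setdefault(key, []).append(dict(alert, fingerprint=fp))
    return merge_sets


# Constructed alerts; account, project and rule IDs are placeholders, not real values.
ALERTS = [
    {"account": "account-placeholder", "project": "sec-logs", "rule_id": "rule-ssh-bruteforce",
     "labels": {"service": "bastion", "host": "bast-01"}, "severity": "high"},
    # Same alert as above: same labels in a different order, only the severity differs.
    {"account": "account-placeholder", "project": "sec-logs", "rule_id": "rule-ssh-bruteforce",
     "labels": {"host": "bast-01", "service": "bastion"}, "severity": "critical"},
    {"account": "account-placeholder", "project": "sec-logs", "rule_id": "rule-ssh-bruteforce",
     "labels": {"service": "bastion", "host": "bast-02"}, "severity": "high"},
    {"account": "account-placeholder", "project": "sec-logs", "rule_id": "rule-disk-full",
     "labels": {"service": "db", "host": "db-01"}, "severity": "medium"},
]
# Constructed silence policy: mute db-01 for the first hour (times are seconds).
SILENCES = [{"match": {"host": "db-01"}, "start": 0, "end": 3600}]


if __name__ == "__main__":
    for key, members in build_merge_sets(ALERTS, ["service"], SILENCES, now=100).items():
        print(key, [m["labels"]["host"] for m in members])
```

Grouping by `service` puts both bastion hosts into one merge set, so they reach the notification management system as a single notification, while the db-01 alert is absent until its silence window has passed.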
Notification management system
The notification management system manages the notification methods and recipients of alert notifications. The notification management system contains action policies, alert templates, calendars, users, user groups, on-duty groups, and notification method quotas. The following figure shows the architecture of the notification management system.

| Term | Description |
| --- | --- |
| action policy | Action policies are configuration entities of the notification management system. After alerts and recovery notifications are grouped into merge sets based on route consolidation policies, the merge sets are sent to the notification management system. Then, the notification management system sends alert notifications to the specified recipients by using the specified notification methods. The recipients can be users, user groups, or on-duty groups. For information about how to configure an action policy, see Create an action policy. |
| webhook integration | The webhook integration feature is used to manage webhook notification methods. When you configure an action policy, you can use the webhooks that you created. Simple Log Service supports DingTalk webhooks, Enterprise WeChat webhooks, Lark webhooks, Slack webhooks, and universal webhooks. For more information, see Create a webhook. |
| alert template | Simple Log Service sends alert notifications based on the content that is specified in alert templates. You can specify text content for each notification method in an alert template. You can also reference template variables to include alert attributes. If you send alert notifications by using webhooks, you can specify notification formats that follow specific protocols. For example, you can specify a content format that meets the requirements of Enterprise WeChat. For more information, see Create an alert template. |
| calendar | The notification management system provides calendars. You can use the global default calendar or a custom calendar. |
| user | Users are recipients who receive alert notifications. The information of a user includes the user ID, username, phone number, and email address. When you configure action policies, you can specify users as recipients of alert notifications. When you manage incidents, you can specify users as incident handlers. For information about how to create a user, see Create a user. |
| user group | A user group is a configuration entity that represents a set of users. The information of a user group includes the user group ID, user group name, and users. Each user group contains one or more users. When you configure action policies, you can specify user groups as recipients of alert notifications. For information about how to create a user group, see Create a user group. |
| on-duty group | An on-duty group is a configuration entity that represents users and user groups. The information of an on-duty group includes the on-duty group ID, on-duty group name, rotating shifts, substitute shifts, and calendar settings. Each on-duty group contains one or more users or user groups. When you configure action policies, you can specify on-duty groups as recipients of alert notifications. For information about how to create an on-duty group, see Create an on-duty group. |
| rotating shift | You can configure rotating shifts for the users or user groups in an on-duty group, and an on-duty group can have multiple rotating shifts. A rotating shift can be based on the days that you specify on the calendar, and it can also cover non-consecutive hours. For more information, see Rotating shifts and substitute shifts. |
| substitute shift | You can configure substitute shifts for the users or user groups in an on-duty group, and an on-duty group can have multiple substitute shifts. For more information, see Rotating shifts and substitute shifts. |
| notification method quota | Simple Log Service allows you to specify a daily quota on the alert notifications that are sent to a recipient by SMS message, voice call, or email. If the number of alert notifications sent to a recipient by a notification method reaches the quota for that day, the recipient no longer receives alert notifications by that method until the next day. For more information, see Configure notification quotas. |