This topic describes how to label alerts for an intelligent inspection task. The intelligent inspection feature of Log Service supports the automated, intelligent, and adaptive inspection of exceptions in log data. After you label alerts for an intelligent inspection task, the task can adjust the inspection model based on your feedback to ensure that you receive only positive alerts.

Prerequisites

Procedure

  1. In the Log Service console, specify DingTalk as the notification channel.
    1. Log on to the Log Service console.
    2. In the Projects section, click the name of the project that you want to view.
    3. In the left navigation sidebar, choose Jobs > Intelligent Inspection.
    4. In the Intelligent Inspection pane, click the intelligent inspection task for which you want to label alerts.
    5. In the upper-right corner of the Intelligent Inspection page, click Modify.
    6. In the Modify Intelligent Inspection Task wizard, click Next twice to go to the Alert Configuration step.
    7. In the Alert Configuration step, select the Simple Mode alert policy, enter the webhook URL in the Request URL field, and then click Complete.

      The Request URL parameter specifies the webhook URL that is generated in the specified DingTalk group. For more information, see Custom webhook URL.

      Note: The intelligent inspection feature provides a built-in alert template named SLS Anomaly Detection Content Template. This alert template is used to render metric charts and provides a channel for your feedback on alerts. DingTalk is a notification channel that can adapt to the frontend. Therefore, we recommend that you specify DingTalk as the notification channel. If you want to receive alerts over a different notification channel, see the "Specify a notification channel rather than DingTalk" section of this topic.

      The following table describes the parameters that you must configure.

      AlertConfig
      | Parameter | Description |
      | --- | --- |
      | Alert Policy | The policy that is used to merge, silence, and denoise alerts. If you select Simple Mode, you do not need to configure an alert policy. By default, Log Service uses the sls.builtin.dynamic alert policy. |
      | Action Policy | The policy that is used to manage the notification channel and the frequency at which Log Service sends alerts. If you select Simple Mode, you need only to configure an action group. After you configure an action group, Log Service creates an action policy named Rule name-Action policy. Log Service uses the action policy to send all alerts that are triggered based on the specified alert rule. For more information, see Notification methods. Notice: You can modify the action policy on the Action Policy tab. For more information, see Create an action policy. If you add evaluation criteria when you modify the action policy, the value of the Alert Policy parameter is automatically changed to Standard Mode. |

    After you configure the preceding parameters, you can receive alerts in the specified DingTalk group.
  2. Label each alert that you receive in the specified DingTalk group.
    • If the alert is positive, click Confirm.
    • If the alert is false, click False Positive.

    The following figure shows a sample alert.

    Alert in DingTalk
    | Parameter | Description |
    | --- | --- |
    | DataSource | The data source that is observed by the intelligent inspection task. |
    | AnomalyObject | The entity that is considered abnormal. |
    | AnomalyScore | The score of the exception that is detected in the specified metric. |
    | AnomalyImage | The trend of the specified metric within one observation length before the detected exception occurs. |

    After you label an alert, your feedback is sent to the intelligent inspection task. The intelligent inspection task can adjust the inspection model based on your feedback to ensure that you receive only positive alerts.

Specify a notification channel rather than DingTalk

If you want to receive and label alerts over a notification channel other than DingTalk, you must configure an alert template for that notification channel.

  1. Parse the alert template that is used for the DingTalk notification channel.

    This alert template contains the following content:

    ## DataSource
    + Project: ${results[0].project}
    + LogStore: ${results[0].store}
    
    ## AnomalyObject
    + Entity: ${labels}
    
    ## AnomalyScore
    + Score: ${annotations.anomaly_score}
    
    ## AnomalyImage
    ![image](${annotations.__plot_image__})
    
    [[Data Details](${query_url})]
    [[Job details](${alert_url})]
    
    [[Confirm](${annotations.__ensure_url__})]
    [[False Positive](${annotations.__mismatch_url__})]

    For more information about the variables in this alert template, see Template variables.

  2. Configure an alert template for the notification channel based on the alert template that is used for the DingTalk notification channel.

    For more information, see Step 2.
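
A check to run on a custom template before you save it in step 2, as an added example that is not part of the original topic: it compares the custom template against the built-in DingTalk template shown above and reports lost feedback links, variables that the built-in template does not use, and dropped context. The function names and the sample custom template are constructed for illustration, and the check assumes the `${...}` placeholder syntax shown on this page.

```python
import re

# Built-in DingTalk template from this page (blank lines dropped).
BUILTIN_TEMPLATE = """\
## DataSource
+ Project: ${results[0].project}
+ LogStore: ${results[0].store}
## AnomalyObject
+ Entity: ${labels}
## AnomalyScore
+ Score: ${annotations.anomaly_score}
## AnomalyImage
![image](${annotations.__plot_image__})
[[Data Details](${query_url})]
[[Job details](${alert_url})]
[[Confirm](${annotations.__ensure_url__})]
[[False Positive](${annotations.__mismatch_url__})]
"""

# Variables behind the Confirm / False Positive links; both are needed for labeling.
FEEDBACK_VARS = {"annotations.__ensure_url__", "annotations.__mismatch_url__"}
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")

def variables(template):
    """Return the set of ${...} variable references found in a template."""
    return {name.strip() for name in PLACEHOLDER.findall(template)}

def lint_template(custom, builtin=BUILTIN_TEMPLATE):
    """Compare a custom template against the built-in one."""
    known, used = variables(builtin), variables(custom)
    return {
        "missing_feedback": sorted(FEEDBACK_VARS - used),  # labeling links lost
        "unknown": sorted(used - known),                   # typos or unlisted names
        "dropped": sorted(known - used - FEEDBACK_VARS),   # alert context left out
    }

# Constructed sample: a plain-text template for another channel, with the
# False Positive link forgotten and one misspelled variable.
CUSTOM_TEMPLATE = """\
Project: ${results[0].project} / LogStore: ${results[0].store}
Entity: ${labels}  Score: ${annotations.anomly_score}
Details: ${query_url}
Confirm: ${annotations.__ensure_url__}
"""

if __name__ == "__main__":
    for kind, names in lint_template(CUSTOM_TEMPLATE).items():
        print(f"{kind}: {names}")
```

A non-empty `missing_feedback` list means recipients on that channel cannot label alerts, so the inspection task receives no feedback from it.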