Log Service provides an alerting feature. You can configure alert rules based on query and analysis results. After you create an alert rule, Log Service checks the results of the associated query statements. If a result meets the trigger condition that you specified in the alert rule, Log Service sends an alert notification.

Limits

The following table describes the limits of the alerting feature in Log Service.

| Item | Description |
| --- | --- |
| Associated query statements | You can associate an alert rule with a maximum of three query statements. |
| Field value size | If a field value exceeds 1,024 characters in length, Log Service extracts only the first 1,024 characters for data processing. |
| Trigger condition | The trigger condition has the following limits: • Each trigger condition must be 1 to 128 characters in length. • If a query result includes more than 100 rows, Log Service only checks whether the first 100 rows meet the trigger condition. • Log Service checks whether a trigger condition is met for a maximum of 1,000 times for the specified query statements. |
| Query time range | The maximum time range that you can specify for each query is 24 hours. |
| Voice calls | If a voice call is not answered, Log Service sends an SMS notification. |

You are charged only once for the voice call regardless of whether the call is answered. The SMS notification does not incur fees.

Query statements in alert rules

You can associate an alert rule with one or more search statements or query statements.
  • A search statement returns the log entries that meet the search condition. For more information, see Log search.
    For example, you can execute the search statement error to search for the log entries that were generated in the previous 15 minutes and contain the keyword error. In this example, a total of 154 log entries are returned. Each log entry consists of key-value pairs. You can set a trigger condition based on the value of a key.
    Note: If the number of returned log entries exceeds 100, Log Service checks only the first 100 log entries. If one of the log entries meets the condition, an alert is triggered.
  • A query statement consists of a search statement and an analytic statement. The analytic statement analyzes the log entries that meet the search condition and returns a result. For more information, see Log analysis.

    For example, the statement * | select sum(case when status='ok' then 1 else 0 end) * 1.0 / count(1) as ratio returns the proportion of the log entries in which the value of the status field is ok. If you set the trigger condition of an alert rule to ratio < 0.9, an alert is triggered if less than 90% of the log entries have the value ok in the status field.
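The following added example (a local Python model, not Log Service code) shows why the 100-row and 1,024-character limits matter for detection rules: a per-row condition on a search result can miss entries past row 100, while the ratio query above returns a single row that covers every entry. It assumes rows are checked in the order returned and that truncation is applied before the condition is evaluated; the condition strings other than ratio < 0.9 are descriptive labels, not Log Service syntax.

```python
# Local model of the documented limits; assumption-based, not Log Service code.
MAX_ROWS = 100             # only the first 100 rows are checked
MAX_FIELD_CHARS = 1024     # longer field values are cut to 1,024 characters
MAX_CONDITION_CHARS = 128  # a trigger condition is 1 to 128 characters long


def visible_rows(rows):
    """Return the rows as the trigger check sees them under the limits."""
    return [
        {k: (v[:MAX_FIELD_CHARS] if isinstance(v, str) else v) for k, v in row.items()}
        for row in rows[:MAX_ROWS]
    ]


def alert_fires(rows, condition_text, predicate):
    """True if any visible row satisfies the predicate (model of the check)."""
    if not 1 <= len(condition_text) <= MAX_CONDITION_CHARS:
        raise ValueError("trigger condition must be 1 to 128 characters")
    return any(predicate(row) for row in visible_rows(rows))


def ok_ratio(rows):
    """Model of the ratio query from the text: one result row for all entries."""
    ok = sum(1 for r in rows if r["status"] == "ok")
    return [{"ratio": ok * 1.0 / len(rows)}]


# Constructed sample: 154 entries; the first 100 are healthy, the last 54 fail.
LOGS = [{"status": "ok", "message": "request served"} for _ in range(100)]
LOGS += [{"status": "fail", "message": "upstream error"} for _ in range(54)]

# Per-row condition on a search result: every failing row sits past row 100.
ROW_ALERT = alert_fires(LOGS, "status is fail", lambda r: r["status"] == "fail")

# Aggregated condition: the single result row reflects all 154 entries.
RATIO_ALERT = alert_fires(ok_ratio(LOGS), "ratio < 0.9", lambda r: r["ratio"] < 0.9)

# Truncation: a keyword after character 1,024 is invisible to the condition.
LONG = [{"status": "ok", "message": "x" * 1024 + "error"}]
TRUNC_ALERT = alert_fires(LONG, "message has error", lambda r: "error" in r["message"])

if __name__ == "__main__":
    print(ROW_ALERT, RATIO_ALERT, TRUNC_ALERT)
```

For rules that must not miss events, aggregate in the analytic statement so the result fits in the rows that are checked, and match on short fields rather than on long message bodies.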