You can create alert rules in Log Service to notify specific users when specific events occur on your business. Each alert rule is associated with one or more charts in a dashboard and monitors the query results that are plotted in the charts.
You can create an alert rule for a query statement on the search and analysis page. After the alert rule is created, the chart that plots the query result is automatically created in a specified dashboard. You can also create an alert rule for one or more existing charts in a dashboard. After you create an alert rule, Log Service evaluates the alert rule at an interval by checking the query results of the associated charts. If the query results meet the trigger condition that is specified in the alert rule, Log Service triggers an alert and sends alert notifications.
The following table lists the limits of alert rules in Log Service.
|Associated chart||An alert rule is associated with 1 to 3 charts. This means that Log Service performs a maximum of 3 queries for each alert rule evaluation.|
|Field value size||If the size of a field value exceeds 1,024 characters, Log Service checks only the first 1,024 characters during an alert rule evaluation.|
|Log Service sends a maximum of 100 emails to each email address within 24 hours, for example, from 18:00 on July 19, 2020 to 18:00 on July 20, 2020.|
|Query time range||The length of a query time range cannot exceed 24 hours.|
Query statements in alert rules
- If a query statement consists of only a search statement, the query statement returns
the log entries that meet the search condition.
For example, if the query time range is the most recent 15 minutes, the error statement returns the log entries that are collected in the most recent 15 minutes and contain the error keyword. Each log entry consists of key-value pairs. You can set a trigger condition based on the value of a key.Note During an alert rule evaluation, if a search statement returns more than 100 log entries (for example, 154 log entries are returned), Log Service checks only whether the first 100 log entries meet the trigger condition. If one of the 100 log entries meets the trigger condition, Log Service triggers an alert.
- If a query statement consists of a search statement and an analytic statement, the
query statement analyzes the log entries that meet the search condition and returns
the analysis result.
For example, the * | select sum(case when status='ok' then 1 else 0 end) *1.0/count(1) as ratio statement returns the percentage of the log entries in which the value of the status field is ok. If you set the trigger condition of an alert rule to ratio < 0.9, Log Service triggers an alert when the percentage is less than 90%.