Overview - Query and visualization| Alibaba Cloud Documentation Center

Overview

Edit in GitHub

Last Updated: Aug 10, 2020 Edit in GitHub

You can create alert rules in Log Service to notify specific users when specific events occur on your business. Each alert rule is associated with one or more charts in a dashboard and monitors the query results that are plotted in the charts.

You can create an alert rule for a query statement on the search and analysis page. After the alert rule is created, the chart that plots the query result is automatically created in a specified dashboard. You can also create an alert rule for one or more existing charts in a dashboard. After you create an alert rule, Log Service evaluates the alert rule at an interval by checking the query results of the associated charts. If the query results meet the trigger condition that is specified in the alert rule, Log Service triggers an alert and sends alert notifications.

Limits

The following table lists the limits of alert rules in Log Service.


Item	Description
Associated chart	An alert rule is associated with 1 to 3 charts. This means that Log Service performs a maximum of 3 queries for each alert rule evaluation.
Field value size	If the size of a field value exceeds 1,024 characters, Log Service checks only the first 1,024 characters during an alert rule evaluation.
Trigger condition	A trigger condition must be 1 to 128 characters in length. During an alert rule evaluation, if a query result includes more than 100 rows, Log Service checks only whether the first 100 rows meet the trigger condition. During an alert rule evaluation, Log Service evaluates the trigger condition for a maximum of 1,000 times.
Email	Log Service sends a maximum of 100 emails to each email address within 24 hours, for example, from 18:00 on July 19, 2020 to 18:00 on July 20, 2020.
Query time range	The length of a query time range cannot exceed 24 hours.

Query statements in alert rules

An alert rule is associated with one or more charts in a dashboard. Each chart plots the result of a query statement. The query statement consists of a search statement and an analytic statement or consists of only a search statement. For more information, see Search syntax.

If a query statement consists of only a search statement, the query statement returns the log entries that meet the search condition.
For example, if the query time range is the most recent 15 minutes, the error statement returns the log entries that are collected in the most recent 15 minutes and contain the error keyword. Each log entry consists of key-value pairs. You can set a trigger condition based on the value of a key.

Note During an alert rule evaluation, if a search statement returns more than 100 log entries (for example, 154 log entries are returned), Log Service checks only whether the first 100 log entries meet the trigger condition. If one of the 100 log entries meets the trigger condition, Log Service triggers an alert.
If a query statement consists of a search statement and an analytic statement, the query statement analyzes the log entries that meet the search condition and returns the analysis result.
For example, the * | select sum(case when status='ok' then 1 else 0 end) *1.0/count(1) as ratio statement returns the percentage of the log entries in which the value of the status field is ok. If you set the trigger condition of an alert rule to ratio < 0.9, Log Service triggers an alert when the percentage is less than 90%.