After you create an alert rule in a project, Log Service creates a Logstore. The Logstore stores the evaluation logs of the alert rules in the project. This topic describes the fields in alert rule evaluation logs.

Fields in the log of an alert rule evaluation

Field Description Example
AlertDisplayName The display name of the alert rule. Test alert rule
AlertID The unique ID of the alert rule execution. 0fdd88063a611aa114938f9371daeeb6-1671a52eb23
AlertName The name of the alert rule. The name is unique within a project. alert-1542111415-153472
Condition The trigger condition of the alert rule. $0.count > 1
Dashboard The dashboard with which the alert rule is associated. my-dashboard
FireCount The accumulative number of evaluations in which the trigger condition is met. The number has accumulated since the last alert notification. 1
Fired Indicates whether an alert was triggered. Valid values: true and false. true
LastNotifiedAt The time when the last alert notification was sent. The value is a Unix timestamp. 1542164541
NotifyStatus The notification status of the alert. Valid values:
  • Success: indicates that alert notifications were sent.
  • Failed: indicates that alert notifications failed to be sent.
  • NotNotified: indicates that no alert notification was sent.
  • PartialSuccess: indicates that some of the alert notifications were sent.
Success
Reason The reason why alert notifications failed to be sent or no notification was sent. result type is not bool
Results The information of the alert rule evaluation. The field is of the array type. For more information, see Subfields in the Results field.
[
  {
    "EndTime": 1542334900,
    "FireResult": null,
    "LogStore": "test-logstore",
    "Query": "* | select count(1) as count",
    "RawResultCount": 1,
    "RawResults": [
      {
        "__time__": "1542334840",
        "count": "0"
      }
    ],
    "StartTime": 1542334840
  }
]
Status The status of the alert rule evaluation. Valid values: Success and Failed. Success

Subfields in the Results field

Subfield Description Example
Query The query statement in the alert rule. * | select count(1) as count
LogStore The Logstore for which the alert rule is created. my-logstore
StartTime The start time of the query time range. 2019-01-02 15:04:05
StartTimeTs The start time of the query time range. The value is a Unix timestamp. 1542334840
EndTime The end time of the query time range. 2019-01-02 15:19:05
EndTimeTs The end time of the query time range. The value is a Unix timestamp. The query time range is [StartTime, EndTime). It means that the query time range includes the start time and excludes the end time. 1542334900
RawResults The query result that is formatted in an array. Each element in the array contains a log entry. An array can contain a maximum of 100 elements.
[
  {
    "__time__": "1542334840",
    "count": "0"
  }
]
RawResultsAsKv The query result that is formatted in key-value pairs.
Note This field can be used as a system variable. However, no data is stored for this field.
[foo:0]
RawResultCount The number of log entries in the query results. 1
FireResult The alert rule evaluation result that is formatted in an array. If no alert is triggered, the parameter value is null.
{
  "__time__": "1542334840",
  "count": "0"
}
FireResultAsKv The alert rule evaluation that is formatted in key-value pairs.
Note This field can be used as a variable. However, no data is stored for this field.
[foo:0]