Application Real-Time Monitoring Service: Integrate Simple Log Service alerts

Last Updated: Jan 03, 2024

This topic describes how to integrate alerts that are generated in Simple Log Service into the Alert Management sub-service of Application Real-Time Monitoring Service (ARMS).

Background information

You can use webhooks to integrate alerts that are generated in Simple Log Service into Alert Management. This way, you can use Alert Management to handle the alerts in a centralized manner.

You can use one of the following methods to integrate alerts that are generated in Simple Log Service into Alert Management:

Create an integration and integrate Simple Log Service alerts

  1. Log on to the ARMS console. In the left-side navigation pane, choose Alert Management > Integrations.
  2. On the Alert Integrations tab of the Integrations page, click Log Service.

  3. In the dialog box that appears, enter the name and description of the integration, and specify the automatic recovery time of alert events.

    Note: If an alert event is not triggered again within the specified period of time, the alert event is automatically cleared.
  4. The All Projects list of the Projects Enabling Alert Events section displays all the Simple Log Service projects that belong to your Alibaba Cloud account. Select the projects whose alerts you want to integrate, click the right_arrow icon, and then click Save.

    Note

    ARMS automatically traverses all alert rules that are configured for the selected projects and changes the request URLs of all the rules to https://alerts.aliyuncs.com/api/v1/cm/callback/{{token}}. {{token}} specifies the key that is automatically created when you create an integration.

    After you complete the preceding operations, you can view the Simple Log Service integration that you created on the Alert Integrations tab.
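
The request URL above carries the integration key in its path, so the key travels wherever the URL is copied (exported rule configurations, tickets, proxy logs). The following Python check is an added example, not part of the original topic or of ARMS: it finds callback URLs in text, masks the key, and reports a short fingerprint per key so that you can tell which integration needs the Update Key operation. The token character set and the sample input are assumptions.

```python
import hashlib
import re

# URL format taken from this page; the token character set is an assumption.
CALLBACK_RE = re.compile(
    r"(https://alerts\.aliyuncs\.com/api/v1/cm/callback/)([A-Za-z0-9_-]+)"
)


def fingerprint(token):
    """Short one-way identifier, so findings can be compared without showing the key."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def scan_and_redact(text):
    """Return (redacted_text, findings); findings are (line_number, fingerprint)."""
    findings, out = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        def mask(match, line_no=line_no):
            findings.append((line_no, fingerprint(match.group(2))))
            return match.group(1) + "<redacted>"
        out.append(CALLBACK_RE.sub(mask, line))
    return "\n".join(out), findings


# Constructed sample: a config line, the documentation placeholder, and two
# proxy log lines. The tokens are made up.
SAMPLE = """\
webhook_url = https://alerts.aliyuncs.com/api/v1/cm/callback/EXAMPLEtoken0001
docs: https://alerts.aliyuncs.com/api/v1/cm/callback/{{token}}
POST https://alerts.aliyuncs.com/api/v1/cm/callback/EXAMPLEtoken0001 200
POST https://alerts.aliyuncs.com/api/v1/cm/callback/EXAMPLEtoken0002 200
"""

if __name__ == "__main__":
    redacted, hits = scan_and_redact(SAMPLE)
    print(redacted)
    for line_no, fp in hits:
        print(f"line {line_no}: key fingerprint {fp}")
```

The {{token}} placeholder is left untouched because it is not a real key; identical fingerprints on different lines point to the same integration.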

Integrate the specified alert rules of Simple Log Service

Important

You can integrate specified alert rules only into an existing Simple Log Service integration.

  1. On the Alert Integrations tab of the Integrations page, find the Simple Log Service integration into which you want to integrate specified alert rules, and copy the URL of the integration.

  2. Log on to the Simple Log Service console.

  3. In the Projects section, click the name of the project whose alert rules you want to integrate. In the left-side navigation pane, click the vet icon.

  4. On the Alert Center page, choose Notification Objects > Webhook Integration. On the Webhook Integration tab, click Create.

  5. In the dialog box that appears, add a webhook for Alert Management. Set the Name parameter to Alert Management and the Type parameter to Universal Webhook. Then, configure other parameters as prompted.

  6. On the Alert Center page, choose Notification Policy > Alert Template. On the Alert Template tab, find an alert template and click Edit in the Actions column. In the dialog box that appears, click the Webhook-Custom tab, enter the following content, and then click Confirm.

    {
      "uid": "{{ alert.aliuid }}",
      "project": "{{ alert.project }}(https://sls.console.aliyun.com/#/project/{{ alert.project }}/categoryList)",
      "trigger": "{{ alert.alert_name }}",
      "condition": "{{ alert.condition }}",
      "context": "{{ alert.results[0].raw_results }}",
      "message": " [Uid] {{ alert.aliuid }}\n\n>  [Project] [{{ alert.project }}](https://sls.console.aliyun.com/#/project/{{ alert.project }}/categoryList)\n\n> [Trigger] {{ alert.alert_name }}\n\n> [Condition] {{ alert.condition }}\n\n> [Message] Notification Content\n\n> [Context] {{ alert.results[0].raw_results }}\n\n> [View Details]({{ alert.query_url }})"
    }
  7. On the Alert Center page, click the Alert Rule tab. On the Alert Rule tab, find the alert rule that you want to modify and click Edit in the Actions column. In the panel that appears, expand Advanced Settings. Set the Destination parameter to Simple Log Service Notification, set the Alert Policy parameter to Simple Mode, and configure the notification method for the webhook as prompted. Then, click OK.

Modify the integration

Alert Management provides field mappings between Grafana alert sources and ARMS alert events. You can also add or modify the mappings between fields on the Edit Integration page.

  1. On the Alert Integration tab, find the integration that you want to manage and click Edit in the Actions column.
  2. In the Event Mapping section, click Send Test Data.
  3. In the Send Test Data dialog box, enter the alert content of a third-party alert source in the JSON format and click Send.
    Note
    • If the message "Uploaded. No events are generated. Configure mappings based on the original data." appears, the fields of the alert source are not mapped to the fields of ARMS alert events. The data that is sent is displayed in the left-side box. This allows you to select the source fields when you configure mappings.
    • If the message "Uploaded." appears, the alert content is reported to the Alert Event History page. For more information, see View historical alert events.
  4. In the Send Test Data dialog box, click Disable.
  5. In the left part of the Event Mapping section, click the data records for which you want to configure mappings to view the details.
  6. In the right part of the Event Mapping section, configure field mappings between the alert source and ARMS.
    1. Optional: In the Select Root Node section, specify whether to enable batch processing.
      If an array node exists in the alert data, you can specify the array node as the root node. The data that belongs to the root node is processed in batches.

      After you select Use Batch Processing, select the array node to be batch processed as the root node.

      Note: If multiple array nodes exist in the alert data, you can select only one of the array nodes for batch processing.
    2. Optional: Select Configure Alert Recovery Events and configure field conditions for clearing alerts.
      After ARMS receives events, it searches for alerts that contain specified field values and clears these alerts. The field that you specify to clear alerts must be a field that is equivalent to the alert severity in the event. You cannot use the $.severity field to clear alerts. For example, if the field that you specify to clear alerts is {$.eventType ="resolved"}, the system automatically clears all alerts whose value of eventType is resolved in the integration.
    3. In the Map Source Fields to Target Fields section, map the fields of the alert source to the alert fields of ARMS.
      Click the mapping icon to change the method for field mapping.
      • Direct: The specified field of the alert source is directly mapped to the specified alert field of ARMS.
      • Series: You can use delimiters to concatenate multiple fields of the alert source into one field, and then map this field to the specified alert field of ARMS. Only special characters can be used as delimiters.
      • Conditional: The specified alert source fields are mapped to the ARMS alert fields only when the field values meet the specified conditions.
      • Mapping table: The alert source severity is mapped to the ARMS alert severity. The mapping table contains only the severity field.

      The following table describes the alert fields of ARMS.

      | Alert field | Description |
      | --- | --- |
      | alertname | The name of the custom alert. |
      | severity | The severity level of the alert. You must configure mappings for this field. The mapping method must be set to Direct. |
      | message | The description of the alert. The description is used as the content of the alert message. The description cannot exceed 15,000 characters in length. |
      | value | The sample value of a metric. |
      | imageUrl | The URL of the line chart that contains Grafana metrics. The URL is used to map the line chart. |
      | check | The check item of the alert. Examples: CPU, JVM, Application Crash, and Deployment. |
      | source | The source of the alert. |
      | class | The type of the object that triggers the alert event, for example, host. |
      | service | The source service of the alert. Example: Login Service. |
      | startat | The timestamp that represents the start time of the event. |
      | endat | The timestamp that represents the end time of the event. |
      | generatorUrl | The URL of the event details. |
  7. Configure field deduplication for alert events.
    To reduce duplicate data, the system uses relevant fields as the basis for deduplication. ARMS Alert Management allows you to preview the deduplication grouping results of historical event data that is displayed in the Event Mapping section. You can change the fields to be deduplicated.
    Note: You can configure deduplication only for events that are not cleared.
    1. In the Event Deduplication section on the Integration Details page, select the fields that are used for deduplication.
      If multiple events have the same value for a specified field, the events are merged into one alert notification.
    2. Click Deduplication Test to preview the alert group after deduplication.
      Note: The deduplication test takes effect only on the latest 10 data records that are uploaded in the left part of the Event Mapping section.
  8. After you configure the settings, click Save.
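
To reason about which fields to map and deduplicate on before you save, the following Python sketch models the settings described in steps 6 and 7: the Direct, Series, and Conditional mapping methods, a recovery condition such as $.eventType = "resolved", and grouping by the deduplication fields. It is an added example and a simplified local model, not ARMS code, and the page does not show how ARMS evaluates these settings internally. The sample events follow the Webhook-Custom template above, with two assumed extra fields, level and eventType.

```python
def get(event, path):
    """Resolve a '$.a.b' path against nested dicts; None when a key is missing."""
    node = event
    for key in path[2:].split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def map_event(event, rules):
    """Apply Direct / Series / Conditional rules; returns ARMS-style alert fields."""
    alert = {}
    for target, (method, *args) in rules.items():
        if method == "direct":
            alert[target] = get(event, args[0])
        elif method == "series":  # join several source fields with a delimiter
            alert[target] = args[1].join(str(get(event, p)) for p in args[0])
        elif method == "conditional" and get(event, args[1]) == args[2]:
            alert[target] = get(event, args[0])  # mapped only if the condition holds
    return alert

def preview(events, rules, recovery, dedup_fields):
    """Return (groups, cleared): dedup groups of mapped alerts, and recovery events."""
    groups, cleared = {}, []
    for event in events[-10:]:  # the deduplication test covers the latest 10 records
        if get(event, recovery[0]) == recovery[1]:
            cleared.append(event)  # recovery event: excluded from deduplication
            continue
        alert = map_event(event, rules)
        groups.setdefault(tuple(alert.get(f) for f in dedup_fields), []).append(alert)
    return groups, cleared

# Constructed sample data (local model, not ARMS code); "level" and "eventType" are assumed.
BASE = {"uid": "1000000000000001", "project": "demo-project", "eventType": "firing"}
EVENTS = [
    {**BASE, "trigger": "nginx-5xx", "context": "cnt=42", "level": "critical"},
    {**BASE, "trigger": "nginx-5xx", "context": "cnt=57", "level": "critical"},
    {**BASE, "trigger": "disk-usage", "context": "pct=93", "level": "warning"},
    {**BASE, "trigger": "nginx-5xx", "level": "critical", "eventType": "resolved"},
]
RULES = {
    "alertname": ("direct", "$.trigger"),
    "severity": ("direct", "$.level"),
    "source": ("series", ["$.uid", "$.project"], "/"),
    "value": ("conditional", "$.context", "$.level", "critical"),
}
RECOVERY, DEDUP = ("$.eventType", "resolved"), ["alertname", "source"]

if __name__ == "__main__":
    for key, alerts in preview(EVENTS, RULES, RECOVERY, DEDUP)[0].items():
        print(key, "->", len(alerts), "event(s) merged into one notification")
```

Adding a field whose value differs per event, such as value, to DEDUP splits the two nginx-5xx events into separate groups, which is the effect to look for in the Deduplication Test preview.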

View the details about an alert event

  1. In the left-side navigation pane of the ARMS console, choose Alert Management > Alert Event History.
  2. On the Alert Event History page, click the name of the alert event to view the event details. For more information, see View historical alert events.

Add service alerts

If you want to add project alerts to the existing Simple Log Service integration, perform the following steps:

  1. On the Alert Integrations tab of the Integrations page, find the Simple Log Service integration, and choose More > Select Service in the Actions column.

  2. In the Select Project dialog box, select the project that you want to add, click the right_arrow icon, and then click Save.

Manage integrations

In the left-side navigation pane, choose Alert Management > Integrations. On the Alert Integration tab, you can perform the following operations on the integrations that you created:

  • View the details of an integration: Find the integration and then click the row. On the Integration Details page, view the integration details.
  • Update a key: Find the integration and then choose More > Update Key in the Actions column. In the message that appears, click OK.

    Important

    After you update the key, add the alerts of Simple Log Service projects to the integration again. For more information, see Add service alerts.

  • Modify an integration: Find the integration and then click Edit in the Actions column. On the Integration Details page, modify the integration information and then click Save.
  • Enable or disable an integration: Find the integration and then click Disable or Enable in the Actions column.
  • Delete an integration: Find the integration and then click Delete in the Actions column. In the message that appears, click OK.
  • Add an event processing flow to an integration: Find the integration and click Add Event Processing Flow in the Actions column. For more information, see Work with event processing flows.
  • Create a notification policy: Find the integration for which you want to create a notification policy, and click More in the Actions column. In the list that appears, click Create Notification Policy. For more information, see Create and manage a notification policy.

What to do next

After you create a notification policy, the system generates alerts and sends alert notifications for reported alert events based on the notification policy that you created. For more information, see Create and manage a notification policy. On the Alert Sending History page, you can view the alerts that are generated based on the configured notification policy. For more information, see View historical alerts.