All Products
Search
Document Center

Simple Log Service:Create an alert rule for logs

Last Updated:Mar 29, 2024

After you create an alert rule, Simple Log Service checks query and analysis results based on the configurations that you specify in the rule. The configurations include the check frequency and trigger condition. If alerts are triggered, Simple Log Service denoises the alerts and sends alert notifications based on the alert policy and action policy that you specify.

Prerequisites

  • Data is collected.

    Log data and metric data can be collected. For more information, see Data collection overview and Collect metric data from hosts.

    Important Before you can create an alert monitoring rule based on a query statement, you must store logs in a Standard Logstore. For more information, see Manage a Logstore.
  • If log data is collected, you must create indexes for the data. For more information, see Create indexes.

Procedure

  1. Log on to the Simple Log Service console.

  2. In the Projects section, click the project that you want to manage.

    image

  3. In the left-side navigation pane, click Log Storage. In the Logstores list, click the Logstore that you want to manage.

    image

  4. On the query and analysis page, click the 告警图标 icon.

    image

  5. In the Alert Monitoring Rule panel, configure the following parameters and click OK.

    Parameter

    Description

    Rule Name

    Specify the name of the alert rule.

    Check Frequency

    Specify the frequency at which query and analysis results are checked. Valid values:

    • Hourly: Query and analysis results are checked every hour.

    • Daily: Query and analysis results are checked at a specified point in time every day.

    • Weekly: Query and analysis results are checked at a specified point in time on a specified day of each week.

    • Fixed Interval: Query and analysis results are checked at a specified interval.

    • Cron: Query and analysis results are checked at an interval that is specified by a cron expression. For more information about the syntax of cron expressions, see Cron expressions.

      A cron expression can specify an interval that is accurate to the minute. The cron expression is based on the 24-hour clock. For example, 0 0/1 * * * specifies that query and analysis results are checked at an interval of 1 hour from 00:00.

    Query Statistics

    Click the input box. In the Query Statistics dialog box, configure query statement-related settings.

    • Associated Report tab: Select a dashboard to monitor data.

    • Advanced Settings tab:

      • Select a type of data that you want to monitor from the Type drop-down list. Valid values:

        • Logstore: Logs are stored. For more information about query and analysis configurations, see Query and analyze logs.

        • Metricstore: Metrics are stored. For more information about query and analysis configurations, see Query and analyze metric data.

        • Resource Data: The external data that you want to associate with the alert rule can be specified. For more information, see Create resource data.

      • If you set Type to Logstore or Metricstore and specify a query statement, you can specify whether to enable Dedicated SQL. For more information, see Enable Dedicated SQL.

        • Auto: By default, Dedicated SQL is not enabled. If the number of concurrent queries exceeds the upper limit or the query results are inaccurate, Simple Log Service automatically retries the queries by using Dedicated SQL.

        • Enable: Dedicated SQL is enabled for query and analysis.

        • Disable: Dedicated SQL is disabled.

    If you specify multiple query statements, you can configure the Set Operations parameter to associate the query and analysis results of the statements. For more information, see Multi-set operations.

    Group Evaluation

    Simple Log Service can group query and analysis results. For more information, see Use the group evaluation feature. Valid values:

    • Custom Label: Simple Log Service groups query and analysis results based on the fields that you specify. After Simple Log Service groups the query and analysis results, Simple Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.

      You can specify multiple fields.

    • No Grouping: Only one alert is triggered in each check period when the trigger condition is met.

    • Auto Label: If you select Metricstore from the Type drop-down list in the Query Statistics dialog box, Simple Log Service automatically groups query and analysis results. A value of Metricstore specifies that the query and analysis results of metrics are monitored.

      After Simple Log Service groups the query and analysis results, Simple Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.

    Trigger Condition

    Specify the trigger condition and severity of an alert.

    • Trigger condition

      • Data is returned: If data is returned in the query and analysis results, an alert is triggered.

      • the query result contains: If the query and analysis results contain N data entries, an alert is triggered.

      • data matches the expression: If the query and analysis results contain data that matches a specified expression, an alert is triggered.

      • the query result contains and matches: If the query and analysis results contain N data entries that match a specified expression, an alert is triggered.

    • Severity

      This parameter is used to denoise alerts and manage alert notifications. You can add severity-based conditions when you create an alert policy or an action policy. For more information, see Specify severity levels for alerts.

      • If you specify one trigger condition, you can specify a severity for the condition. In this case, all alerts that are triggered based on the alert rule have the same severity.

      • If you specify more than one trigger condition, you can specify a severity for each condition. You can click Create to specify additional trigger conditions.

    For more information about the syntax of conditional expressions in alert rules, see Syntax of trigger conditions in alert rules.

    Add Label

    Simple Log Service allows you to add labels as identifying attributes to alerts. Labels are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add label-based conditions when you create an alert policy or an action policy. For more information, see Labels and annotations.

    Add Annotation

    Simple Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add annotation-based conditions when you create an alert policy or an action policy. For more information, see Labels and annotations.

    If you turn on Auto-Add Annotations, fields such as __count__ are automatically added to alerts. For more information, see Auto-Add switch.

    Recovery Notifications

    If you turn on Recovery Notifications, a recovery alert is triggered each time an alert is cleared. For example, an alert rule is created to monitor the CPU metrics of each host. If the CPU utilization of a host exceeds 95%, an alert is triggered. Then, if the CPU utilization decreases to 95% or less, a recovery notification is sent. For more information, see Recovery notifications.

    Advanced Settings > Threshold of Continuous Triggers

    Specify the threshold at which an alert is triggered. If the number of consecutive times that the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.

    Advanced Settings > No Data Alert

    If you turn on No Data Alert, an alert is triggered when the number of times that no data is returned exceeds the value of Threshold of Continuous Triggers. If multiple query statements are executed, the number of times is counted based on the associated query and analysis results of the query statements. For more information, see No-data alert.

    Destination

    Specify the location to which alerts are sent. You can specify one or more locations. Valid values:

    • Eventstore: Alerts are sent to a specified Eventstore.

    • CloudMonitor Event Center: Alerts are sent to the Event Center of CloudMonitor. Then, CloudMonitor manages the alerts and sends alert notifications.

    • Simple Log Service Notification: Alerts are sent to the notification feature of Simple Log Service. Then, Simple Log Service manages the alerts based on the specified alert policy and action policy.

    Destination - Eventstore

    • Enable: If you turn on Enable, alerts are sent to the Eventstore that you specify.

    • Region: the region of the Eventstore to which alerts are sent.

    • Project: the project of the Eventstore to which alerts are sent.

    • Eventstore: the Eventstore to which alerts are sent.

    • Authorization Method

      • Default Role: Click Authorize. Then, follow the on-screen instructions to complete authorization. This way, the AliyunLogETLRole system role is assumed to send alerts to the Eventstore. For more information, see Default role.

      • Custom Role: A custom role is assumed to send alerts to the Eventstore. Enter the Alibaba Cloud Resource Name (ARN) of the custom role. For more information, see Custom role.

    Destination - CloudMonitor Event Center

    • Enable: If you turn on Enable, alerts are sent to the Event Center of CloudMonitor. For more information, see View system events.

    Destination - Simple Log Service Notification

    • Enable: If you turn on Enable, alerts are sent to the notification feature of Simple Log Service for management and notification.

    • Alert Policy

      Simple Mode

      • By default, Simple Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts.

      • You need to only configure an action group.

        After you configure an action group, Simple Log Service automatically creates an action policy named in the Rule name-Action policy format. Alert notifications are sent based on the action policy for all alerts that are triggered based on the alert rule. For more information, see Notification methods.

        Important

        You can modify an action policy on the Action Policy tab. For more information, see Create an action policy. If you add conditions when you modify an action policy, the value of Alert Policy is automatically changed to Standard Mode.

      Standard Mode

      • By default, Simple Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts.

      • You can select a built-in or custom action policy to send alert notifications. For more information about how to create an action policy, see Create an action policy.

      • Repeat Interval: If duplicate alerts are triggered in the specified period, the action policy that you select is executed only once, and only one alert notification is sent.

      Advanced Mode

      • You can select a built-in or custom alert policy to manage alerts. For more information about how to create an alert policy, see Create an alert policy.

      • You can select a built-in or custom action policy to send alert notifications. For more information about how to create an action policy, see Create an action policy. You can turn on or turn off Custom Action Policy. For more information, see Dynamic action policy mechanism.

      • Repeat Interval: If duplicate alerts are triggered in the specified period, the action policy that you select is executed only once, and only one alert notification is sent.