The alerting module is upgraded to support alert monitoring, alert management, and notification management. This topic compares the old and new versions of the alerting module in terms of the architecture, features, and configurations.
Upgraded architecture
In the new version, if alerts are triggered based on an alert monitoring rule, these alerts are denoised based on a specified alert policy. Then, the alerts are dispatched by using the notification methods that are specified in the action policy. The alerting module can also be used to manage alert incidents and escalate alerts.
Old workflow
New workflow
Upgraded features
The upgraded features include optimized features and new features.
Optimized features
Feature | Old version | New version |
Log monitoring | If data is returned for a query, an alert is triggered. | You can specify whether to trigger an alert if data is returned for a query. |
 | If a specified condition is met, an alert is triggered. | You can specify whether to trigger an alert if the number of returned data entries reaches a specified value. |
Time series data monitoring | If data is returned for a query, an alert is triggered. The syntax of search and analytic statements is complex. | You can specify whether to trigger an alert if data is returned for a query. You can also specify whether to trigger an alert if the number of returned data entries reaches a specified value. |
 | If data is returned for a query, an alert is triggered. | You can specify whether to trigger an alert if data is returned for a query. |
 | If a specified condition is met, an alert is triggered. | You can specify whether to trigger an alert if the number of returned data entries reaches a specified value. |
 | Union queries are not supported. | Union queries are supported. |
Report association | When you create an alert monitoring rule, you must associate the rule with at least one chart. | When you create an alert monitoring rule, you do not need to associate the rule with a chart. |
Associated monitoring of Logstores or Metricstores | When you perform a union query, you can use only the CROSS JOIN and No Merge operations. | When you perform a union query, you can use various set operations. The set operations include CROSS JOIN, No Merge, JOIN, LEFT JOIN, RIGHT JOIN, FULL JOIN, LEFT EXCLUDE JOIN, and RIGHT EXCLUDE JOIN. |
Alert deduplication | In a time window, the duplicate alerts that are triggered based on the same alert monitoring rule are removed. | Duplicate alerts can be removed based on specified labels. You can also specify the frequency at which alert notifications are sent. |
New features
The following table describes the new features in terms of alert monitoring, alert management, notification management, and alert analysis.
Category | Feature | Description |
Alert monitoring | Associated monitoring for Logstores and Metricstores | You can use SQL JOIN clauses or set operations to perform associated monitoring based on query results. |
 | Blacklist and whitelist monitoring | You can use resource data to associate whitelist or blacklist objects. |
 | Associated monitoring for data | You can use set operations on data across projects, regions, and Alibaba Cloud accounts. For more information, see Multi-set operations. |
 | Alert severity | You can configure static or dynamic settings for alert severities. You can also specify the severity for a no-data alert. For more information, see Specify severity levels for alerts. |
 | Label and annotation | You can customize labels and annotations. You can set a label value to a variable. For more information, see Labels and annotations. |
 | Multi-group monitoring | You can group query results that are obtained based on an alert monitoring rule. Each group is evaluated. Alert notifications are sent by group. For more information, see Use the group evaluation feature. |
 | No-data alert | If no data is returned for a query, an alert is triggered and an alert notification is sent. The incident status can be automatically switched and displayed. You can specify notification methods. For more information, see No-data alert. |
 | Alert clearance | If an alert is cleared, a recovery notification is sent. The incident status can be automatically switched and displayed. You can specify notification methods. For more information, see Recovery notifications. |
Alert management | Alert denoising | You can manage global alerts. You can configure silence policies and suppression policies for alerts. You can also group and merge alerts. For more information, see Overview. |
 | Alert incident management | You can switch the phases of incidents, specify incident handlers, and configure auto dispatch of incident handlers. For more information, see Alert incident management. |
Notification management | Dynamic dispatch | You can configure dynamic dispatch based on alerts. Then, alert notifications can be dynamically dispatched to the specified users, user groups, or on-duty groups of a specified notification method. For more information, see Manage methods to send alert notifications. |
 | Recipient management | You can specify users, user groups, or on-duty groups as recipients. For more information, see Create users and user groups and Create an on-duty group. |
 | Calendar | Non-business days, business days, and holidays in China and the United States can be automatically identified to dynamically adjust notification methods. For more information, see Reset the calendar. |
 | Shift plan | You can schedule rotating shifts and substitute shifts based on your business requirements. You can configure a custom calendar for an on-duty group. You can customize holidays. Custom holidays can be automatically identified. For more information, see Rotating shifts and substitute shifts. |
 | Notification method quota | You can specify the quotas of SMS messages, voice calls, and emails. You can also specify these quotas for specified users or user groups. For more information, see Alert notification quotas. |
Alert analysis | Monitoring Rule Center, Alert Link Center, and Troubleshooting Center dashboards | The Monitoring Rule Center dashboard displays the running statuses of alert monitoring rules and the statuses of alerts. The Alert Link Center dashboard displays the entire pipeline of alerts that are triggered based on the related alert monitoring rules. The Troubleshooting Center dashboard displays the statistics of errors that occur in the alert monitoring system, alert management system, and notification management system. You can filter and view alert statuses by region, project, and alert severity. |
 | Global storage | The global storage of alert data allows you to view related incidents or logs in an efficient manner. |
Parameter changes
The parameters that are required when you configure alerts, notification methods, and alert template variables are changed.
Alert monitoring
After the alerting module is upgraded, the parameters described in the following table are added. Other parameters remain unchanged.
Parameter | Default value |
Group Evaluation | No Grouping |
Set Operations | CROSS JOIN |
Trigger Condition | Data is returned |
Severity | Medium |
No Data Alert | Off |
Recovery Notifications | Off |
Notification management
After the alerting module is upgraded, a mobile number or email address is extracted as a user identifier to create a user, and the content of a notification is extracted and used as the content of an alert template. An action policy is generated based on the specified notification method. By default, the sls.builtin.dynamic policy is used.
Note: The same mobile number or email address of a notification method automatically matches the related user that is upgraded. The user is then used to send alert notifications.
The same notification content of a notification method automatically matches the related alert template that is upgraded. The alert template is then used to send alert notifications.
The same notification method automatically matches the related action policy that is upgraded. The action policy is then used to send alert notifications.
Notification method | New version | Old version |
SMS message | Username + Mobile number + Alert template | Mobile number + Content |
Voice call | Username + Mobile number + Alert template | Mobile number + Content |
Email | Username + Email address + Alert template | Email address + Content |
DingTalk | Username + Mobile number + Alert template | Request URL + @Mobile number in DingTalk + Content |
Alert template variables
In the new version, the alert template variables are adjusted to be consistent with the variables that are used in alert policies, and multiple variables are added. The following table compares the variables in the old and new versions.
Variable in the old version | Variable in the new version | Description |
Aliuid | aliuid | The ID of the Alibaba Cloud account to which a project belongs. |
Project | project | The project to which an alert rule belongs. |
AlertID | alert_instance_id | The ID of an alert. |
AlertDisplayName | alert_name | The display name of an alert rule. |
Condition | condition | The conditional expression that triggers an alert. The variables in the trigger condition are replaced by the values that trigger the alert. Each value is enclosed in a pair of brackets []. |
RawCondition | raw_condition | The original conditional expression that triggers an alert. |
Dashboard | dashboard | The name of the dashboard that is associated with an alert rule. |
DashboardUrl | dashboard_url | The URL of the dashboard that is associated with an alert rule. |
FireTime | fire_time | The time when an alert is triggered. |
FullResultUrl | query_url | The URL that is used to query the details of an alert. |
Results | results | The parameters and results of a query. The value is of the array type. For information about the fields in the results variable, see the Structure of the results variable section in this topic. Note: The results variable can contain the information of up to 100 alerts. |
For more information, see Template variables and Variables in original alert templates.
Structure of the results variable
Field in the old version | Field in the new version | Description |
Query | query | A query statement. |
LogStore | store | The destination Logstore of a query. |
StartTime | start_time | The time when a query starts. |
StartTimeTs | start_time_ts | The time when a query starts. The time is in the UNIX timestamp format. |
EndTime | end_time | The time when a query ends. |
EndTimeTs | end_time_ts | The time when a query ends. The time is in the UNIX timestamp format. |
RawResults | raw_results | The query result that is formatted in an array. Each element in the array is a log entry. The length of the array varies based on the size of log content. An array can contain a maximum of 100 elements. |
RawResultsAsKv | raw_results_as_kv | The query result that is formatted in key-value pairs. Note: This field can only be used as a template variable. However, no data is stored to a Logstore for this field. |
RawResultCount | raw_result_count | The number of raw log entries that are returned. |
FireResult | fire_result | The log entry that records the triggers of an alert. If no alert is triggered, the parameter value is null. |
FireResultAsKv | fire_result_as_kv | The log entry that records the triggers of an alert. The log entry is formatted in key-value pairs. Note: This field can only be used as a template variable. However, no data is stored to a Logstore for this field. |
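The two renaming tables above (alert template variables and the fields of the results variable) can be applied to existing notification content with a small script. The following is an added example, not code from the product or its documentation. It renames old-version names only inside placeholders, so ordinary words such as "Project" in the message text are left alone, and it reports names that appear in neither column. The `${...}` placeholder syntax, the function name `migrate_template`, and the sample template are assumptions made for illustration.

```python
import re

# Old -> new names, copied from the two comparison tables on this page.
RENAMES = {
    "Aliuid": "aliuid", "Project": "project", "AlertID": "alert_instance_id",
    "AlertDisplayName": "alert_name", "Condition": "condition",
    "RawCondition": "raw_condition", "Dashboard": "dashboard",
    "DashboardUrl": "dashboard_url", "FireTime": "fire_time",
    "FullResultUrl": "query_url", "Results": "results",
    # Fields inside each element of the results array.
    "Query": "query", "LogStore": "store", "StartTime": "start_time",
    "StartTimeTs": "start_time_ts", "EndTime": "end_time",
    "EndTimeTs": "end_time_ts", "RawResults": "raw_results",
    "RawResultsAsKv": "raw_results_as_kv", "RawResultCount": "raw_result_count",
    "FireResult": "fire_result", "FireResultAsKv": "fire_result_as_kv",
}
# ASSUMPTION: placeholders are written as ${...}; the page does not show the syntax.
PLACEHOLDER = re.compile(r"\$\{([^{}]*)\}")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def migrate_template(template):
    """Rename old variables inside placeholders; return (text, unknown names)."""
    new_names = set(RENAMES.values())
    unknown = []

    def rename_ident(m):
        name = m.group(0)
        if name in RENAMES:
            return RENAMES[name]
        if name not in new_names and name not in unknown:
            unknown.append(name)  # in neither table column: review by hand
        return name

    def rewrite(m):
        # Whole identifiers are matched, so RawCondition never becomes Rawcondition.
        return "${" + IDENT.sub(rename_ident, m.group(1)) + "}"

    return PLACEHOLDER.sub(rewrite, template), unknown

# Constructed sample template (not taken from the page).
OLD_TEMPLATE = (
    "Project ${Project}: rule ${AlertDisplayName} fired at ${FireTime}\n"
    "Condition: ${Condition}\n"
    "Query ${Results[0].Query} on ${Results[0].LogStore}, owner ${Owner}"
)

if __name__ == "__main__":
    migrated, review = migrate_template(OLD_TEMPLATE)
    print(migrated)
    print("needs review:", review)
```

Names returned in the second value, such as the constructed `Owner` above, are not listed in either table and have to be checked against the product's template variable reference before the template is reused.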