You can configure an alert monitoring rule for query and analysis results. If the conditions of the alert monitoring rule are met, an alert is triggered, and an alert notification is sent. This topic provides an example of how to configure an alert for website access logs in Log Service.

Background information

In this example, the request success ratio and request_time trend charts in the Website Audit Center dashboard are monitored. When the request success ratio is lower than 90% and the response time is longer than 60 seconds, an alert is triggered, and an alert notification is sent to a user group named LogServiceOperations by text message.

Step 1: Create users and a user group

You can create users and user groups and specify them as the recipients of alert notifications. In this example, create two users named Alice and Kumar and a user group named LogServiceOperations. Then, add the two users to the user group.

  1. Log on to the Log Service console.
  2. Go to the User Management page.
    1. In the Projects section, click the name of the project in which you want to configure an alert. In this example, the project name is datalab-12****408-cn-chengdu.
    2. In the left-side navigation pane, click Alerts.
    3. On the Alert Center page, choose Alert Management > User Management.
  3. Create users.
    1. Click Add Users.
    2. On the Add Users tab, enter the information about the users that you want to add and click OK.

      The following table describes the parameters and provides examples of parameter values.

      # ID,Username,Enabled,Country code-mobile phone number,Receive text message,Receive phone call
      1001,Kumar,true,86-1381111*****,true,true
      1002,Alice,true,86-1381111*****,true,true

      Parameter: ID
      Description: The ID of the user. The ID must be unique. The ID must meet the following requirements:
      • The ID must start with a letter.
      • The ID must be 5 to 60 characters in length.
      • The ID can contain digits, letters, underscores (_), hyphens (-), and periods (.).
      Example: 1001 and 1002

      Parameter: Username
      Description: The name of the user. The name must be 1 to 20 characters in length. The name cannot contain the following characters:

      "\$|~?&<>{}`'

      Example: Kumar and Alice

      Parameter: Enabled
      Description: Specifies whether to allow Log Service to send alert notifications to the user.
      • true: Log Service is allowed to send alert notifications to the user.
      • false: Log Service is not allowed to send alert notifications to the user.
      Example: true

      Parameter: Country code-mobile phone number
      Description: The country code and phone number of the user. The country code can contain only digits and must be 1 to 4 characters in length.
      Example: 86-1381111***** and 86-1381112*****

      Parameter: Receive Text Message
      Description: Specifies whether to allow Log Service to send text messages to the phone number.
      • true: Log Service is allowed to send text messages to the phone number.
      • false: Log Service is not allowed to send text messages to the phone number.
      Example: true

      Parameter: Receive Phone Call
      Description: Specifies whether to allow Log Service to call the phone number.
      • true: Log Service is allowed to call the phone number.
      • false: Log Service is not allowed to call the phone number.
      Example: true
  4. Create a user group.
    1. On the Alert Center page, choose Alert Management > User Group Management.
    2. On the User Group Management tab, click Create.
    3. In the Add User Group dialog box, configure the parameters and click OK.

      The following table describes the parameters and provides examples of parameter values.

      Parameter: ID
      Description: The ID of the user group. The ID must be unique. The ID must meet the following requirements:
      • The ID must start with a letter.
      • The ID must be 5 to 60 characters in length.
      • The ID can contain digits, letters, underscores (_), hyphens (-), and periods (.).
      Example: group-01

      Parameter: Group Name
      Description: The name of the user group. The name can be up to 20 characters in length. The name cannot contain the following special characters:

      \$|~?&<>{}`'"

      Example: LogServiceOperations

      Parameter: Available Members
      Description: The users that you created.
      Example: Kumar and Alice

      Parameter: Selected Members
      Description: The users that you added to the user group.
      Example: Kumar and Alice

      Parameter: Enabled
      Description: Specifies whether to allow Log Service to send alert notifications to the user group.
      • If you turn on Enabled, Log Service is allowed to send alert notifications to the user group.
      • If you turn off Enabled, Log Service is not allowed to send alert notifications to the user group.
      Example: Enabled: turned on

Step 2: Configure an alert monitoring rule for logs

You can configure an alert monitoring rule to monitor the query and analysis results of logs. For example, you can configure an alert monitoring rule to monitor the request success ratio and request_time trend charts. When the request success ratio is lower than 90% and the response time is longer than 60 seconds, an alert is triggered.

  1. Choose Log Storage > Logstores. On the Logstores tab, click the Logstore that you want to view.
  2. On the Search & Analysis page, choose Save as Alert > New Version Alert.
  3. In the Alert Monitoring Rule panel, configure the parameters and click OK.

    The following table describes the parameters and provides examples of parameter values.

    Parameter: Rule Name
    Description: Specify the name of the alert monitoring rule.
    Example: Website Logs_Alert Monitoring Rule

    Parameter: Check Frequency
    Description: Specify the frequency at which query and analysis results are checked.
    • Hourly: Query and analysis results are checked every hour.
    • Daily: Query and analysis results are checked at a specified point in time every day.
    • Weekly: Query and analysis results are checked at a specified point in time on a specified day of each week.
    • Fixed Interval: Query and analysis results are checked at a specified interval.
    • Cron: Query and analysis results are checked at an interval that is specified by a cron expression.

      A cron expression can specify an interval that is accurate to the minute. The cron expression is based on the 24-hour clock. For example, 0 0/1 * * * indicates that query and analysis results are checked at an interval of 1 hour from 00:00.

    Example: Daily, 00:00

    Parameter: Query Statistics
    Description: Specify a query statement.

    If you specify multiple query statements, you can configure the Set Operations parameter to associate the query and analysis results of the statements. For more information, see Multi-set operations.

    Example:
    • 0: Select the request success ratio chart of the Website Audit Center dashboard.
    • 1: Select the request_time trend chart of the Website Audit Center dashboard.
    • Set the Set Operations parameter to CROSS JOIN.

    Parameter: Group Evaluation
    Description: Log Service can group query and analysis results.
    • If you set this parameter to Custom Tag, Log Service groups query and analysis results based on the fields that you configure. After Log Service groups the query and analysis results, Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.

      You can configure multiple fields, and the fields are separated by commas (,).

    • If you set this parameter to No Grouping, only one alert is triggered in each check period when the trigger condition is met.
    • If you set this parameter to Auto Tag, Log Service automatically groups the query and analysis results of time series data.
    Example: No Grouping

    Parameter: Trigger Condition
    Description: Specify the trigger condition and severity of an alert.
    • Trigger condition
      • Data is returned: If data is returned in the query and analysis results, an alert is triggered.
      • the query result contains: If the query and analysis results contain N data entries, an alert is triggered.
      • data matches the expression: If the query and analysis results contain data that matches a specified expression, an alert is triggered.
      • the query result contains: If the query and analysis results contain N data entries that match a specified expression, an alert is triggered.
    • Severity

      This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add severity-based conditions. For more information, see Specify severity levels for alerts.

      • If you specify a trigger condition, you can specify a severity for the condition. In this case, all alerts that are triggered based on the alert monitoring rule have the same severity.
      • If you specify more than one trigger condition, you can specify a severity for each condition. You can click Create to specify more trigger conditions.

    For more information about the syntax of conditional expressions in alert monitoring rules, see Syntax of trigger conditions in alert rules.

    Example:
    • data matches the expression
    • $0.success_ratio <90&&$1.Average response time\(s\) >60
    • Severity: Medium
    Note: If a field contains parentheses (), you must use backslashes (\) to escape the parentheses ().

    Parameter: Add Annotation
    Description: Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are key-value pairs. This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add annotation-based conditions. For more information, see Labels and annotations.

    If you turn on Auto-Add Annotations, fields such as __count__ and __topic__ are automatically added to alerts. For more information, see Auto-Add switch.

    Example:
    • Title: Monitor the request success ratio and average response time of a website
    • Description: Request success ratio: ${success_ratio}, Average response time: ${Average response time(s)}
    • Auto-Add Annotations: turned on

    Parameter: Threshold of Continuous Triggers
    Description: Specify the threshold to trigger an alert. If the number of consecutive times the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.
    Example: 1

    Parameter: Alert Policy
    Description: Alert policies are used to merge, silence, and inhibit alerts.
    • If you select Simple Mode or Standard Mode, you do not need to configure alert policies. In this case, Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts.
    • If you select Advanced Mode, you can select a built-in or custom alert policy to manage alerts. For more information about how to create an alert policy, see Create an alert policy.
    Example: Simple Mode

    Parameter: Action Policy
    Description: Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent.

    If you set Alert Policy to Simple Mode, you need only to configure an action group for this parameter.

    After you configure the action group, Log Service automatically creates an action policy named Rule name-Action policy. Alert notifications are sent based on the action policy for all alerts that are triggered based on the alert monitoring rule. For more information about how to configure alert notification methods, see Notification methods.

    Notice: You can modify an action policy on the Action Policy tab. For more information, see Create an action policy. If you add conditions when you modify an action policy, the value of the Alert Policy parameter is automatically changed to Standard Mode.

    Example:
    • Notification Method: SMS Message
    • Recipient: LogServiceOperations
    • Alert Template: SLS builtin content template
    • Period: Any Time

    Parameter: Repeat Interval
    Description: If duplicate alerts are triggered in the specified period, the action policy that you select is executed only once, and only one alert notification is sent.
    Example: 5 Minutes
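
The following Python sketch is an added example, not Log Service code. It models how the rule configured above behaves: the two result sets are cross-joined, the trigger condition $0.success_ratio < 90 && $1.Average response time(s) > 60 is applied, and then the Threshold of Continuous Triggers and the Repeat Interval decide whether a notification goes out. The function names, the sample rows, the 60-second spacing of the checks, and the assumption that a non-matching check resets the consecutive count are all illustrative.

```python
from itertools import product

def condition(row0, row1):
    # Trigger condition from the rule:
    # $0.success_ratio < 90 && $1.Average response time(s) > 60
    return row0["success_ratio"] < 90 and row1["Average response time(s)"] > 60

def evaluate_check(result0, result1):
    """CROSS JOIN both result sets; return the first matching row pair, else None."""
    for row0, row1 in product(result0, result1):
        if condition(row0, row1):
            return row0, row1
    return None

def run_rule(checks, threshold=1, repeat_interval=300):
    """checks: (epoch_seconds, result0, result1) per check period, oldest first.
    Returns the timestamps at which a notification is sent."""
    streak, last_sent, sent = 0, None, []
    for ts, result0, result1 in checks:
        if evaluate_check(result0, result1) is None:
            streak = 0  # assumption: a non-matching check breaks the consecutive run
            continue
        streak += 1
        if streak < threshold:
            continue  # Threshold of Continuous Triggers not reached yet
        if last_sent is not None and ts - last_sent < repeat_interval:
            continue  # duplicate inside the Repeat Interval: no second notification
        last_sent = ts
        sent.append(ts)
    return sent

# Constructed sample data: one row per query, shaped like the two chart queries.
BAD = ([{"success_ratio": 82.5}], [{"Average response time(s)": 75.0}])
SLOW_ONLY = ([{"success_ratio": 99.1}], [{"Average response time(s)": 75.0}])
FAILING_ONLY = ([{"success_ratio": 82.5}], [{"Average response time(s)": 12.0}])

# Constructed timeline of check periods (seconds since the first check).
CHECKS = [
    (0, *BAD),
    (60, *BAD),
    (120, *SLOW_ONLY),
    (180, *BAD),
    (400, *BAD),
    (460, *FAILING_ONLY),
]

if __name__ == "__main__":
    print(run_rule(CHECKS, threshold=1))  # page's setting: threshold 1, 5-minute repeat
    print(run_rule(CHECKS, threshold=2))
```

Because the condition joins both charts with &&, a period in which only the success ratio drops or only the response time rises sends nothing.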

Step 3: View the alert records

After you configure an alert monitoring rule, Log Service monitors the query and analysis results based on the rule. If the query and analysis results meet the specified trigger condition, an alert is triggered. You can view the alert records on the Monitoring Rule Center tab.

  1. Go to the Global Alert Rule Center page.
    1. In the left-side navigation pane, click Alerts.
    2. On the Alert Center page, choose Alert Management > Monitoring Rule Center.
  2. In the Alert rule latest status section, view the alert monitoring rules that are executed.