You can configure an alert monitoring rule for query and analysis results. If the conditions of the alert monitoring rule are met, an alert is triggered and an alert notification is sent. This topic provides an example of how to configure an alert monitoring rule for website access logs in Log Service.

Prerequisites

Simulated Layer 7 access logs of Server Load Balancer (SLB) are imported to Log Service. To import simulated Layer 7 access logs of SLB, log on to the Log Service console. On the Simulated Data Import tab in the Import Data section, select SLB Layer-7 Access Logs - Cloud Products.

Background information

After you import Layer 7 access logs of SLB, Log Service automatically generates a dashboard named SLB Operation Logs and displays the metrics that are related to Layer 7 access logs of SLB on the dashboard. In this example, the request success ratio and request_time trend charts on the SLB Operation Logs dashboard are monitored. If the request success rate is lower than 90% and the response time is greater than 60 seconds, an alert is triggered and an alert notification is sent to a user group named LogServiceOperations by using a text message.

Step 1: Create users and a user group

Users and user groups can be specified as the recipients of alert notifications. In this example, two users named Alice and Kumar and a user group named LogServiceOperations are created. Alice and Kumar are added to the LogServiceOperations user group.

  1. Log on to the Log Service console.
  2. Go to the User Management page.
    1. In the Projects section, click the project that you want to manage.
    2. In the left-side navigation pane, click Alerts.
    3. On the Alert Center page, choose Alert Management > User Management.
  3. Create users.
    1. Click Add Users.
    2. On the Add Users tab, enter the information about the users that you want to add and click OK.

      # ID, Username, Enabled, Country code-phone number, Receive text message, Receive phone call
      10001,Kumar,true,86-1381111*****,true,true
      10002,Alice,true,86-1381111*****,true,true

      The following table describes the parameters and provides examples.

      Parameter: ID
      Description: The ID of the user. The ID must be unique. The ID must meet the following requirements:
      • The ID must start with a letter.
      • The ID must be 5 to 60 characters in length.
      • The ID can contain digits, letters, underscores (_), hyphens (-), and periods (.).
      Example: 10001 and 10002

      Parameter: Username
      Description: The name of the user. The name must be 1 to 20 characters in length. The name cannot contain the following characters: "\$|~?&<>{}`'
      Example: Kumar and Alice

      Parameter: Enabled
      Description: Specifies whether to allow Log Service to send alert notifications to the user.
      • true: Log Service is allowed to send alert notifications to the user.
      • false: Log Service is not allowed to send alert notifications to the user.
      Example: true

      Parameter: Country code-phone number
      Description: The country code and phone number of the user. The country code can contain only digits and must be 1 to 4 characters in length.
      Example: 86-1381111***** and 86-1381112*****

      Parameter: Receive text message
      Description: Specifies whether to allow Log Service to send text messages to the phone number.
      • true: Log Service is allowed to send text messages to the phone number.
      • false: Log Service is not allowed to send text messages to the phone number.
      Example: true

      Parameter: Receive phone call
      Description: Specifies whether to allow Log Service to call the phone number.
      • true: Log Service is allowed to call the phone number.
      • false: Log Service is not allowed to call the phone number.
      Example: true
  4. Create a user group.
    1. On the Alert Center page, choose Alert Management > User Group Management.
    2. On the User Group Management tab, click Create.
    3. In the Add User Group dialog box, set the parameters and click OK.

      The following table describes the parameters and provides examples.

      Parameter: ID
      Description: The ID of the user group. The ID must be unique. The ID must meet the following requirements:
      • The ID must start with a letter.
      • The ID must be 5 to 60 characters in length.
      • The ID can contain digits, letters, underscores (_), hyphens (-), and periods (.).
      Example: group-01

      Parameter: Group Name
      Description: The name of the user group. The name can be up to 20 characters in length. The name cannot contain the following special characters: \$|~?&<>{}`'"
      Example: LogServiceOperations

      Parameter: Available Members
      Description: The users that you created.
      Example: Kumar and Alice

      Parameter: Selected Members
      Description: The users that you added to the user group.
      Example: Kumar and Alice

      Parameter: Enabled
      Description: Specifies whether to allow Log Service to send alert notifications to the user group.
      • If you turn on Enabled, Log Service is allowed to send alert notifications to the user group.
      • If you turn off Enabled, Log Service is not allowed to send alert notifications to the user group.
      Example: Enabled: turned on

Step 2: Create an alert monitoring rule for logs

Alert monitoring rules are used to monitor the query and analysis results of logs. For example, you can create an alert monitoring rule to monitor the request success ratio and request_time trend charts. If the request success rate is lower than 90% and the response time is greater than 60 seconds, an alert is triggered.

  1. Choose Log Storage > Logstores. On the Logstores tab, click the Logstore that you want to view.
  2. On the Search & Analysis page, choose Save as Alert > New Version Alert.
  3. In the Alert Monitoring Rule panel, set the parameters and click OK.

    The following table describes the parameters and provides examples.

    Parameter: Rule Name
    Description: The name of the alert monitoring rule.
    Example: Website Logs_Alert Monitoring Rule

    Parameter: Check Frequency
    Description: The frequency at which query and analysis results are checked.
    • Hourly: Query and analysis results are checked every hour.
    • Daily: Query and analysis results are checked at a specified point in time every day.
    • Weekly: Query and analysis results are checked at a specified point in time on a specified day of each week.
    • Fixed Interval: Query and analysis results are checked at a specified interval.
    • Cron: Query and analysis results are checked at an interval that is specified by a cron expression.

      A cron expression can specify an interval that is accurate to minutes. The time is in the 24-hour clock format. For example, 0 0/1 * * * indicates that query and analysis results are checked every hour from 00:00.

    Example: Daily, 00:00

    Parameter: Query Statistics
    Description: Click the field. In the Query Statistics dialog box, set the parameters of a query statement.
    • Associated Report: On this tab, you can select a dashboard to monitor data.
    • Advanced Settings: On the Advanced Settings tab, you can select Logstore, Metricstore, or Resource Data from the Type drop-down list to specify the type of data that you want to monitor.
      • Logstore: Logs are stored in Logstores. For information about how to query and analyze logs, see Query and analyze logs.
      • Metricstore: Time series data is stored in Metricstores. For information about how to query and analyze time series data, see Query and analyze time series data.
      • Resource Data: The external data that you want to associate with the alert monitoring rule. For more information, see Create resource data.

    If you specify multiple query statements, you can set the Set Operations parameter to associate the query and analysis results of the specified statements. For more information, see Multi-set operations.

    Example:
    • 0: Select the request success ratio chart on the SLB Operation Logs dashboard.
    • 1: Select the request_time trend chart on the SLB Operation Logs dashboard.
    • Set the Set Operations parameter to CROSS JOIN.

    Parameter: Group Evaluation
    Description: Log Service can group query and analysis results.
    • Custom Label: Log Service groups query and analysis results based on the fields that you specify. After Log Service groups the query and analysis results, Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.

      Separate multiple fields with commas (,).

    • No Grouping: Only one alert is triggered in each check period when the trigger condition is met.
    • Auto Label: If you select Metricstore from the Type drop-down list in the Query Statistics dialog box, Log Service automatically groups query and analysis results. Metricstore indicates that the query and analysis results of time series data are monitored.

      After Log Service groups the query and analysis results, Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.

    Example: No Grouping

    Parameter: Trigger Condition
    Description: The trigger condition and alert severity.
    • Trigger condition
      • Data is returned: If data is returned in the query and analysis results, an alert is triggered.
      • the query result contains: If the query and analysis results contain N data entries, an alert is triggered.
      • data matches the expression: If the query and analysis results contain data that matches a specified expression, an alert is triggered.
      • the query result contains: If the query and analysis results contain N data entries that match a specified expression, an alert is triggered.
    • Severity

      This parameter is used to denoise alerts and manage alert notifications. You can add severity-based conditions when you create an alert policy or an action policy. For more information, see Specify severity levels for alerts.

      • If you specify a trigger condition, you can specify a severity for the condition. In this case, all alerts that are triggered based on the alert monitoring rule have the same severity.
      • If you specify more than one trigger condition, you can specify a severity for each condition. You can click Create to specify more trigger conditions.

    For more information about the syntax of conditional expressions in alert monitoring rules, see Syntax of trigger conditions in alert rules.

    Example:
    • data matches the expression
    • $0.success_ratio <90&&$1.Average response time\(s\) >60
    • Severity: Medium
    Note: If a field contains parentheses (), you must use backslashes (\) to escape the parentheses.

    Parameter: Add Annotation
    Description: Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add annotation-based conditions when you create an alert policy or an action policy. For more information, see Labels and annotations.

    If you turn on Auto-Add Annotations, fields such as __count__ are automatically added to alerts. For more information, see Auto-Add switch.

    Example:
    • Title: Monitor the request success rate and average response time of a website
    • Description: Request success rate: ${success_ratio},Average response time: ${avg_upstream_response_time(s)}
    • Auto-Add Annotations: turned on

    Parameter: Threshold of Continuous Triggers
    Description: Specify the threshold to trigger an alert. If the number of consecutive times that the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.
    Example: 1

    Parameter: Alert Policy
    Description: Alert policies are used to merge, silence, and inhibit alerts.
    • If you select Simple Mode or Standard Mode, you do not need to configure an alert policy. By default, Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts.
    • If you select Advanced Mode, you can select a built-in or custom alert policy to manage alerts. For information about how to create an alert policy, see Create an alert policy.
    Example: Simple Mode

    Parameter: Action Policy
    Description: Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent.
    • If you set the Alert Policy parameter to Simple Mode, you need to configure only an action group for this parameter.

      After you configure an action group, Log Service automatically creates an action policy whose name is in the Rule name-Action policy format. Alert notifications are sent based on the action policy for all alerts that are triggered based on the alert monitoring rule. For information about how to configure alert notification methods, see Notification methods.

      You can also turn on Enable Intelligent Merging to group and merge duplicate, redundant, or relevant alerts into a group. Log Service sends only one alert notification for each group in a specified period of time. This helps you denoise alerts. For more information, see Intelligent grouping and merging of alerts.

      Notice: You can modify an action policy on the Action Policy tab. For more information, see Create an action policy. If you add conditions when you modify an action policy, the value of the Alert Policy parameter is automatically changed to Standard Mode.
    • If you set the Alert Policy parameter to Standard Mode or Advanced Mode, you can select a built-in or custom action policy to send alert notifications. For information about how to create an action policy, see Create an action policy.

      If you set the Alert Policy parameter to Advanced Mode, you can turn on or turn off Custom Action Policy. For more information, see Dynamic action policy mechanism.

    Example:
    • Notification Method: SMS Message
    • Recipient: LogServiceOperations
    • Alert Template: SLS builtin content template
    • Period: Any Time

    Parameter: Repeat Interval
    Description: If duplicate alerts are triggered in the specified period, the action policy that you select is executed only once, and Log Service sends only one alert notification.
    Example: 5 Minutes
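
The rule configured above (two query results associated by CROSS JOIN, the `$0`/`$1` trigger expression, and the Threshold of Continuous Triggers) can be modelled offline to check which check periods would raise an alert. This is an added example, not Log Service code: it treats CROSS JOIN as a plain Cartesian product, assumes each chart returns rows with the fields named in the trigger condition, assumes a missed check resets the consecutive count, and uses constructed sample values.

```python
from itertools import product

RT = "Average response time(s)"  # field name as used in the trigger condition

# Constructed results for four consecutive check periods (not real SLB data).
# q0 = rows from the request success ratio chart, q1 = rows from request_time.
PERIODS = [
    {"q0": [{"success_ratio": 99.2}], "q1": [{RT: 0.4}]},
    {"q0": [{"success_ratio": 85.0}], "q1": [{RT: 2.0}]},   # only one side is bad
    {"q0": [{"success_ratio": 72.5}], "q1": [{RT: 75.0}]},
    {"q0": [{"success_ratio": 60.0}], "q1": [{RT: 90.0}]},
]


def cross_join(q0, q1):
    """Pair every row of result set 0 with every row of result set 1."""
    return [{"$0": a, "$1": b} for a, b in product(q0, q1)]


def condition(row):
    r"""Python form of: $0.success_ratio <90&&$1.Average response time\(s\) >60"""
    return row["$0"]["success_ratio"] < 90 and row["$1"][RT] > 60


def evaluate(periods, threshold=1):
    """Return the indexes of the check periods in which an alert is triggered."""
    fired, streak = [], 0
    for i, period in enumerate(periods):
        met = any(condition(r) for r in cross_join(period["q0"], period["q1"]))
        # Assumption: a period that misses the condition resets the streak.
        streak = streak + 1 if met else 0
        if met and streak >= threshold:
            fired.append(i)
    return fired


if __name__ == "__main__":
    print(evaluate(PERIODS))               # threshold 1, as in the Example value
    print(evaluate(PERIODS, threshold=2))  # stricter threshold for comparison
    # In this model an empty result set joins to nothing, so no alert can fire.
    print(evaluate([{"q0": [{"success_ratio": 10.0}], "q1": []}]))
```

Under these assumptions, a check period in which one of the two queries returns no rows produces no joined rows and therefore no alert, however low the success ratio is.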

Step 3: View alert records

After you create an alert monitoring rule, Log Service monitors the query and analysis results based on the rule. If the query and analysis results meet the specified trigger condition, an alert is triggered. You can view alert records on the Monitoring Rule Center tab.

  1. Go to the Global Alert Rule Center page.
    1. In the left-side navigation pane, click Alerts.
    2. On the Alert Center page, choose Alert Management > Monitoring Rule Center.
  2. In the Alert rule latest status section, view the alert monitoring rules that are executed.