After you create an alert monitoring rule, Log Service checks query and analysis results based on the settings that you specify in the rule, such as the check frequency and trigger condition. If alerts are triggered, Log Service denoises the alerts and sends alert notifications based on the alert policy and action policy that you select.

Procedure

  1. Log on to the Log Service console.
  2. In the Projects section, click the name of the project that you want to view.
  3. Choose Log Storage > Logstores. On the Logstores tab, click the Logstore that you want to view.
  4. On the Search & Analysis page, choose Save as Alert > New Version Alert.
  5. In the Alert Monitoring Rule panel, configure the parameters and click OK.
    Parameter: Description
    Rule Name: Specify the name of the alert monitoring rule.
    Check Frequency: Specify the frequency at which query and analysis results are checked.
    • Hourly: Query and analysis results are checked every hour.
    • Daily: Query and analysis results are checked at a specified point in time every day.
    • Weekly: Query and analysis results are checked at a specified point in time on a specified day of each week.
    • Fixed Interval: Query and analysis results are checked at a specified interval.
    • Cron: Query and analysis results are checked at an interval that is specified by a cron expression.

      A cron expression can specify an interval that is accurate to the minute. The cron expression is based on the 24-hour clock. For example, 0 0/1 * * * indicates that query and analysis results are checked at an interval of 1 hour from 00:00.

    Query Statistics: Specify a query statement.

    If you specify multiple query statements, you can configure the Set Operations parameter to associate the query and analysis results of the statements. For more information, see Multi-set operations.

    Group Evaluation: Log Service can group query and analysis results.
    • If you set this parameter to Custom Tag, Log Service groups query and analysis results based on the fields that you configure. After Log Service groups the query and analysis results, Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.

      You can configure multiple fields. Separate the fields with commas (,).

    • If you set this parameter to No Grouping, only one alert is triggered in each check period when the trigger condition is met.
    • If you set this parameter to Auto Tag, Log Service automatically groups the query and analysis results of time series data.
    Trigger Condition: Specify the trigger condition and severity of an alert.
    • Trigger condition
      • Data is returned: If data is returned in the query and analysis results, an alert is triggered.
      • the query result contains: If the query and analysis results contain N data entries, an alert is triggered.
      • data matches the expression: If the query and analysis results contain data that matches a specified expression, an alert is triggered.
      • the query result contains: If the query and analysis results contain N data entries that match a specified expression, an alert is triggered.
    • Severity

      This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add severity-based conditions. For more information, see Specify alert severities.

      • If you specify a trigger condition and a severity, all alerts that are triggered based on the alert monitoring rule have the same severity.
      • If you specify more than one trigger condition, you can specify a severity for each condition. You can click Create to specify more trigger conditions.

    For more information about the syntax of conditional expressions in alert monitoring rules, see Syntax of trigger conditions in alert rules.

    Add Tag: Log Service allows you to add labels as identifying attributes to alerts. Labels are key-value pairs. This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add label-based conditions. For more information, see Labels and annotations.
    Add Annotation: Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are key-value pairs. This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add annotation-based conditions. For more information, see Labels and annotations.

    If you turn on Auto-Add Annotations, fields such as __count__ and __topic__ are automatically added to alerts. For more information, see Auto-Add switch.

    Recovery Notifications: If you turn on Recovery Notifications, a recovery alert is triggered each time an alert is cleared. The severity of a recovery alert is the same as the severity of the alert for which the recovery alert is triggered. For more information, see Recovery notifications.
    Threshold of Continuous Triggers: Specify the threshold to trigger an alert. If the number of consecutive times the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.
    No Data Alert: If you turn on No Data Alert, an alert is triggered when the number of times no data is returned exceeds the value of Threshold of Continuous Triggers. If multiple query statements are executed, the number of times is counted based on the associated query and analysis results of the query statements. For more information, see No-data alerts.
    Alert Policy: Alert policies are used to merge, denoise, and suppress alerts.
    • If you select Simple Mode or Standard Mode, you do not need to configure alert policies. In this case, Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts.
    • If you select Advanced Mode, you can select a built-in or custom alert policy to manage alerts. For more information about how to create an alert policy, see Create an alert policy.
    Action Policy: Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent.
    • If you set Alert Policy to Simple Mode, you only need to configure an action group for this parameter.
      After you configure the action group, Log Service creates an action policy named Rule name-Action policy. Alert notifications are sent based on the action policy for all alerts that are triggered based on the alert monitoring rule. For more information about how to configure alert notification methods, see Notification methods.
      Notice: You can modify an action policy on the Action Policy tab. For more information, see Create an action policy. If you add conditions when you modify an action policy, the value of the Alert Policy parameter is automatically changed to Standard Mode.
    • If you set Alert Policy to Standard Mode or Advanced Mode, you can select a built-in or custom action policy to send alert notifications. For more information about how to create an action policy, see Create an action policy.

      If you set Alert Policy to Advanced Mode, you can enable or disable Custom Action Policy. For more information, see Dynamic action policy mechanism.

    Repeat Interval: If duplicate alerts are triggered in the specified period, the action policy that you select is executed only once, and only one alert notification is sent.
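
For the Cron option of Check Frequency, the schedule also determines the longest time a matching log entry can wait before the next check runs. The following added example (not Log Service code) expands a five-field expression such as 0 0/1 * * * into one day's check times and reports the longest gap between checks. The function names and the common cron reading of start/step, ranges and lists are assumptions, and only schedules whose last three fields are * are handled.

```python
# Added example: expand a 5-field cron expression (minute hour day month weekday)
# into the check times of one day and measure the longest gap between checks.
# Field semantics follow common cron conventions and are an assumption here.
MINUTES_PER_DAY = 24 * 60


def expand_field(field, lo, hi):
    """Return the sorted values selected by one cron field within [lo, hi]."""
    values = set()
    for part in field.split(","):
        rng, slash, step_text = part.partition("/")
        step = int(step_text) if slash else 1
        if step < 1:
            raise ValueError(f"step must be >= 1 in {part!r}")
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = int(rng)
            # "start/step" runs to the top of the range; a bare number is one value.
            end = hi if slash else start
        if not lo <= start <= end <= hi:
            raise ValueError(f"{part!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def daily_check_times(expr):
    """Minutes after midnight at which a rule with this schedule is checked."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day month weekday")
    minute, hour, *date_fields = fields
    if date_fields != ["*", "*", "*"]:
        raise ValueError("this example only handles schedules that run every day")
    minutes = expand_field(minute, 0, 59)
    return [h * 60 + m for h in expand_field(hour, 0, 23) for m in minutes]


def longest_gap_minutes(expr):
    """Longest time between two consecutive checks, including across midnight."""
    times = daily_check_times(expr)
    gaps = [b - a for a, b in zip(times, times[1:])]
    gaps.append(times[0] + MINUTES_PER_DAY - times[-1])
    return max(gaps)


if __name__ == "__main__":
    for expr in ("0 0/1 * * *", "0/15 8-18 * * *"):
        print(expr, len(daily_check_times(expr)), longest_gap_minutes(expr))
```

A schedule restricted to certain hours, such as the constructed 0/15 8-18 * * *, checks every 15 minutes during the day but leaves a much longer unchecked window overnight, which matters when the rule is meant to detect activity outside working hours.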