After you create an alert monitoring rule, Log Service checks query and analysis results based on the configurations that you specify in the rule. The configurations include the check frequency and trigger condition. If alerts are triggered, Log Service denoises the alerts and sends alert notifications based on the alert policy and action policy that you specify.

Procedure

  1. Log on to the Log Service console.
  2. In the Projects section, click the name of the project that you want to view.
  3. Choose Log Storage > Logstores. On the Logstores tab, click the Logstore that you want to view.
  4. On the Search & Analysis page, choose Save as Alert > New Version Alert.
  5. In the Alert Monitoring Rule panel, configure the parameters and click OK. The following table describes the parameters.
    Parameter: Description
    Rule Name: Specify the name of the alert monitoring rule.
    Check Frequency: Specify the frequency at which query and analysis results are checked.
    • Hourly: Query and analysis results are checked every hour.
    • Daily: Query and analysis results are checked at a specified point in time every day.
    • Weekly: Query and analysis results are checked at a specified point in time on a specified day of each week.
    • Fixed Interval: Query and analysis results are checked at a specified interval.
    • Cron: Query and analysis results are checked at an interval that is specified by a cron expression.

      A cron expression can specify an interval that is accurate to the minute. The cron expression is based on the 24-hour clock. For example, 0 0/1 * * * specifies that query and analysis results are checked at an interval of 1 hour from 00:00.

    Query Statistics: Click the input box. In the Query Statistics dialog box, configure information about a query statement.
    • Associated Report: On this tab, you can select a dashboard to monitor data.
    • Advanced Settings: On the Advanced Settings tab, you can select Logstore, Metricstore, or Resource Data from the Type drop-down list to specify the type of data that you want to monitor.
      • Logstore: Logs are stored. For more information about query and analysis configurations, see Query and analyze logs.
      • Metricstore: Time series data is stored in Metricstores. For information about how to query and analyze time series data, see Query and analyze time series data.
      • Resource Data: The external data that you want to associate with the alert monitoring rule. For more information, see Create resource data.
      If you set the Type parameter to Logstore or Metricstore and a query statement is configured, you can specify whether to enable Dedicated SQL. For more information, see Enable Dedicated SQL.
      • Auto: By default, Dedicated SQL is not used. If the number of concurrent queries is limited or the query results are inaccurate, Log Service automatically tries to use Dedicated SQL.
      • Enable: Dedicated SQL is used for data query and analysis.
      • Disable: Dedicated SQL is disabled.

    If you specify multiple query statements, you can configure the Set Operations parameter to associate the query and analysis results of the statements. For more information, see Multi-set operations.

    Group Evaluation: Log Service can group query and analysis results. For more information, see Use the group evaluation feature.
    • Custom Label: Log Service groups query and analysis results based on the fields that you specify, and then checks whether the results in each group meet the trigger condition. In each check period, an alert is triggered for each group whose results meet the trigger condition.

      You can specify multiple fields.

    • No Grouping: Only one alert is triggered in each check period when the trigger condition is met.
    • Auto Label: If you select Metricstore from the Type drop-down list in the Query Statistics dialog box, Log Service automatically groups query and analysis results. Selecting Metricstore means that the query and analysis results of time series data are monitored.

      After Log Service groups the query and analysis results, it checks whether the results in each group meet the trigger condition. In each check period, an alert is triggered for each group whose results meet the trigger condition.

    Trigger Condition: Specify the trigger condition and severity of an alert.
    • Trigger condition
      • Data is returned: If data is returned in the query and analysis results, an alert is triggered.
      • the query result contains: If the query and analysis results contain N data entries, an alert is triggered.
      • data matches the expression: If the query and analysis results contain data that matches a specified expression, an alert is triggered.
      • the query result contains: If the query and analysis results contain N data entries that match a specified expression, an alert is triggered.
    • Severity

      This parameter is used to denoise alerts and manage alert notifications. You can add severity-based conditions when you create an alert policy or an action policy. For more information, see Specify severity levels for alerts.

      • If you specify only one trigger condition, you can specify a severity for that condition. In this case, all alerts that are triggered based on the alert monitoring rule have the same severity.
      • If you specify more than one trigger condition, you can specify a severity for each condition. You can click Create to specify more trigger conditions.

    For more information about the syntax of conditional expressions in alert monitoring rules, see Syntax of trigger conditions in alert rules.

    Add Label: Log Service allows you to add labels as identifying attributes to alerts. Labels are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add label-based conditions. For more information, see Labels and annotations.
    Add Annotation: Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add annotation-based conditions when you create an alert policy or an action policy. For more information, see Labels and annotations.

    If you turn on Auto-Add Annotations, fields such as __count__ are automatically added to alerts. For more information, see Auto-Add switch.

    Recovery Notifications: If you turn on Recovery Notifications, a recovery alert is triggered each time an alert is cleared. The severity of a recovery alert is the same as the severity of the alert for which the recovery alert is triggered. For more information, see Recovery notifications.
    Threshold of Continuous Triggers: Specify the threshold at which an alert is triggered. If the number of consecutive times that the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.
    No Data Alert: If you turn on No Data Alert, an alert is triggered when the number of times that no data is returned exceeds the value of Threshold of Continuous Triggers. If multiple query statements are executed, the number of times is counted based on the associated query and analysis results of the query statements. For more information, see No-data alert.
    Alert Policy: Alert policies are used to merge, silence, and suppress alerts.
    • If you select Simple Mode or Standard Mode, you do not need to configure an alert policy. By default, Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts.
    • If you select Advanced Mode, you can select a built-in or custom alert policy to manage alerts. For information about how to create an alert policy, see Create an alert policy.
    Action Policy: Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent.
    • If you set the Alert Policy parameter to Simple Mode, you need to configure only an action group for this parameter.

      After you configure an action group, Log Service automatically creates an action policy whose name is in the Rule name-Action policy format. Alert notifications are sent based on the action policy for all alerts that are triggered based on the alert monitoring rule. For information about how to configure alert notification methods, see Notification methods.

      You can also turn on Enable Intelligent Merging to group and merge duplicate, redundant, or relevant alerts into a group. Log Service sends only one alert notification for each group in a specified period of time. This helps you denoise alerts. For more information, see Intelligent grouping and merging of alerts.

      Notice: You can modify an action policy on the Action Policy tab. For more information, see Create an action policy. If you add conditions when you modify an action policy, the value of the Alert Policy parameter is automatically changed to Standard Mode.
    • If you set the Alert Policy parameter to Standard Mode or Advanced Mode, you can select a built-in or custom action policy to send alert notifications. For information about how to create an action policy, see Create an action policy.

      If you set the Alert Policy parameter to Advanced Mode, you can turn on or turn off Custom Action Policy. For more information, see Dynamic action policy mechanism.

    Repeat Interval: If duplicate alerts are triggered in the specified period, the action policy that you select is executed only once and Log Service sends only one alert notification.
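
The difference between No Grouping and Custom Label in Group Evaluation, and the effect of assigning a severity to each trigger condition, can be checked with a local model. The following Python code is an added example, not Log Service code: the sample rows, the field names, and the evaluate function are constructed for illustration. It assumes that "contains N data entries" means at least N and that the first satisfied condition sets the severity.

```python
from collections import defaultdict

# Constructed sample rows, shaped like the result of a query that counts
# failed logins per source address and host. All values are made up.
ROWS = [
    {"src_ip": "203.0.113.7", "host": "web-1", "failed": 42},
    {"src_ip": "203.0.113.7", "host": "web-2", "failed": 3},
    {"src_ip": "198.51.100.9", "host": "web-1", "failed": 1},
    {"src_ip": "192.0.2.15", "host": "web-2", "failed": 17},
]

# Each trigger condition: (expression as a predicate, N, severity).
# Assumptions: "contains N data entries" is modelled as "at least N", and
# the first satisfied condition in the list decides the severity.
CONDITIONS = [
    (lambda r: r["failed"] >= 30, 1, "critical"),
    (lambda r: r["failed"] >= 10, 1, "medium"),
]


def evaluate(rows, conditions, group_by=None):
    """Return the alerts that one check period would raise.

    group_by=None models No Grouping (at most one alert per period);
    a list of field names models Custom Label (one evaluation per group).
    """
    groups = defaultdict(list)
    for row in rows:
        key = tuple((f, row[f]) for f in group_by) if group_by else ()
        groups[key].append(row)

    alerts = []
    for key, members in groups.items():
        for predicate, n, severity in conditions:
            matched = sum(1 for r in members if predicate(r))
            if matched >= n:
                alerts.append({"group": dict(key), "severity": severity,
                               "matched": matched})
                break  # one alert per group per check period
    return alerts


if __name__ == "__main__":
    print(evaluate(ROWS, CONDITIONS))                       # No Grouping
    print(evaluate(ROWS, CONDITIONS, group_by=["src_ip"]))  # Custom Label
```

With No Grouping, the single critical alert hides the second source. Grouping by src_ip yields a critical alert for 203.0.113.7 and a separate medium alert for 192.0.2.15, which severity-based conditions in an alert policy or action policy can then treat differently.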