The alerting module is upgraded to improve the features related to alert monitoring, alert management, and notification management. This topic describes the differences between the old and new versions of the alerting module in terms of the architecture, features, and configuration items.
Architecture
In the new version, if alerts are triggered based on an alert rule, the alerts are denoised based on the alert policy of the alert rule, and then dispatched by using the notification methods that are specified in the action policy of the alert rule. You can also manage alert events and escalate alerts in the new version.
Figure: Workflow in the old version
Figure: Workflow in the new version
Features
In the new version, existing features are optimized, and new features are introduced.
Optimized features
| Feature | Old version | New version |
|---|---|---|
| Log data monitoring | If data is returned, an alert is triggered. If a specified condition is met, an alert is triggered. | You can specify whether to trigger an alert if data is returned. You can specify whether to trigger an alert if the number of returned data entries reaches a specified value. |
| Metric data monitoring | If data is returned, an alert is triggered. The search and analysis syntax is complex. If a specified condition is met, an alert is triggered. | You can specify whether to trigger an alert if data is returned. You can also specify whether to trigger an alert if the number of returned data entries reaches a specified value. |
|  | If data is returned, an alert is triggered. If a specified condition is met, an alert is triggered. The join operations are not supported for multiple query statements. | You can specify whether to trigger an alert if data is returned. You can specify whether to trigger an alert if the number of returned data entries reaches a specified value. The join operations are supported for multiple query statements. |
| Chart association | When you create an alert rule, you must associate the rule with at least one chart. | When you create an alert rule, you do not need to associate the rule with a chart. |
| Associated monitoring for Logstores or Metricstores | For multiple query statements, the join operations support only CROSS JOIN and No Merge. | For multiple query statements, the join operations support CROSS JOIN, No Merge, JOIN, LEFT JOIN, RIGHT JOIN, FULL JOIN, LEFT EXCLUDE JOIN, and RIGHT EXCLUDE JOIN. |
| Alert deduplication | In a time window, duplicate alerts that are triggered based on the same alert rule are removed. | Duplicate alerts can be removed based on specified labels. You can also specify an interval after which notifications are sent for duplicate alerts. |
New features
The following table describes the new features related to alert monitoring, alert management, notification management, and alert analysis.
| Category | Feature | Description |
|---|---|---|
| Alert monitoring | Associated monitoring for Logstores and Metricstores | You can use SQL JOIN clauses and perform set operations on intermediate query results. |
| Alert monitoring | Blacklist and whitelist monitoring | You can use resource data to associate whitelist or blacklist objects. |
| Alert monitoring | Associated monitoring for data | You can perform set operations on data across projects, regions, and Alibaba Cloud accounts. For more information, see Specify query statements. |
| Alert monitoring | Alert severity | You can configure alert severities in static or dynamic mode. You can also specify the severity for a no-data alert. For more information, see Specify severity levels for alerts. |
| Alert monitoring | Label and annotation | You can configure custom labels and annotations. You can specify a variable as the value of an annotation. For more information, see Add labels and annotations. |
| Alert monitoring | Multi-group monitoring | You can group the query and analysis results that are obtained for an alert rule. The results in each group are separately evaluated against the trigger conditions of the rule, and alert notifications are sent by group. For more information, see Use the group evaluation feature. |
| Alert monitoring | No-data alert | You can configure settings to send notifications for no-data alerts. For more information, see No-data alert. |
| Alert monitoring | Alert recovery | You can configure settings to send notifications for alerts that are cleared. For more information, see Configure recovery notifications. |
| Alert management | Alert denoising | You can manage global alerts. You can configure silence and suppression policies for alerts. You can also group and merge alerts. For more information, see Alert management overview. |
| Notification management | Dynamic alert dispatch | You can configure dynamic dispatch settings for alerts. This way, alert notifications can be dynamically dispatched to specified users, user groups, or on-duty groups by using a specified notification method. For more information, see Manage methods to send alert notifications. |
| Notification management | Recipient management | You can specify users, user groups, or on-duty groups as recipients. For more information, see Create users and user groups and Create an on-duty group. |
| Notification management | Calendar support | The system automatically identifies non-business days, business days, and holidays in countries such as China and the United States to dynamically adjust notification settings. For more information, see Reset the calendar. |
| Notification management | Shift plan | You can configure various rotating shifts and substitute shifts based on your business requirements. You can configure a custom calendar for an on-duty group and specify custom holidays. For more information, see Rotating and substitute shifts. |
| Notification management | Notification method quota | You can configure quotas for notifications that are sent by using text messages, voice calls, or emails. You can also specify a separate notification quota for users and user groups. For more information, see Alert notification quotas. |
| Alert analysis | Alert Rule Center, Alert Pipeline Center, and Troubleshooting Center dashboards | You can view the following information on the dashboards: overall running status of alert rules, trigger statistics about alert rules, entire pipeline of triggered alerts, and statistics about alert-related errors that occur. You can filter alerts by region, project, and alert severity. |
| Alert analysis | Global storage | Alert data is globally stored. You can view received and processed alerts and also related logs. |
Configuration items
Changes are made to the following configuration items: parameters in alert rules, notification methods, and variables in alert templates.
Parameters in alert rules
After the alerting module is upgraded, the following parameters are added. Other parameters remain unchanged.
| Parameter | Default value |
|---|---|
| Group Evaluation | No Grouping |
| Set Operations | INNER JOIN |
| Trigger Condition | the query result contains |
| Severity | Medium |
| No Data Alert | Off |
| Recovery Notifications | Off |
Notification methods
After the alerting module is upgraded, the new version of the alerting module extracts a mobile number or an email address as a user identifier to create a user, extracts the content of a notification as an alert template, and generates an action policy based on the configuration of a notification method. By default, the sls.builtin.dynamic built-in action policy is used.
Note: If a user is created for a mobile number or an email address after the upgrade, duplicate mobile numbers or email addresses automatically match the user, and no more users are created. The system sends alert notifications to the user.
If an alert template is extracted from the content of a notification after the upgrade, duplicate notifications automatically match the alert template, and no more alert templates are extracted. The system sends alert notifications based on the alert template.
If an action template is generated based on the configuration of a notification method after the upgrade, duplicate notification methods automatically match the action template, and no more action templates are generated. The system sends alert notifications based on the action template.
| Notification method | New version | Old version |
|---|---|---|
| Text message | Username + Mobile number + Alert template | Mobile number + Content |
| Voice call | Username + Mobile number + Alert template | Mobile number + Content |
| Email | Username + Email address + Alert template | Email address + Content |
| DingTalk | Username + Mobile number + Alert template | Request URL + @Mobile number in DingTalk + Content |
Variables in alert templates
In the new version, the alert template variables are adjusted to be consistent with the variables that are used in alert policies. New variables are also added. The following table describes the differences between the variables in the old and new versions.
| Variable in the old version | Variable in the new version | Description |
|---|---|---|
| Aliuid | aliuid | The ID of the Alibaba Cloud account to which a project belongs. |
| Project | project | The project to which an alert rule belongs. |
| AlertID | alert_instance_id | The execution ID of an alert. |
| AlertDisplayName | alert_name | The display name of an alert rule. |
| Condition | condition | The conditional expression that triggers an alert. The variables in the trigger condition are replaced by the values that trigger the alert. Each value is enclosed in a pair of brackets ([]). |
| RawCondition | raw_condition | The original conditional expression. The variables in the trigger condition are not replaced. |
| Dashboard | dashboard | The name of the dashboard that is associated with an alert rule. |
| DashboardUrl | dashboard_url | The URL of the dashboard that is associated with an alert rule. |
| FireTime | fire_time | The time when an alert is triggered. |
| FullResultUrl | query_url | The URL that is used to query the details of an alert. |
| Results | results | The query parameters and results. The value is of the array type. For more information about the fields in the results variable, see Appendix: Structure of the results variable. Note: The variable can contain the information of up to 100 alert notifications. |
For more information, see Template variables and Variables in original alert templates.
Appendix: Structure of the results variable
| Field in the old version | Field in the new version | Description |
|---|---|---|
| Query | query | The query statement. |
| LogStore | store | The Logstore in which the query statement is executed. |
| StartTime | start_time | The query start time. |
| StartTimeTs | start_time_ts | The query start time. The time is a UNIX timestamp. |
| EndTime | end_time | The query end time. |
| EndTimeTs | end_time_ts | The query end time. The time is a UNIX timestamp. |
| RawResults | raw_results | The query result that is formatted in an array. Each element in the array is a log. The length of the array varies based on the size of the log content. An array can contain up to 100 logs. |
| RawResultsAsKv | raw_results_as_kv | The query result that is formatted in key-value pairs. Note: This field can be used only as a template variable. No data is stored to a Logstore for this field. |
| RawResultCount | raw_result_count | The number of logs that are returned. |
| FireResult | fire_result | The log that triggers an alert. If no alert is triggered, the value is null. |
| FireResultAsKv | fire_result_as_kv | The logs that trigger alerts and are formatted in key-value pairs. Note: This field can be used only as a template variable. No data is stored to a Logstore for this field. |
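The following is an added example, not code from this page or from the alerting module itself, for a downstream consumer (for example, a webhook receiver or SOC ticketing integration) that must keep working across the upgrade. It renames the old-version template variables and results fields from the two tables above to their new-version names, and then summarizes the results array while treating a null fire_result as "did not fire". The sample payload is constructed; the "possibly truncated" heuristic based on the 100-log cap is an assumption.

```python
# Old-version template variables -> new-version names (table above).
VARIABLE_RENAMES = {
    "Aliuid": "aliuid", "Project": "project", "AlertID": "alert_instance_id",
    "AlertDisplayName": "alert_name", "Condition": "condition", "RawCondition": "raw_condition",
    "Dashboard": "dashboard", "DashboardUrl": "dashboard_url", "FireTime": "fire_time",
    "FullResultUrl": "query_url", "Results": "results",
}
# Old-version fields of each results element -> new-version names (appendix above).
RESULT_FIELD_RENAMES = {
    "Query": "query", "LogStore": "store", "StartTime": "start_time",
    "StartTimeTs": "start_time_ts", "EndTime": "end_time", "EndTimeTs": "end_time_ts",
    "RawResults": "raw_results", "RawResultsAsKv": "raw_results_as_kv",
    "RawResultCount": "raw_result_count", "FireResult": "fire_result", "FireResultAsKv": "fire_result_as_kv",
}
MAX_LOGS_PER_RESULT = 100  # raw_results holds at most 100 logs per the appendix

# Constructed sample of an old-version payload (not real alert data).
SAMPLE_OLD_PAYLOAD = {
    "AlertID": "inst-0001", "AlertDisplayName": "login-failures", "Project": "demo-project",
    "Results": [
        {"LogStore": "auth-log", "Query": "status:failed | select count(*) as c",
         "RawResults": [{"c": "17"}], "RawResultCount": 1, "FireResult": {"c": "17"}},
        {"LogStore": "audit-log", "Query": "* | select count(*) as c",
         "RawResults": [], "RawResultCount": 0, "FireResult": None},
    ],
}


def migrate_alert(payload: dict) -> dict:
    """Rename old-version keys to new-version keys; keys already in the new form pass through."""
    new = {VARIABLE_RENAMES.get(k, k): v for k, v in payload.items()}
    if isinstance(new.get("results"), list):
        new["results"] = [{RESULT_FIELD_RENAMES.get(k, k): v for k, v in r.items()}
                          for r in new["results"]]
    return new


def summarize_results(alert: dict) -> dict:
    """Summarize the results array; a fire_result of None means that query did not fire."""
    fired, total, truncated = [], 0, []
    for r in alert.get("results", []):
        logs = r.get("raw_results") or []
        total += int(r.get("raw_result_count", len(logs)))
        if r.get("fire_result") is not None:
            fired.append(r["store"])
        if len(logs) >= MAX_LOGS_PER_RESULT:  # assumption: at the cap, more logs may exist
            truncated.append(r["store"])
    return {"alert": alert.get("alert_name"), "instance": alert.get("alert_instance_id"),
            "fired_stores": fired, "total_logs": total, "possibly_truncated": truncated}
```

Running migrate_alert on an already-migrated payload is a no-op, so the same receiver can accept notifications from both versions during the transition.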