Document Center

All Products

Document Center

Log Service:Data structure of an alert monitoring rule

Last Updated:Oct 26, 2023

This topic describes the data structure of an alert monitoring rule.

Alert

Field	Type	Required	Description
name	String	Yes	The ID of the alert monitoring rule. The ID is displayed in the URL of the rule.
displayName	String	Yes	The name of the alert monitoring rule. The name is displayed in the alert list.
state	String	No	The status of the alert monitoring rule. Valid values: Enabled Disabled (default)
type	String	Yes	Set the value to Alert.
description	String	No	The compatibility field. Set the value to an empty string.
schedule	Schedule	Yes	The check frequency-related settings. For more information, see Schedule.
configuration	Configuration	Yes	The detailed settings of the alert monitoring rule. For more information, see Configuration.

Schedule

Field	Type	Required	Description
type	String	Yes	The type of the check frequency. Log Service checks query and analysis results based on the frequency that you specify. Valid values: FixedRate: Log Service checks query and analysis results at a fixed interval. Cron: Log Service checks query and analysis results at an interval that is specified by a cron expression. Weekly: Log Service checks query and analysis results at a specified point in time on a specified day of each week. Daily: Log Service checks query and analysis results at a specified point in time every day. Hourly: Log Service checks query and analysis results every hour.
interval	String	No	The fixed interval. Examples: 5m and 1h. If you set type to FixedRate, you must configure interval.
cronExpression	String	No	The cron expression, which can specify an interval accurate to the minute. The cron expression is based on the 24-hour clock. For example, `0 0/1 * * *` specifies that Log Service checks query and analysis results at an interval of 1 hour from 00:00. If you set type to Cron, you must configure cronExpression.
dayOfWeek	Integer	No	The day of the week. Valid values: 0 to 6, which specify Sunday to Saturday. If you set type to Weekly, you must configure dayOfWeek.
hour	Integer	No	The hour. Valid values: 0 to 23, which specify each hour in a day. If you set type to Weekly or Daily, you must configure hour.
runImmediately	Boolean	No	Specifies whether to run the alert monitoring rule immediately after the rule is created.

Configuration

Field	Type	Required	Description
version	String	Yes	Set the value to 2.0.
type	String	Yes	Set the value to default.
dashboard	String	No	The alert history dashboard. Recommended value: internal-alert-analysis.
queryList	AlertQuery	Yes	The list of query statements.
groupConfiguration	GroupConfiguration	Yes	The settings of group evaluation. For more information, see GroupConfiguration.
joinConfigurations	[]JoinConfiguration	No	The settings of set operations. For more information, see JoinConfiguration. If you specify only one query statement in queryList, you do not need to configure joinConfigurations. If you specify two to three query statements in queryList, you must configure joinConfigurations to associate the results of the query statements. For more information, see Multi-set operations.
severityConfigurations	[]SeverityConfiguration	Yes	The trigger condition. You must specify at least one trigger condition. For more information, see SeverityConfigurations.
labels	[]Tag	No	The label. For more information, see Tag.
annotations	[]Tag	No	The annotation. For more information, see Tag.
autoAnnotation	Boolean	Yes	Specifies whether to allow the system to automatically add annotations. true: If you use this value, the system automatically adds annotations such as __count__ to alerts. This is the default value. For more information, see Auto-Add switch. false: If you use this value, the system does not automatically add annotations to alerts.
sendResolved	Boolean	No	Specifies whether to trigger a recovery alert when an alert is cleared. true: If you use this value, a recovery alert is triggered when an alert is cleared. For more information, see Recovery notifications. false: If you use this value, no recovery alerts are triggered when an alert is cleared. This is the default value.
threshold	Integer	Yes	The threshold based on which an alert is triggered. If the number of consecutive times that the specified trigger condition is met reaches the specified threshold, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.
noDataFire	Boolean	No	Specifies whether to trigger an alert when the condition for no data is met. true: If you use this value, an alert is triggered when the number of times that no data is returned exceeds the value of Threshold of Continuous Triggers. If multiple query statements are executed, the number of times is counted based on the results of set operations that are performed on the query statements. For more information, see No-data alert. false: If you use this value, no alerts are triggered when the condition for no data is met. This is the default value.
noDataSeverity	Integer	No	The severity level of an alert that is triggered when the condition for no data is met. For more information, see Alert severities.
policyConfiguration	PolicyConfiguration	Yes	The settings of the alert policy. For more information, see PolicyConfiguration.
tags	[]String	No	The type of the custom alert monitoring rule. Note This field is supported in Log Service SDK for Java V0.6.74 and later.

AlertQuery

Field	Type	Required	Description
storeType	String	Yes	The type of the data source for the query. Valid values: log: Logstore data metric: Metricstore data meta: resource data
region	String	Yes	The region of the project in which the query is performed. If you set storeType to log or metric, set region to the region of the project. If you set storeType to meta, set project to an empty string.
project	String	Yes	The project in which the query is performed. If you set storeType to log or metric, set project to the project. If you set storeType to meta, set project to an empty string.
store	String	Yes	The Logstore, Metricstore, or resource data on which the query is performed. If you set storeType to log, set store to the name of the Logstore. If you set storeType to metric, set store to the name of the Metricstore. If you set storeType to meta, set store to the name of the resource data.
roleArn	String	No	The Alibaba Cloud Resource Name (ARN) of the RAM role that is required to access data. For more information, see Configure access control policies.
query	String	Yes	The query statement. If you set storeType to log or metric, set query to the query statement. If you set storeType to meta, set project to an empty string.
timeSpanType	String	No	The type of time. For more information, see Time ranges of query statements. If you set storeType to log or metric, you must configure timeSpanType.
start	String	No	The start time. If you set storeType to log or metric, you must configure start.
end	String	No	The end time. If you set storeType to log or metric, you must configure end.
powerSqlMode	String	No	Specifies whether to enable Dedicated SQL. Valid values: auto: The system automatically enables or disables Dedicated SQL. enable: Dedicated SQL is enabled. disable: Dedicated SQL is disabled.

GroupConfiguration

Field	Type	Required	Description
type	String	Yes	The type of group evaluation. Valid values: no_group: Query and analysis results are not grouped. custom: Query and analysis results are grouped based on the custom field that you specify. labels_auto: Query and analysis results are automatically grouped. This value is supported only for metrics.
fields	[]String	No	The field based on which query and analysis results are grouped. If you set type to custom, you must configure fields.

JoinConfiguration

Field	Type	Required	Description
type	String	Yes	The type of the set operation. Valid values: cross_join: Cartesian product. inner_join: inner join. left_join: left join. right_join: right join. full_join: full join. left_exclude: left exclusion. right_exclude: right exclusion. concat: concatenation. The system traverses all datasets in sequence. no_join: no join. The system uses only the first dataset.
condition	String	No	If you set type to inner_join, left_join, right_join, full_join, left_exclude or right_exclude, you must configure condition. Example: `$0.host == $1.ip`.

SeverityConfiguration

Field	Type	Required	Description
severity	Integer	Yes	The severity level of an alert. For more information, see Alert severities.
evalCondition	ConditionConfiguration	No	The trigger condition. For more information, see Syntax of evaluate expressions.
evalCondition.condition	String	Yes	The expression that is used to match data. If you do not need to match data, set the value to an empty string. In other scenarios, set the value to an expression. Example: `errCnt > 10`.
evalCondition.countCondition	String	Yes	The expression that is used to match the number of data entries. If you want the trigger condition to be met when data is returned in query and analysis results, set the value to an empty string. In other scenarios, set the value to an expression. Example: `__count__ > 3`.

Tag

Field	Type	Required	Description
key	String	Yes	The name of the field.
value	String	Yes	The value of the field.

PolicyConfiguration

Field	Type	Required	Description
alertPolicyId	String	Yes	The ID of the alert policy. In simple or standard mode, set the value to sls.builtin.dynamic, which is a built-in dynamic alert policy. In advanced mode, set the value to the ID of the alert policy.
actionPolicyId	String	Yes	The ID of the action policy. In advanced mode, if the alert policy does not use a dynamic action policy, set actionPolicyId to an empty string.
repeatInterval	String	Yes	The repeat interval. Examples: 5m and 1h.
useDefault	Boolean	Yes	The compatibility field. Set the value to false.

Reference data

Alert severities

Alert severity	Description
Critical	10
High	8
Medium	6
Low	4
Report	2

Time ranges of query statements

timeSpanType	start	end	Description
Custom	-15m	absolute	A 15-minute period of the Time Frame type.
Custom	-100s	-20s	A period of the Relative type that starts at the previous 100 seconds and ends at the previous 20 seconds.
Custom	-60s	now	A 60-second period of the Relative type.
Custom	-120m	Empty string	A 120-minute period of the Relative type.
Relative	-100s	-20s	A period of the Relative type that starts at the previous 100 seconds and ends at the previous 20 seconds.
Relative	-60s	now	A 60-second period of the Relative type.
Relative	-120m	Empty string	A 120-minute period of the Relative type.
Truncated	-15m	Arbitrary	A 15-minute period of the Time Frame type.
Today	Arbitrary	Arbitrary	A period that starts from 00:00 on the current day and ends at the current time.
Yesterday	Arbitrary	Arbitrary	A period that starts from 00:00 on the previous day and ends at 00:00 on the current day.