Simple Log Service: Comparison between the old and new versions of the alerting module

Last Updated: Apr 26, 2024

The alerting module is upgraded to support alert monitoring, alert management, and notification management. This topic compares the old and new versions of the alerting module in terms of the architecture, features, and configurations.

Upgraded architecture

In the new version, if alerts are triggered based on an alert monitoring rule, these alerts are denoised based on a specified alert policy. Then, the alerts are dispatched by using the notification methods that are specified in the action policy. The alerting module can also be used to manage alert incidents and escalate alerts.

  • Old workflow

    [Figure: old workflow]
  • New workflow

    [Figure: new workflow]

Upgraded features

The upgraded features include optimized features and new features.

  • Optimized features

    | Feature | Old version | New version |
    | --- | --- | --- |
    | Log monitoring | If data is returned for a query, an alert is triggered. | You can specify whether to trigger an alert if data is returned for a query. |
    | | If a specified condition is met, an alert is triggered. | You can specify whether to trigger an alert if the number of returned data entries reaches a specified value. |
    | Time series data monitoring | If data is returned for a query, an alert is triggered. The syntax of search and analytic statements is complex. | You can specify whether to trigger an alert if data is returned for a query. You can also specify whether to trigger an alert if the number of returned data entries reaches a specified value. |
    | | If data is returned for a query, an alert is triggered. | You can specify whether to trigger an alert if data is returned for a query. |
    | | If a specified condition is met, an alert is triggered. | You can specify whether to trigger an alert if the number of returned data entries reaches a specified value. |
    | | Union queries are not supported. | Union queries are supported. |
    | Report association | When you create an alert monitoring rule, you must associate the rule with at least one chart. | When you create an alert monitoring rule, you do not need to associate the rule with a chart. |
    | Associated monitoring of Logstores or Metricstores | When you perform a union query, you can use only the CROSS JOIN and No Merge operations. | When you perform a union query, you can use various set operations. The set operations include CROSS JOIN, No Merge, JOIN, LEFT JOIN, RIGHT JOIN, FULL JOIN, LEFT EXCLUDE JOIN, and RIGHT EXCLUDE JOIN. |
    | Alert deduplication | In a time window, the duplicate alerts that are triggered based on the same alert monitoring rule are removed. | Duplicate alerts can be removed based on specified labels. You can also specify the frequency at which alert notifications are sent. |

  • New features

    The following table describes the new features in terms of alert monitoring, alert management, notification management, and alert analysis.

    | Category | Feature | Description |
    | --- | --- | --- |
    | Alert monitoring | Associated monitoring for Logstores and Metricstores | You can use SQL JOIN clauses or set operations to perform associated monitoring based on query results. |
    | | Blacklist and whitelist monitoring | You can use resource data to associate whitelist or blacklist objects. |
    | | Associated monitoring for data | You can use set operations on data across projects, regions, and Alibaba Cloud accounts. For more information, see Multi-set operations. |
    | | Alert severity | You can configure static or dynamic settings for alert severities. You can also specify the severity for a no-data alert. For more information, see Specify severity levels for alerts. |
    | | Label and annotation | You can customize labels and annotations. You can set a label value to a variable. For more information, see Labels and annotations. |
    | | Multi-group monitoring | You can group query results that are obtained based on an alert monitoring rule. Each group is evaluated. Alert notifications are sent by group. For more information, see Use the group evaluation feature. |
    | | No-data alert | If no data is returned for a query, an alert is triggered and an alert notification is sent. The incident status can be automatically switched and displayed. You can specify notification methods. For more information, see No-data alert. |
    | | Alert clearance | If an alert is cleared, a recovery notification is sent. The incident status can be automatically switched and displayed. You can specify notification methods. For more information, see Recovery notifications. |
    | Alert management | Alert denoising | You can manage global alerts. You can configure silence policies and suppression policies for alerts. You can also group and merge alerts. For more information, see Overview. |
    | | Alert incident management | You can switch the phases of incidents, specify incident handlers, and configure auto dispatch of incident handlers. For more information, see Alert incident management. |
    | Notification management | Dynamic dispatch | You can configure dynamic dispatch based on alerts. Then, alert notifications can be dynamically dispatched to the specified users, user groups, or on-duty groups of a specified notification method. For more information, see Manage methods to send alert notifications. |
    | | Recipient management | You can specify users, user groups, or on-duty groups as recipients. For more information, see Create users and user groups and Create an on-duty group. |
    | | Calendar | Non-business days, business days, and holidays in China and the United States can be automatically identified to dynamically adjust notification methods. For more information, see Reset the calendar. |
    | | Shift plan | You can schedule rotating shifts and substitute shifts based on your business requirements. You can configure a custom calendar for an on-duty group. You can customize holidays. Custom holidays can be automatically identified. For more information, see Rotating shifts and substitute shifts. |
    | | Notification method quota | You can specify the quotas of SMS messages, voice calls, and emails. You can also specify these quotas for specified users or user groups. For more information, see Alert notification quotas. |
    | Alert analysis | Monitoring Rule Center, Alert Link Center, and Troubleshooting Center dashboards | The Monitoring Rule Center dashboard displays the running statuses of alert monitoring rules and the statuses of alerts. The Alert Link Center dashboard displays the entire pipeline of alerts that are triggered based on the related alert monitoring rules. The Troubleshooting Center dashboard displays the statistics of errors that occur in the alert monitoring system, alert management system, and notification management system. You can filter and view alert statuses by region, project, and alert severity. |
    | | Global storage | The global storage of alert data allows you to view related incidents or logs in an efficient manner. |

Parameter changes

The parameters that are required when you configure alerts, notification methods, and alert template variables are changed.

  • Alert monitoring

    After the alerting module is upgraded, the parameters described in the following table are added. Other parameters remain unchanged.

    | Parameter | Default value |
    | --- | --- |
    | Group Evaluation | No Grouping |
    | Set Operations | CROSS JOIN |
    | Trigger Condition | Data is returned |
    | Severity | Medium |
    | No Data Alert | Off |
    | Recovery Notifications | Off |

  • Notification management

    After the alerting module is upgraded, a mobile number or email address is extracted as a user identifier to create a user, and the content of a notification is extracted and used as the content of an alert template. An action policy is generated based on the specified notification method. By default, the sls.builtin.dynamic policy is used.

    Note
    • The same mobile number or email address of a notification method automatically matches the related user that is upgraded. The user is then used to send alert notifications.

    • The same notification content of a notification method automatically matches the related alert template that is upgraded. The alert template is then used to send alert notifications.

    • The same notification method automatically matches the related action policy that is upgraded. The action policy is then used to send alert notifications.

    | Notification method | New version | Old version |
    | --- | --- | --- |
    | SMS message | Username + Mobile number + Alert template | Mobile number + Content |
    | Voice call | Username + Mobile number + Alert template | Mobile number + Content |
    | Email | Username + Email address + Alert template | Email address + Content |
    | DingTalk | Username + Mobile number + Alert template | Request URL + @Mobile number in DingTalk + Content |

  • Alert template variables

    In the new version, the alert template variables are adjusted to be consistent with the variables that are used in alert policies, and multiple variables are added. The following table compares the variables in the old and new versions.

    | Variable in the old version | Variable in the new version | Description |
    | --- | --- | --- |
    | Aliuid | aliuid | The ID of the Alibaba Cloud account to which a project belongs. |
    | Project | project | The project to which an alert rule belongs. |
    | AlertID | alert_instance_id | The ID of an alert. |
    | AlertDisplayName | alert_name | The display name of an alert rule. |
    | Condition | condition | The conditional expression that triggers an alert. The variables in the trigger condition are replaced by the values that trigger the alert. Each value is enclosed in a pair of brackets []. |
    | RawCondition | raw_condition | The original conditional expression that triggers an alert. |
    | Dashboard | dashboard | The name of the dashboard that is associated with an alert rule. |
    | DashboardUrl | dashboard_url | The URL of the dashboard that is associated with an alert rule. |
    | FireTime | fire_time | The time when an alert is triggered. |
    | FullResultUrl | query_url | The URL that is used to query the details of an alert. |
    | Results | results | The parameters and results of a query. The value is of the array type. For information about the fields in the results variable, see the Structure of the results variable section in this topic. Note: The results variable can contain the information of up to 100 alerts. |

    For more information, see Template variables and Variables in original alert templates.

Structure of the results variable

| Field in the old version | Field in the new version | Description |
| --- | --- | --- |
| Query | query | A query statement. |
| LogStore | store | The destination Logstore of a query. |
| StartTime | start_time | The time when a query starts. |
| StartTimeTs | start_time_ts | The time when a query starts. The time is in the UNIX timestamp format. |
| EndTime | end_time | The time when a query ends. |
| EndTimeTs | end_time_ts | The time when a query ends. The time is in the UNIX timestamp format. |
| RawResults | raw_results | The query result that is formatted in an array. Each element in the array is a log entry. The length of the array varies based on the size of log content. An array can contain a maximum of 100 elements. |
| RawResultsAsKv | raw_results_as_kv | The query result that is formatted in key-value pairs. Note: This field can only be used as a template variable. However, no data is stored to a Logstore for this field. |
| RawResultCount | raw_result_count | The number of raw log entries that are returned. |
| FireResult | fire_result | The log entry that records the triggers of an alert. If no alert is triggered, the parameter value is null. |
| FireResultAsKv | fire_result_as_kv | The log entry that records the triggers of an alert. The log entry is formatted in key-value pairs. Note: This field can only be used as a template variable. However, no data is stored to a Logstore for this field. |
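
The renames in the two mapping tables above affect anything that parses alert data downstream, such as a webhook receiver or a detection pipeline. The following is an added example, not code from Simple Log Service or its documentation: it accepts an alert in either naming scheme, rewrites it to the new names at both levels, and reports fields that appear in neither version. It assumes the alert arrives as a JSON object keyed by variable name; `normalize_alert`, `fired_results`, and the sample payload are hypothetical names and constructed data.

```python
ALERT_FIELDS = {  # old -> new names, from the alert template variable table
    "Aliuid": "aliuid", "Project": "project", "AlertID": "alert_instance_id",
    "AlertDisplayName": "alert_name", "Condition": "condition",
    "RawCondition": "raw_condition", "Dashboard": "dashboard",
    "DashboardUrl": "dashboard_url", "FireTime": "fire_time",
    "FullResultUrl": "query_url", "Results": "results",
}
RESULT_FIELDS = {  # old -> new names, from the results structure table
    "Query": "query", "LogStore": "store", "StartTime": "start_time",
    "StartTimeTs": "start_time_ts", "EndTime": "end_time",
    "EndTimeTs": "end_time_ts", "RawResults": "raw_results",
    "RawResultsAsKv": "raw_results_as_kv", "RawResultCount": "raw_result_count",
    "FireResult": "fire_result", "FireResultAsKv": "fire_result_as_kv",
}
MAX_ITEMS = 100  # page: results and raw_results hold at most 100 entries

def _rename(obj, mapping, unknown, path):
    """Rename old keys to new ones; record keys that are in neither version."""
    known_new, out = set(mapping.values()), {}
    for key, value in obj.items():
        new_key = mapping.get(key, key)
        if new_key not in known_new:
            unknown.append(path + key)
        out[new_key] = value
    return out

def normalize_alert(payload):
    """Return (alert, warnings); alert uses new-version names at both levels."""
    unknown, warnings = [], []
    alert = _rename(payload, ALERT_FIELDS, unknown, "")
    results = [_rename(item, RESULT_FIELDS, unknown, f"results[{i}].")
               for i, item in enumerate(alert.get("results") or [])]
    if len(results) > MAX_ITEMS:
        warnings.append(f"results has {len(results)} entries (limit {MAX_ITEMS})")
    for i, res in enumerate(results):
        if len(res.get("raw_results") or []) > MAX_ITEMS:
            warnings.append(f"results[{i}].raw_results exceeds {MAX_ITEMS}")
    alert["results"] = results
    return alert, warnings + [f"unmapped field: {name}" for name in unknown]

def fired_results(alert):
    """Queries that triggered: fire_result is null when a query did not fire."""
    return [r for r in alert["results"] if r.get("fire_result") is not None]

OLD_SAMPLE = {  # constructed old-version payload (assumed shape); "Owner" is unknown
    "Project": "demo-project", "AlertDisplayName": "failed-logins", "Owner": "secops",
    "Results": [
        {"Query": "status:401", "LogStore": "auth-log", "FireResult": {"cnt": "12"}},
        {"Query": "status:403", "LogStore": "auth-log", "FireResult": None},
    ],
}
```

Normalizing is idempotent, so the same function can sit in front of a consumer while old and new alert rules coexist during the upgrade.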