All Products
Search

This Product

    Simple Log Service:Evaluate inspection results in alert notifications

    Document Center

    Simple Log Service:Evaluate inspection results in alert notifications

    Last Updated:Sep 03, 2024

    You can improve algorithms to receive expected alert notifications based on the alerts of an intelligent inspection job. In this example, the DingTalk notification method is used to receive alert notifications.

    Prerequisites

    Background information

    After you create an intelligent inspection job, Log Service automatically generates a Logstore named internal-ml-log in the specified project to store the inspection results that are returned by all intelligent inspection jobs in the project. If you configure alerts for the intelligent inspection job, the alerting system automatically identifies the Logstore and generates the following resources that are required for alerts:

    • Alert policy: sls.builtin.dynamic

    • Action policy: sls.app.ml.builtin

    • Alert template: sls.app.ml.anomaly.en

    You can use the preceding built-in alert resources or use custom alert resources. For more information, see Introduction to the alerting feature.

    Procedure

    1. In the Log Service console, configure DingTalk as a notification method.

      Note

      If you set the notification method to DingTalk when you created the intelligent inspection job, skip this step.

      1. Log on to the Simple Log Service console.

      2. In the Log Application section, click Intelligent Anomaly Analysis.

      3. In the instance list, click the ID of the instance that you want to manage.

      4. On the Intelligent Inspection page, find the intelligent inspection job and click the Modify icon in the Actions column.

      5. In the Modify Intelligent Inspection Job wizard, click Next to go to the Alert Configuration step.

      6. In the Alert Configuration step, select Simple Mode in the Alert Policy section, configure the Request URL parameter, and then click Complete.

        Set the Request URL parameter to the webhook URL of the DingTalk chatbot that you created.

        Note

        The intelligent inspection feature provides a built-in alert template whose name is SLS Anomaly Detection Content Template and ID is sls.app.ml.anomaly.en. The alert template can be used to display metric data in charts and allows you to evaluate the inspection results in alert notifications. DingTalk is suitable for frontend interfaces. We recommend that you set the notification method to DingTalk. For information about how to use other notification methods to receive alert notifications, see Use other notification methods.

        The following table describes the parameters.

        Parameter

        Description

        Alert Policy

        Alert policies are used to merge, silence, and suppress alerts.

        • If you select Simple Mode or Standard Mode, you do not need to configure an alert policy. By default, Log Service uses the sls.builtin.dynamic alert policy to manage alerts.

        • If you select Advanced Mode, you can select an action policy and an alert policy based on your business requirements. For information about how to create an alert policy, see Create an alert policy.

        Action Policy

        Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent.

        • If you set the Alert Policy parameter to Simple Mode, you need only to configure an action group.

          After you configure an action group, Log Service automatically creates an action policy named Rule name-Action policy. Alert notifications are sent based on the action policy for all alerts that are triggered based on the related alert monitoring rule. For information about how to configure alert notification methods, see Notification methods.

          Important

          You can modify an action policy on the Action Policy tab. For more information, see Create an action policy. If you add conditions when you modify an action policy, the value of the Alert Policy parameter is automatically changed to Standard Mode.

        • If you set the Alert Policy parameter to Standard Mode or Advanced Mode, you can select a built-in action policy or custom action policy to send alert notifications. For information about how to create an action policy, see Create an action policy.

          If you set the Alert Policy parameter to Advanced Mode, you can turn on or turn off Custom Action Policy. For more information, see Dynamic action policy mechanism.

      After you complete the configuration, you can receive alert notifications in the DingTalk group for which you created the DingTalk chatbot.

    2. In the specified DingTalk group, evaluate the inspection results in an alert notification.

      1. In the alert notification, click View Details.

        Alert notification

        Parameter

        Description

        DataSource

        The data source of the intelligent inspection job.

        AnomalyObject

        The entity in which an anomaly occurs.

        AnomalyScore

        The score of the anomaly in the specified metric.

        AnomalyImage

        The trend of the specified metric in an observation period before an anomaly occurs.

        Data Details

        Click the URL to view the data source.

        Job details

        Click the URL to view the details of the intelligent inspection job.

        View Details

        Log Service allows you to view alert details without the need to log on to the Log Service console. For more information, see View alert details in logon-free mode.

      2. In the Alert Details dialog box, check whether the alert meets your business requirements and evaluate the inspection results in the alert notification.

        • If the alert meets your business requirements, click Confirm.

        • If the alert does not meet your business requirements, click Ignore.

      After you evaluate the inspection result in an alert notification, the evaluation result is sent to the intelligent inspection job. The intelligent inspection job improves the inspection algorithm based on the evaluation result to ensure that you can receive expected alert notifications.

    Use other notification methods

    If you want to evaluate the inspection results in alert notifications that are sent by using other notification methods, such as WebHook-Custom, you can select other notification methods when you configure alerts. For more information, see Notification methods. Before you select another notification method, you must configure an alert template for the notification method. To configure an alert template, perform the following steps:

    1. Parse the alert template that is configured for the DingTalk notification method.

      The alert template for DingTalk contains the following content:

      ## DataSource
+ Project: ${results[0].project}
+ LogStore: ${results[0].store}

## AnomalyObject
+ Entity: ${labels}

## AnomalyScore
+ Score: ${annotations.anomaly_score}

## AnomalyImage
![image](${annotations.__plot_image__})

[[Data Details](${query_url})]
[[Job details](${alert_url})]

[[Confirm](${annotations.__ensure_url__})]
[False Positive[](${annotations.__mismatch_url__})]

      For information about the variables in the alert template, see Variables in new alert templates.

    2. Configure an alert template for another notification method based on the alert template for DingTalk.

      In the alert template list, find the alert template named SLS Anomaly Detection Content Template and configure the alert template. For more information, see Step 2.

      When you configure an alert template, you can use the default notification content or customize notification content. For more information, see Default alert templates and Custom notification content.