In an alert rule, the execution result of an evaluate expression is used to check whether the condition to trigger an alert is met and evaluate the dynamic severity of the alert. This topic describes how to use evaluate expressions.
Overview
In an alert rule, you can specify the results of query statements as the input and the fields in the results of set operations as variables. If the evaluate expression returns true, an alert is triggered.
Limits
The evaluate expressions that you can specify in an alert rule have the following limits:
Negative numbers must be enclosed in parentheses (). Example: x+(-100)<100
Numeric values are converted to 64-bit floating-point numbers. If the numbers are used in comparison, errors may occur, for example, when you compare two numbers to check whether the numbers are equal.
Variable names can contain only letters and digits, and must start with a letter.
An evaluate expression must be 1 to 128 characters in length.
An alert is triggered only when an evaluate expression returns true and the number of consecutive times that the trigger condition is met reaches the value of the Threshold of Continuous Triggers parameter. For example, if an evaluate expression is 100+100, the calculation result is 200, which is not the value true. In this case, no alert is triggered.
true, false, dollar sign ($), and period (.) are reserved words for evaluate expressions. You cannot use the reserved words as variables.
Syntax
The following table describes the types of syntax that are supported by the evaluate expression of an alert rule.
Field names are the names of the fields that are returned in a result set. We recommend that you use strings as field names. We recommend that you do not use a field name that contains only digits or a field name that contains special characters. Special characters include the percent sign (%). If a field name contains special characters or only digits, the field name must be enclosed in brackets []. Examples:
[5xx percentage (%)] > 20
[404] > 20
Syntax type | Operator | Operation method: operation between variables | Operation method: operation between a non-string constant and a variable | Operation method: operation between a string constant and a variable | Example |
Arithmetic operators | addition (+), subtraction (-), multiplication (*), division (/), and modulus (%) | Before an arithmetic operator is applied, the left and right operands are converted to 64-bit floating-point numbers. | Before an arithmetic operator is applied, the left and right operands are converted to 64-bit floating-point numbers. | Not supported. | |
Comparison operators | Comparison operators: greater-than (>), greater-than-or-equal-to (>=), less-than (<), less-than-or-equal-to (<=), equal-to (==), and not-equal-to (!=) | Simple Log Service uses the following comparison rules that are sorted in the precedence order: | The left and right operands are converted to 64-bit floating-point numbers and then compared. | The left and right operands are converted to strings and then compared based on the alphabetical order. | |
Comparison operators | Regular expression operators: regex match (=~) and regex not match (!~) | Before a regular expression operator is applied, the left and right operands are converted to strings. | Not supported. | Before a regular expression operator is applied, the left and right operands are converted to strings. | Regex match: |
Logical operators | Logical operators: AND (&&) and OR (||) | The left and right operands must be sub-expressions, and the result of the operation must be a Boolean value. For example, the evaluate expression is | The left and right operands must be sub-expressions, and the result of the operation must be a Boolean value. For example, the evaluate expression is | The left and right operands must be sub-expressions, and the result of the operation must be a Boolean value. For example, the evaluate expression is | |
Not operator | Not operator (!) | The required operand must be a sub-expression, and the result of the operation must be a Boolean value. For example, the evaluate expression is You cannot directly use this operator for the fields in the results of set operations. | The required operand must be a sub-expression, and the result of the operation must be a Boolean value. For example, the evaluate expression is You cannot directly use this operator for the fields in the results of set operations. | The required operand must be a sub-expression, and the result of the operation must be a Boolean value. For example, the evaluate expression is You cannot directly use this operator for the fields in the results of set operations. | |
contains function | contains function | Before the contains function is run, the left and right operands are converted to strings. | Not supported. | Before the contains function is run, the left and right operands are converted to strings. | |
Parentheses | Parentheses () | Parentheses () are used to override the standard precedence order in calculation. | Parentheses () are used to override the standard precedence order in calculation. | Parentheses () are used to override the standard precedence order in calculation. | |
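The operation-method columns decide whether a threshold is compared as a number or as text. The following Python sketch is an added example, not Simple Log Service code: it models the two comparison rules from the table and lists the values for which quoting a threshold changes the outcome. It assumes field values arrive as strings and uses Python string ordering as a stand-in for alphabetical order; the sample values and function names are constructed.

```python
import operator

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq, "!=": operator.ne}


def compare(field_value, op, constant):
    """Compare one field value with a constant using the table's rules."""
    if isinstance(constant, str):
        # String constant: both operands become strings and are ordered
        # alphabetically. Assumption: Python's str ordering models that order.
        left, right = str(field_value), constant
    else:
        # Non-string constant: both operands become 64-bit floats.
        left, right = float(field_value), float(constant)
    return OPS[op](left, right)


def audit_threshold(values, op, number):
    """Return (value, numeric_result, quoted_result) where the two differ."""
    flipped = []
    for value in values:
        numeric = compare(value, op, number)       # e.g. success_ratio < 90
        quoted = compare(value, op, str(number))   # e.g. success_ratio < '90'
        if numeric != quoted:
            flipped.append((value, numeric, quoted))
    return flipped


# Constructed field values, using the thresholds from Example 1 (90 and 60).
SUCCESS_RATIO = ["100.0", "95.5", "89.9", "9.5"]
RESPONSE_TIME = ["61.2", "100.5", "7.0", "59.9"]

if __name__ == "__main__":
    for value, numeric, quoted in audit_threshold(SUCCESS_RATIO, "<", 90):
        print(f"success_ratio={value}: < 90 is {numeric}, < '90' is {quoted}")
    for value, numeric, quoted in audit_threshold(RESPONSE_TIME, ">", 60):
        print(f"response time={value}: > 60 is {numeric}, > '60' is {quoted}")
```

A quoted threshold makes a 100.0 success ratio look lower than 90 and a 100.5-second response time look shorter than 60, so numeric thresholds belong in the expression as unquoted constants.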
Evaluate the results of set operations
Simple Log Service supports associated monitoring for up to three data sets and evaluates the results of set operations.
Results of set operations
In an alert rule, you can specify the results of query statements as the input and the fields in the results of set operations as variables to evaluate whether an alert can be triggered. For more information about set operations, see Associate the results of multiple query and analysis operations. The following table describes the results of set operations.
The results of set operations that are performed on query and analysis results are evaluated. Set operations include the CROSS JOIN and LEFT JOIN operations.
If query and analysis results do not contain duplicate fields, you can reference fields in an evaluate expression without the need to add prefixes to the fields. The prefixes include $0, $1, and $2. Example: name == 'sls'
If query and analysis results contain duplicate fields, you can reference fields in an evaluate expression by adding prefixes to the fields. The prefixes include $0, $1, and $2. Example: $0.name == 'sls' || $1.name == 'ecs'
Category | Subcategory | Description |
Log | A query statement that does not contain SELECT | Only a search statement is used to query logs. When you specify an evaluate expression for a trigger condition, you can reference the fields that are contained in the query results. |
Log | A query statement that contains SELECT * FROM log | When you specify an evaluate expression for a trigger condition, you can reference the fields for which Enable Analytics is turned on. |
Log | A query statement that contains SELECT * FROM (SELECT...) | When you specify an evaluate expression for a trigger condition, you can reference the fields that are contained in the specified SELECT subquery. |
Metric | A query statement that contains SELECT promql(...) | The promql_query(string) and promql_query_range(string, string) functions can always return the following fields: metric, labels, time, and value. Simple Log Service expands the labels field in the map format. When you specify an evaluate expression for a trigger condition, you can reference the following fields: metric, labels, time, and value. You can also reference the subfields of the labels field. |
Metric | A query statement that contains SELECT a, b FROM (SELECT promql(...)) | When you specify an evaluate expression for a trigger condition, you can reference the fields for which Enable Analytics is turned on. |
Metric | A query statement that contains SELECT * FROM log | When you specify an evaluate expression for a trigger condition, you can reference the fields for which Enable Analytics is turned on. |
Resource data | None | The value of a field in resource data can be of the string, floating-point number, or numeric type. The JSON type is not supported. When you specify an evaluate expression for a trigger condition, you can reference the ID of a field in resource data. |
Configure a trigger condition
In a trigger condition, the evaluate expression is used to evaluate the results of set operations. If the evaluate expression returns true, an alert is triggered. The trigger conditions support the following options:
Data is returned: If the results of set operations contain data, an alert is triggered.
the query result contains: If the results of set operations contain a specific number of data entries, an alert is triggered. Supported comparison operators include greater-than (>), less-than (<), and equal-to (==). For example, if you specify the query result contains>10 as the trigger condition and the results of set operations contain four data entries, no alert is triggered because the number of data entries in the results does not meet the specified trigger condition.
data matches the expression: If the results of set operations contain data that matches a specified evaluate expression, an alert is triggered. For example, if you specify data matches the expression, pv>1000 as the trigger condition and the results of set operations contain only one data entry whose page view (PV) is 900, no alert is triggered because the data in the results does not meet the specified trigger condition.
the query result contains and matches: If the results of set operations contain a specific number of data entries that match a specified evaluate expression, an alert is triggered. For example, if you specify the query result contains and matches>3, pv>1000 as the trigger condition and the results of set operations contain four data entries whose PV is 900, 1100, 1200, and 1001, an alert is triggered because the data in the results meets the specified trigger condition.
Examples
Example 1
If the request success rate is less than 90% and the average response time of requests is longer than 60 seconds within a 15-minute period, an alert is triggered. Configuration details:
Query Statistics:
s0: Calculate the request success rate, which is indicated by success_ratio. Query statement:
* | select round(sum(if(status < 300, 1, 0)) * 100.0 / count(1) , 2) as success_ratio
s1: Calculate the average response time of requests per minute. Query statement:
* | select date_format(date_trunc('minute',__time__), '%m-%d %H:%i') as t,avg(request_time) as "Average response time(s)" group by t order by t asc limit 2000
Trigger Condition: Specify $0.success_ratio < 90 && $1.Average response time\(s\) > 60 as the evaluate expression.
Example 2
If the number of times that the HTTP status code 500 is returned exceeds 10 within a 15-minute period, an alert is triggered. Configuration details:
Query Statistics: Calculate the number of times that each status code is returned. Query statement:
* | select status, COUNT(*) as total group by status
Trigger Condition: Specify status == 500 && total > 10 as the evaluate expression.
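The Threshold of Continuous Triggers limit and the data matches the expression option combine as follows for Example 2. This Python model is an added example, not part of the service: it assumes that a round which does not meet the condition resets the consecutive count, and the result sets and function names are constructed.

```python
def row_matches(row):
    """Example 2's expression: status == 500 && total > 10.

    Both comparisons use non-string constants, so the operands are
    converted to 64-bit floats first, as the syntax table describes.
    """
    return float(row["status"]) == 500.0 and float(row["total"]) > 10.0


def condition_met(rows):
    """'data matches the expression': met if any row in the set matches."""
    return any(row_matches(row) for row in rows)


def first_alert_round(rounds, threshold):
    """Return the 1-based evaluation round in which the alert fires, or None.

    Assumption: a round that does not meet the condition resets the streak.
    """
    streak = 0
    for number, rows in enumerate(rounds, start=1):
        streak = streak + 1 if condition_met(rows) else 0
        if streak >= threshold:
            return number
    return None


def result_set(total_500):
    """Constructed output of Example 2's query for one evaluation round."""
    return [{"status": "200", "total": "4200"},
            {"status": "500", "total": str(total_500)}]


# Constructed counts of HTTP 500 responses over five consecutive rounds.
SUSTAINED = [result_set(n) for n in (3, 12, 15, 40, 38)]
FLAPPING = [result_set(n) for n in (12, 3, 15, 9, 40)]

if __name__ == "__main__":
    for name, rounds in (("sustained", SUSTAINED), ("flapping", FLAPPING)):
        for threshold in (1, 3):
            fired = first_alert_round(rounds, threshold)
            print(f"{name}, threshold {threshold}: alert in round {fired}")
```

With a threshold of 3, the intermittent series never produces an alert even though three of its five rounds exceed the limit, which is worth weighing when the threshold is tuned to reduce noise.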