All Products
Search

This Product

    Simple Log Service:New alert template parameters

    Document Center

    Simple Log Service:New alert template parameters

    Last Updated:Mar 25, 2026

    This topic describes the variables in the new version of alert templates and how to reference them.

    Reference syntax

    Important

    • When you reference a variable, its name must match exactly.

      • If a variable does not exist or is referenced incorrectly, SLS replaces it with an empty string by default.

      • If a referenced value is an object, SLS converts it to a JSON string.

    • Variable names must consist of letters, digits, and underscores (_), and must not begin with a digit.

      • If a variable name conforms to these conventions, you can retrieve its value using dot notation, such as {{alert.xxx}}.

      • If a variable name does not conform to these conventions, for example, it contains special characters like __tag__:__namespace__, you must use bracket notation to retrieve its value: {{alert.annotations["__tag__:__namespace__"] }}.

    When you configure an action policy, you must select an alert template. The alert template defines the content and subject of the alert notification. In the Content and Subject/Subject fields, you can reference variables using the {{ alert.xxx }} syntax. When SLS sends an alert notification, it replaces the variables in the Content and Subject/Subject with their actual values. For example, {{ alert.project }} is replaced with the name of the Project that contains the alert rule.

    image

    In addition to directly referencing variables, you can also use control flow structures and built-in functions to manipulate and process them. For more information about template syntax and built-in functions, see Content Template Syntax (New) and Built-in Template Functions.

    Alert attributes

    Parameter

    Description

    Type

    Value

    Usage

    aliuid

    The Alibaba Cloud account ID associated with the project.

    string

    117918634953****

    An alert rule for account {{ alert.aliuid }} is triggered.

    alert_instance_id

    The unique ID for this alert instance.

    string

    ee16a8f435485f3f-5be6b81edc520-3d6****

    The instance ID is {{ alert.alert_instance_id }}.

    alert_id

    The alert rule ID, which is unique within a project.

    string

    alert-12345

    The alert rule ID is {{ alert.alert_id }}.

    alert_name

    The name of the alert rule.

    string

    Test alert rule

    The alert rule {{ alert.alert_name }} is triggered.

    alert_type

    The type of the alert.

    • sls_alert: An alert triggered by an alert monitoring rule.

    • sls_pub: An external alert.

    • sls_ml: An alert triggered by intelligent inspection.

    string

    sls_alert

    The alert type is {{ alert.alert_type }}, formatted as {{ alert.alert_type | format_type }}.

    region

    The region where the alert was triggered.

    string

    cn-hangzhou

    The alert was triggered in the {{ alert.region }} region.

    project

    The project to which the alert rule belongs.

    string

    my-project

    An alert rule in the {{ alert.project }} project was triggered.

    next_eval_interval

    The interval before the next evaluation, in seconds.

    int

    300

    The next evaluation will occur in {{ alert.next_eval_interval }} seconds.

    alert_time

    The current evaluation time.

    int

    1616744734

    The current alert evaluation time is {{ alert.alert_time }}, formatted as {{ alert.alert_time | format_date }}.

    fire_time

    The time when the alert was first triggered.

    int

    1616059834

    The alert was first triggered at {{ alert.fire_time }}, formatted as {{ alert.fire_time | format_date }}.

    status

    The alert status.

    • firing: The alert is triggered.

    • resolved: The alert is resolved.

    string

    firing

    The alert status is {{ alert.status }}, formatted as {{ alert.status | format_status }}.

    resolve_time

    The alert resolution time.

    • If the alert status is firing, the value is 0.

    • If the alert status is resolved, the value is the actual resolution time.

    int

    0

    The alert was resolved at {{ alert.resolve_time }}, formatted as {{ alert.resolve_time | format_date }}.

    severity

    The alert severity.

    • 10: Critical

    • 8: High

    • 6: Medium

    • 4: Low

    • 2: Report

    int

    10

    The alert severity is {{ alert.severity }}, formatted as {{ alert.severity | format_severity }}.

    labels

    A map of key-value pairs that define the alert's labels.

    map

    {"env":"test"}

    The alert labels are {{ alert.labels | to_list }}.

    annotations

    A map of key-value pairs that provide additional information about the alert.

    map

    { "title": "Alert title","desc": "Alert description" }

    The alert annotations are {{ alert.annotations | to_list }}.

    results

    An array that contains the query and result data from the alert evaluation. For details on the data structure, see QueryData structure.

    array

    See the appendix at the end of this topic.

    The start time of the first query is {{ alert.results[0].start_time }}, the end time is {{ alert.results[0].end_time }}, the value of cnt is {{ alert.results[0].fire_result.cnt }}, and the query statement is {{ alert.results[0].query }}.

    fire_results

    The data that triggered the alert, which is the result of a set operation. A maximum of 100 data entries are returned.

    If the value of the fire_results variable exceeds 2 KB and the content of a query result field exceeds 1 KB, the excess data is truncated. For more information, see How do I handle incomplete log display in alert notifications?

    array

    See the appendix at the end of this topic.

    The data that triggered the alert is {{ alert.fire_results | to_json }}.

    fire_results_count

    The total number of data entries that triggered the alert. This value can be greater than 100. For example, the total number of entries after a Cartesian product operation.

    int

    3

    The total number of data entries that triggered the alert is {{ alert.fire_results_count }}.

    condition

    The evaluated trigger condition, where variables are replaced by the values that triggered the alert and enclosed in square brackets ([]). The format is Count:expression;Condition:expression.

    string

    Count:[5] > 3;Condition:[example.com]=='example.com'

    The trigger condition is {{ alert.condition }}.

    raw_condition

    The original trigger condition, where variables are not replaced with their actual values. The format is Count:expression;Condition:expression.

    string

    Count:__count__ > 3;Condition:host=='example.com'

    The original trigger condition is {{ alert.raw_condition }}.

    policy

    An object that contains the details of the triggered alert policy or action policy. For details on the data structure, see Policy structure.

    map

    See the appendix at the end of this topic.

    The alert policy ID is {{ alert.policy.alert_policy_id }}.

    dashboard

    The name of the dashboard associated with the alert.

    string

    mydashboard

    The associated dashboard is {{ alert.dashboard }}.

    alert_url

    A direct URL to the alert's details page in the console.

    string

    https://sls.console.alibabacloud.com/lognext/project/test-xxxx/alert/alert-1617164106-940166

    The alert URL is {{ alert.alert_url }}.

    query_url

    A URL to the search and analytics page, pre-filled with the first query from the alert evaluation.

    string

    https://sls.console.alibabacloud.com/lognext/project/test-xxx/logsearch/test-alert-access?encode=base64&endTime=1617175989&queryString=KiB8IHNlbGVjdCBjb3VudCgxKSBhcyBjbn****&queryTimeType=99&startTime=1617175089

    The URL for the first query is {{ alert.query_url }}.

    alert_history_dashboard_url

    The URL of the Alert History Statistics dashboard.

    string

    https://sls.console.alibabacloud.com/lognext/project/test-xx/dashboard/internal-alert-analysis

    The URL of the Alert History Statistics dashboard is {{ alert.alert_history_dashboard_url }}.

    dashboard_url

    The URL of the dashboard associated with the alert.

    string

    https://sls.console.alibabacloud.com/next/project/myproject/dashboard/mydashboard

    The URL of the associated dashboard is {{ alert.dashboard_url }}.

    fingerprint

    The alert fingerprint. For more information, see Deduplicate alerts based on fingerprints.

    string

    478325709134bc5c

    The alert fingerprint is {{ alert.fingerprint }}.

    signin_url

    A URL for viewing alert details without logging in to the console. For more information, see View alert details in logon-free mode.

    string

    https://sls.console.alibabacloud.com/console/AlertAjax/slsSignIn.json?token=xxxx

    [View Details]({{ alert.signin_url }})

    Policy structure

    The following table lists the variables that you can reference in a policy.

    Parameter

    Description

    Type

    Example

    alert_policy_id

    The ID of the alert policy.

    string

    sls.test-alert

    action_policy_id

    The ID of the action policy specified in the alert rule. This variable is available only when the alert policy uses a Dynamic Action Policy.

    string

    sls.test-action

    repeat_interval

    The repeat interval. This variable is available only when the alert policy uses a Dynamic Action Policy.

    string

    4h

    QueryData structure

    The following table describes the fields in the results variable.

    Parameter

    Description

    Type

    Value

    store_type

    The storage type. Valid values:

    • log: Log data.

    • metric: metric data.

    • meta: resource data.

    string

    log

    region

    The region of the target store.

    This field is empty when store_type is meta.

    string

    cn-hangzhou

    Project

    The Project of the target store.

    This field is empty when store_type is meta.

    string

    sls-test-alert

    store

    The name of the target store.

    string

    test-LogStore

    query

    The query statement.

    string

    error | select count(1) as cnt

    start_time

    The start of the query time range, as a Unix timestamp in seconds.

    This field is empty when store_type is meta.

    int

    1616741485

    end_time

    The end of the query time range, as a Unix timestamp in seconds.

    This field is empty when store_type is meta.

    int

    1616745085

    raw_results

    An array of up to 100 query result records.

    If the size of the raw_results value exceeds 2 KB, or if the content of a single field exceeds 1 KB, data is truncated.

    array

    		 
    [{
    "host": "example.com",
    "slbid": "slb-02",
    "status": "200"
}, {
    "host": "example.com",
    "slbid": "slb-01",
    "status": "200"
}]

    raw_results_count

    The total number of records returned by the query, which can be greater than 100.

    int

    20

    fire_result

    The first record in the result set that triggered the alert.

    map

    		 
    {
    "host": "example.com",
    "slbid": "slb-02",
    "status": "200"
}

    query_url

    The console URL to view the query results.

    This field is empty when store_type is meta.

    string

    https://sls.console.alibabacloud.com/lognext/project/test-xxx/logsearch/test-alert-access?encode=base64&endTime=1617175989&queryString=KiB8IHNlbGVjdCBjb3VudCgxKSBhcy*******&queryTimeType=99&startTime=1617175089

    dashboard_url

    The URL of the dashboard that is associated with the query.

    string

    https://sls.console.alibabacloud.com/next/project/myproject/dashboard/mydashboard

    role_arn

    The Alibaba Cloud Resource Name (ARN) of the service role.

    string

    acs:ram::117918634953****:role/aliyunslsalertmonitorrole

    FAQ

    Appendix

    • results structure

      [{
    "store_type": "Logstore",
    "region": "China (Hangzhou)",
    "project": "sls-alert-test",
    "store": "test",
    "query": "* | select count(1) as cnt",
    "start_time": 1616741485,
    "end_time": 1616745085,
    "dashboard_id": "mydashboard",
    "raw_results": [{
        "cnt": "4"
    }],
    "raw_result_count": 1,
    "fire_result": {
        "cnt": "4"
    },
    "truncated": false,
    "role_arn": ""
}]

    • fire_results structure

      [{
    "host": "example.com",
    "host__1": "example.com",
    "pv": "836",
    "slbid": "slb-02",
    "status": "200"
}, {
    "host": "example.com",
    "host__1": "example.com",
    "pv": "836",
    "slbid": "slb-02",
    "status": "200"
}]

    • policy structure

      {
    "alert_policy_id": "sls.test-alert",
    "action_policy_id": "sls.test-action",
    "repeat_interval": "5m0s"
}

    Example

    This example shows how to define notification content using a content template:

    • Alert content:

      {
    "alert_id": "test-alert",
    "alert_name": "PV/UV Alert",
    "project": "project-1",
    "status": "firing",
    "severity": 6,
    "labels": {
        "app": "nginx",
        "host": "host-1"
    },
    "results": [
        {
            "project": "project-1",
            "logstore": "logstore-1",
            "query": "* | select count(*) as pv"
        },
        {
            "project": "project-2",
            "logstore": "logstore-2",
            "query": "* | select count(distinct user_id) as uv"
        }
    ]
}

    • Alert template configuration:

      - Alert ID: {{ alert.alert_id }}
- Alert Name: {{ alert.alert_name }}
- Project: {{ alert.project }}
- Status: {% if alert.status == "firing" %}FIRING{% else %}RESOLVED{% endif %}
- Labels:
{%- for key, val in alert.labels.items() %}
    - {{ key }}: {{ val }}
{%- endfor %}
- Query: {{ alert.results[0].query }}

    • Output result:

      - Alert ID: test-alert
- Alert Name: PV/UV Alert
- Project: project-1
- Status: FIRING
- Labels:
    - app: nginx
    - host: host-1
- Query: * | select count(*) as pv