This topic outlines the variables available in the new version of alert templates and explains how to reference them.
Reference methods
Variables should be referenced using their full names. If a variable is invalid or not found, Simple Log Service (SLS) will replace it with an empty string. If a variable's value is an object, it is converted to a JSON string. Ensure that variable names follow these rules: Must use letters, digits, and underscores, and cannot start with a digit.
If a variable name conforms to the rules, reference the variable in the
{{alert.xxx}}format.If a variable name does not conform to the rules, reference the variable name in a different format. For example, if you want to reference the
__tag__:__namespace__variable, use{{alert.annotations["__tag__:__namespace__"] }}.
When you configure an action policy, you must select an alert template. The alert template specifies the content and subject of alert notifications. When you configure the Content and Subject parameters for an alert template, reference variables in the {{ alert.xxx }} format. Before SLS sends an alert notification, SLS replaces the variables that are referenced in the Content and Subject parameters with the actual values. For example, SLS replaces {{ alert.project }} with the name of the project to which the configured alert rule belongs.
You can also use control flows and built-in functions to manipulate and process variables. For more information about the syntax and built-in functions that are supported by the new version of alert templates, see Syntax for new alert templates and Built-in functions in alert templates.
Alert attributes
Variable | Description | Type | Value example | Reference example |
aliuid | The ID of the Alibaba Cloud account to which the project belongs. | string | 117918634953**** |
|
alert_instance_id | The execution ID of the alert that is triggered. | string | ee16a8f435485f3f-5be6b81edc520-3d6**** | The execution ID of the alert that is triggered is |
alert_id | The ID of the alert rule. Each alert rule must have a unique ID in the project to which the alert rule belongs. | string | alert-12345 | The ID of the alert rule is |
alert_name | The name of the alert rule. | string | Test alert rule | The name of the alert rule based on which the alert is triggered is |
alert_type | The type of the alert.
| string | sls_alert | The type of the alert is |
region | The region. | string | cn-hangzhou | The alert is triggered in the |
project | The project to which the alert rule belongs. | string | my-project | The alert rule based on which the alert is triggered belongs to the |
next_eval_interval | The length of time before the next evaluation activity starts. Unit: seconds. | int | 300 | The next evaluation activity starts after |
alert_time | The time at which the current evaluation activity starts. | int | 1616744734 | The current evaluation activity starts at |
fire_time | The time at which the alert is triggered for the first time. | int | 1616059834 | The alert is triggered at |
status | The status of the alert.
| string | firing | The status of the alert is |
resolve_time | The time at which the alert is cleared.
| int | 0 | The alert is cleared at |
severity | The severity level of the alert.
| int | 10 | The severity level of the alert is |
labels | The labels of the alert. | map | {"env":"test"} | The labels of the alert are |
annotations | The annotations of the alert. | map | { "title": "Alert title","desc": "Alert description" } | The annotations of the alert are |
results | The parameters and intermediate results that are returned. The value of this variable is an array. For more information about the value of this variable, see QueryData structure. | array | See the "Appendix" section at the end of this topic. | The first query starts at |
fire_results | The data records for which the alert is triggered. Up to 100 data records can be returned in response to a set operation on data. If the value of fire_results exceeds 2 KB in size and the value of a single query result field exceeds 1 KB in size, the value of fire_results is truncated, and the excess part is discarded. For more information, see An alert is triggered for a large number of raw logs, and the query and analysis results fail to be completely displayed in alert notifications. What do I do? | array | See the "Appendix" section at the end of this topic. | The alert is triggered for the following data records: |
fire_results_count | The total number of data records for which the alert is triggered. The value of this variable may be greater than 100. For example, if you perform a CROSS JOIN operation on data, SLS may trigger an alert for more than 100 data records. | int | 3 | The alert is triggered for a total of |
condition | The trigger condition based on which the alert is triggered. The condition is an expression. SLS replaces the variables in the trigger condition with the values that trigger the alert. Each value is enclosed in a pair of brackets []. The value of this variable is in the | string |
| The trigger condition based on which the alert is triggered is |
raw_condition | The original trigger condition. The variables in the trigger condition are not replaced. The value of this variable is in the | string |
| The original trigger condition is |
policy | The ID of the alert policy or action policy. For more information about the value of this variable, see Policy structure. | map | See the "Appendix" section at the end of this topic. | The ID of the alert policy is |
dashboard | The name of the dashboard that is associated with the alert. | string | mydashboard | The name of the dashboard that is associated with the alert is |
alert_url | The URL of the details page of the alert. | string | https://sls.console.alibabacloud.com/lognext/project/test-xxxx/alert/alert-1617164106-940166 | The URL of the details page of the alert is |
query_url | The URL of the source web page that is accessed for the first query. | string | https://sls.console.alibabacloud.com/lognext/project/test-xxx/logsearch/test-alert-access?encode=base64&endTime=1617175989&queryString=KiB8IHNlbGVjdCBjb3VudCgxKSBhcyBjbn****&queryTimeType=99&startTime=1617175089 | The URL of the source web page that is accessed for the first query is |
alert_history_dashboard_url | The URL of the Alert History Statistics dashboard. | string | https://sls.console.alibabacloud.com/lognext/project/test-xx/dashboard/internal-alert-analysis | The URL of the Alert History Statistics dashboard is |
dashboard_url | The URL of the dashboard that is associated with the alert. | string | https://sls.console.alibabacloud.com/next/project/myproject/dashboard/mydashboard | The URL of the dashboard that is associated with the alert is |
fingerprint | The fingerprint of the alert. For more information, see Deduplicate alerts based on fingerprints. | string | 478325709134bc5c | The fingerprint of the alert is |
signin_url | The URL of the page on which you can view the details of the alert without the need to log on to the SLS console. For more information, see View alert details in logon-free mode. | string | https://sls.console.alibabacloud.com/console/AlertAjax/slsSignIn.json?token=xxxx |
|
Policy structure
The following table describes the variables that can be referenced in the policy variable.
Variable | Description | Type | Value example |
alert_policy_id | The ID of the alert policy | string | sls.test-alert |
action_policy_id | The ID of the action policy that you configure in the alert rule. This variable is available only when you select Dynamic Action Policy for the alert policy. | string | sls.test-action |
repeat_interval | The period during which the action policy is executed only once and SLS sends only one alert notification if duplicate alerts are triggered. This variable is available only when you select Dynamic Action Policy for the alert policy. | string | 4h |
QueryData structure
The following table describes the variables that can be referenced in the results variable.
Variable | Description | Type | Value example |
store_type | The storage type.
| string | log |
region | The region where the destination logstore or Metricstore resides. If the value of the store_type variable is meta, this variable is empty. | string | cn-hangzhou |
project | The project to which the destination logstore or Metricstore belongs. If the value of the store_type variable is meta, this variable is empty. | string | sls-test-alert |
store | The name of the destination logstore or Metricstore. | string | test-logstore |
query | The query statement. | string | error | select count(1) as cnt |
start_time | The beginning of the time range to query. If the value of the store_type variable is meta, this variable is empty. | int | 1616741485 |
end_time | The end of the time range to query. If the value of the store_type variable is meta, this variable is empty. | int | 1616745085 |
raw_results | The data records that are queried. The value of this variable is an array. Up to 100 data records can be returned. If the value of raw_results exceeds 2 KB in size and the value of a single query result field exceeds 1 KB in size, the value of raw_results is truncated, and the excess part is discarded. | array | |
raw_results_count | The number of data records that are queried. The number can be greater than 100. | int | 20 |
fire_result | The first data record among the data records for which the alert is triggered. The result set for which the alert is triggered may contain multiple data records. SLS returns only the first data record of the result set for this variable. | map | |
query_url | The URL of the data records that are queried. If the value of the store_type variable is meta, this variable is empty. | string | https://sls.console.alibabacloud.com/lognext/project/test-xxx/logsearch/test-alert-access?encode=base64&endTime=1617175989&queryString=KiB8IHNlbGVjdCBjb3VudCgxKSBhcy*******&queryTimeType=99&startTime=1617175089 |
dashboard_url | The URL of the dashboard that is associated with the query. | string | https://sls.console.alibabacloud.com/next/project/myproject/dashboard/mydashboard |
role_arn | The Alibaba Cloud Resource Name (ARN) of the service role that is used. | string | acs:ram::117918634953****:role/aliyunslsalertmonitorrole |
FAQ
Appendix
resultssample[{ "store_type": "log", "region": "cn-hangzhou", "project": "sls-alert-test", "store": "test", "query": "* | select count(1) as cnt", "start_time": 1616741485, "end_time": 1616745085, "dashboard_id": "mydashboard", "raw_results": [{ "cnt": "4" }], "raw_result_count": 1, "fire_result": { "cnt": "4" }, "truncated": false, "role_arn": "" }]fire_resultssample[{ "host": "example.com", "host__1": "example.com", "pv": "836", "slbid": "slb-02", "status": "200" }, { "host": "example.com", "host__1": "example.com", "pv": "836", "slbid": "slb-02", "status": "200" }]policysample{ "alert_policy_id": "sls.test-alert", "action_policy_id": "sls.test-action", "repeat_interval": "5m0s" }
Example
The following example shows how to define notification content using a new content template:
Alert content:
{ "alert_id": "test-alert", "alert_name": "PV/UV Alert", "project": "project-1", "status": "firing", "severity": 6, "labels": { "app": "nginx", "host": "host-1" }, "results": [ { "project": "project-1", "logstore": "logstore-1", "query": "* | select count(*) as pv" }, { "project": "project-2", "logstore": "logstore-2", "query": "* | select count(distinct user_id) as uv" } ] }Alert template configuration:
- Alert ID: {{ alert.alert_id }} - Alert Name: {{ alert.alert_name }} - Project: {{ alert.project }} - Status: {% if alert.status == "firing" %}FIRING{% else %}RESOLVED{% endif %} - Labels: {%- for key, val in alert.labels.items() %} - {{ key }}: {{ val }} {%- endfor %} - Query: {{ alert.results[0].query }}Output result:
- Alert ID: test-alert - Alert Name: PV/UV Alert - Project: project-1 - Status: FIRING - Labels: - app: nginx - host: host-1 - Query: * | select count(*) as pv