After you create an alert monitoring rule, Log Service checks query and analysis results based on the check frequency and trigger condition that you specify in the rule. If an alert is triggered, the alert is denoised and an alert notification is sent based on the alert policy and action policy that you select.

Procedure

  1. Log on to the Log Service console.
  2. In the Projects section, click the name of the project that you want to view.
  3. Choose Log Storage > Logstores. On the Logstores tab, click the Logstore that you want to view.
  4. In the upper-right corner of the page, choose Save as Alert > New Alerting Feature (Public Preview).
  5. In the Alert Monitoring Rule panel, set the parameters and click OK.
    Parameter: Description
    Rule Name: Specify the name of the alert monitoring rule.
    Check Frequency: Specify the frequency at which query and analysis results are checked.
    • Hourly: Query and analysis results are checked every hour.
    • Daily: Query and analysis results are checked at a specified point in time every day.
    • Weekly: Query and analysis results are checked at a specified point in time on a specified day of each week.
    • Fixed Interval: Query and analysis results are checked at a specified interval.
    • Cron: Query and analysis results are checked at an interval that is specified by using a CRON expression.

      If you use CRON expressions, the minimum precision is 1 minute. The time format is based on the 24-hour clock. For example, 0 0/1 * * * indicates that query and analysis results are checked every hour from 00:00.

    Query Statistics: Specify a query statement.

    If you specify multiple query statements, you can set the Set Operations parameter to associate multiple query results. For more information, see Multi-set operations.

    Group Evaluation: Log Service allows you to group query and analysis results.
    • If you set this parameter to Custom Tag, Log Service groups query and analysis results based on the fields that you specify. After Log Service groups the query and analysis results, Log Service checks whether the query and analysis results in each group meet the trigger condition. An alert is triggered for each group whose query and analysis results meet the trigger condition in a check period.

      You can specify multiple fields. Use commas (,) to separate the fields.

    • If you set this parameter to No Grouping, only one alert is triggered in each check period when the trigger condition is met.
    • If you set this parameter to Auto Tag, Log Service automatically groups the query and analysis results of time series data.
    Trigger Condition: Specify the trigger condition of an alert.
    • Data is returned: If data is returned for a query, an alert is triggered.
    • the query result contains: If the number of returned rows of a query reaches N, an alert is triggered.
    • data matches the expression: If the returned data of a query matches a specified expression, an alert is triggered.
    • the query result contains: If the number of returned rows of a query reaches N, and the N rows of data match a specified expression, an alert is triggered.

    For more information, see Use an evaluate expression to specify a trigger condition.

    Severity: Specify the alert severity. This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or action policy, you can add conditions based on severities. For more information, see Specify alert severities.
    • Simple mode: If you select a severity, all alerts that are triggered based on the alert monitoring rule have the same severity.
    • Conditional mode: You can click Create to specify a condition and the related severity. For information about conditional expressions, see Syntax of trigger conditions in alert rules.
    Add Label: Log Service allows you to add labels as identifying attributes for alerts. Labels are formatted in key-value pairs. This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add conditions based on labels. For more information, see Labels and annotations.
    Add Annotation: Log Service allows you to add annotations as non-identifying attributes for alerts. Annotations are formatted in key-value pairs. This parameter is used to denoise alerts and manage alert notifications. When you create an alert policy or an action policy, you can add conditions based on annotations. For more information, see Labels and annotations.
    Auto-Add: If you turn on the Auto-Add switch, information such as __count__ and __topic__ is automatically added to the alert. For more information, see Labels and annotations.
    Recovery Notifications: If you turn on the Recovery Notifications switch and the related alert is cleared, a recovery notification is sent. The severity of the recovery notification is the same as the severity of the alert. For more information, see Recovery notifications.
    Threshold of Continuous Triggers: Specify the threshold of continuous triggers. An alert is triggered only when the specified trigger condition is met during consecutive check periods. If the trigger condition is not met, no alert is triggered.
    No Data Alert: If you turn on the No Data Alert switch, and no data is returned for a query, an alert is triggered. If no data is returned in the result of multiple queries for which set operations are used, an alert is also triggered. However, an alert is triggered only when the number of no-data results that are returned during consecutive check periods exceeds the value of the Threshold of Continuous Triggers parameter. For more information, see No-data alerts.
    Alert Policy: Select an alert policy to merge, denoise, and suppress alerts.
    • If you select Simple Mode or Standard Mode, you do not need to configure alert policies. By default, Log Service uses the sls.builtin.dynamic alert policy to manage alerts.
    • If you select Advanced Mode, you can select a built-in or custom alert policy to manage alerts. For information about how to create an alert policy, see Create an alert policy.
    Action Policy: Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent.
    • If you set Alert Policy to Simple Mode, you need only to configure an action group.
      After you configure an action group, Log Service creates an action policy named Rule name-Action policy. Alert notifications are sent based on the action policy for all alerts that are triggered based on the alert monitoring rule. For more information, see Notification methods.
      Notice: You can modify the settings of an action policy on the Action Policy tab. For more information, see Create an action policy. If you add evaluation when you modify an action policy, the value of the Alert Policy parameter is automatically changed to Standard Mode.
    • If you set Alert Policy to Standard Mode or Advanced Mode, you can select a built-in or custom action policy to send alert notifications. For information about how to create an action policy, see Create an action policy.

      If you set Alert Policy to Advanced Mode, you can enable or disable Custom Action Policy. For more information, see Dynamic action policies.

    Cycle: If duplicate alerts are triggered in the specified duration, the action policy that you select is executed only once, and only one alert notification is sent.
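
The Cron option of Check Frequency above takes an expression such as 0 0/1 * * *. As an added example (not code from Log Service or its documentation), the following Python sketch expands the minute and hour fields of a five-field expression into the check times for one day, so a schedule can be verified before the rule is saved. It assumes that a/n means "from a to the field maximum in steps of n" and requires the last three fields to be *; the function names are hypothetical.

```python
# Field bounds for the two fields this sketch expands: minute and hour.
BOUNDS = {"minute": (0, 59), "hour": (0, 23)}

def expand_field(spec, lo, hi):
    """Expand one CRON field ('*', 'a', 'a-b', 'a/n', '*/n', 'a-b/n', lists)."""
    values = set()
    for part in spec.split(","):
        base, _, step = part.partition("/")
        step = int(step) if step else 1
        if step < 1:
            raise ValueError(f"bad step in {part!r}")
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            start, end = (int(x) for x in base.split("-", 1))
        else:
            start = int(base)
            # Assumption: 'a/n' runs from a to the field maximum, as in 0/1.
            end = hi if "/" in part else start
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{part!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return sorted(values)

def daily_fire_times(expr):
    """Return the HH:MM check times within one day for a 5-field expression."""
    fields = expr.split()
    if len(fields) != 5:
        # 1-minute minimum precision: there is no seconds field to accept.
        raise ValueError("expected 5 fields: minute hour day month weekday")
    if fields[2:] != ["*", "*", "*"]:
        raise ValueError("this sketch only expands the minute and hour fields")
    minutes = expand_field(fields[0], *BOUNDS["minute"])
    hours = expand_field(fields[1], *BOUNDS["hour"])
    return [f"{h:02d}:{m:02d}" for h in hours for m in minutes]

def max_gap_minutes(expr):
    """Longest stretch between consecutive checks, wrapping over midnight."""
    marks = [int(t[:2]) * 60 + int(t[3:]) for t in daily_fire_times(expr)]
    gaps = [b - a for a, b in zip(marks, marks[1:])]
    gaps.append(marks[0] + 24 * 60 - marks[-1])
    return max(gaps)

if __name__ == "__main__":
    print(daily_fire_times("0 0/1 * * *")[:3], max_gap_minutes("0 0/1 * * *"))
```

The longest gap is worth checking for schedules restricted to certain hours: with */15 9-17 * * * no check runs between 17:45 and 09:00 the next day.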