Create alerts for log queries

Use alerts to notify individuals when a Logs query matches a particular event. You create alerts by defining a query to match on and an action to trigger when LogScale identifies a matching event in the alert query.

Unlike scheduled searches, each alert query runs continuously, so an action triggers as soon as an event matches the query. Alerts can be one of the following types:

  • Standard alerts trigger when an aggregate query generates a result set, which includes one or more rows of results. For example, the following query matches any logs in the production environment where the http_response tag isn't 200, and groups the results by http_path and http_response:

    environment = production
    #http_response != 200
    | groupBy([http_path, http_response])

  • Filter alerts trigger once for each event that passes the alert query's filter, so every matching event triggers the alert. For example, the following query matches any logs where the severity equals ERROR for the payment_service service in the production environment:

    severity = ERROR
    | service="payment_service"
    | env="production"

For more information about alerts, see Alerts in the LogScale documentation.
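To make the difference between the two alert types concrete, here is an added Python model (not code from the page or from LogScale) of how the two example queries above evaluate over a handful of constructed events: the standard alert fires once when the groupBy result set is non-empty, while the filter alert fires once per matching event. The Throttle class is a hypothetical model of a throttle period, which the page notes applies to standard alerts only.

```python
from collections import Counter

# Constructed sample events (not from the page); each dict stands for one
# ingested log event. In LogScale "#http_response" is a tag field; here it is
# simply the dict key "http_response".
EVENTS = [
    {"environment": "production", "http_path": "/checkout", "http_response": 500,
     "severity": "ERROR", "service": "payment_service", "env": "production"},
    {"environment": "production", "http_path": "/checkout", "http_response": 500,
     "severity": "ERROR", "service": "payment_service", "env": "production"},
    {"environment": "production", "http_path": "/health", "http_response": 200,
     "severity": "INFO", "service": "payment_service", "env": "production"},
    {"environment": "staging", "http_path": "/checkout", "http_response": 503,
     "severity": "ERROR", "service": "payment_service", "env": "staging"},
]

def standard_alert_rows(events):
    """Model of: environment = production  #http_response != 200
                 | groupBy([http_path, http_response])
    Returns the aggregate result set (one row per group, with a count)."""
    matched = [e for e in events
               if e.get("environment") == "production" and e.get("http_response") != 200]
    counts = Counter((e["http_path"], e["http_response"]) for e in matched)
    return [{"http_path": p, "http_response": r, "_count": n}
            for (p, r), n in sorted(counts.items())]

def standard_alert_fires(events):
    """A standard alert triggers once when the result set has at least one row."""
    return bool(standard_alert_rows(events))

def filter_alert_matches(events):
    """Model of: severity = ERROR | service="payment_service" | env="production"
    Every event returned here triggers the filter alert's action once."""
    return [e for e in events
            if e.get("severity") == "ERROR"
            and e.get("service") == "payment_service"
            and e.get("env") == "production"]

class Throttle:
    """Hypothetical throttle model: after one trigger, suppress further triggers
    until `period` seconds have elapsed (standard alerts only, per the page)."""
    def __init__(self, period):
        self.period, self.last = period, None

    def allow(self, now):
        if self.last is None or now - self.last >= self.period:
            self.last = now
            return True
        return False

if __name__ == "__main__":
    print(standard_alert_rows(EVENTS))      # one grouped row: /checkout, 500, count 2
    print(len(filter_alert_matches(EVENTS)))  # 2 separate filter-alert triggers
```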

Prerequisites

Create an action in LogScale to initiate when an alert triggers, such as notifying a PagerDuty group or sending a message to a Slack channel. If you create the alert first, you still need to create an action and then edit the alert to assign that action to it.

Create an alert

To create an alert in Logs:

  1. In the navigation menu, select Exploring > Logs Explorer.

  2. Click Logs Automation to display the Logs alerting capabilities.

  3. On the Logs Automation page, click Alerts and then click New alert.

  4. In the New alert pane, select Standard alert or Filter alert as your alert type.

  5. Enter a name for the alert, and include any variables you want to use as placeholders in the alert name. See message template and variables in the LogScale documentation for more information.

  6. In the Query section, enter a query for the alert to match on.

  7. Select an action to determine what happens when the alert triggers.

  8. Set a throttle period to control how often an alert triggers. See setting alert throttle period in the LogScale documentation for more information.

    Setting a throttle period isn't available for filter alerts.

  9. Click Create alert to create your alert.

When the alert query matches events, the action associated with the alert triggers and notifies the groups or individuals defined in the action.