Updated on 2025-08-14 GMT+08:00

Configuring Log Alarm Rules

You can set alarm rules based on keywords, search analysis, and SQL statistics for logs in log streams to monitor service status in real time. Currently, up to 200 keyword alarm rules can be created for each account.

Prerequisites

  • A log group and stream have been created. For details, see Managing Log Groups and Managing Log Streams.
  • To use field indexing for searching, analyzing, and collecting statistics on logs ingested to LTS, ensure that index settings are properly configured. For details, see Configuring Log Indexing. Correct index settings help you efficiently query and analyze log data and configure log alarm rules based on specific fields, such as the log severity, error code, and response time.

Configuring a Keyword Alarm Rule

LTS allows you to collect statistics on log keywords in log streams and set alarm rules to monitor them. By checking the number of keyword occurrences in a specified period, you can monitor how the service is running in real time.

  1. Log in to the management console and choose Management & Deployment > Log Tank Service.
  2. Choose Log Alarms in the navigation pane.
  3. Click the Alarm Rules tab.
  4. Click Create. The Create Alarm Rule right panel is displayed.
  5. Configure alarm rule parameters.

    Table 1 Keyword alarm rule parameters

    Category

    Parameter

    Description

    Basic Info

    Rule Name

    Define a name for your alarm rule based on service requirements. After the rule is created, move the cursor to the rule name in the rule list to view both the rule name and the original rule name. You can modify the rule name, but cannot modify the original rule name (defined during rule creation).

    Naming rules:

    Use only letters, digits, hyphens (-), and underscores (_). Do not start or end with a hyphen or underscore.

    Basic Info

    Description

    Description of the rule. Enter up to 128 characters.

    Statistical Analysis

    Statistics

    By keyword: applicable to scenarios where keywords are used to search for and configure log alarms.

    After an alarm rule is created, the statistics type cannot be changed. Plan the statistics type based on service requirements.

    Query Condition

    Log Group Name: Select a log group.

    Log Stream Name: Select a log stream.

    If a log group contains more than one log stream, you can select multiple log streams when creating a keyword alarm rule.

    Query Time Range: Specify the query period of the statement. It is one period earlier than the current time. For example, if Query Time Range is set to one hour and the current time is 9:00, the query statement period is 8:00–9:00.

    • The value ranges from 1 to 60 in the unit of minutes.
    • The value ranges from 1 to 24 in the unit of hours.

    Keywords: Enter log keywords that can be queried on the Log Search tab page. LTS monitors logs in the log stream based on these keywords.

    Exact and fuzzy matches are supported. Enter up to 1,024 characters. For details about how to set keyword search, see Using Search Syntax.

    In the index settings, Case-Sensitive is disabled by default. This means that keywords are case insensitive. If you enable this option, alarm keywords you enter will be case-sensitive for matching. For details, see Configuring Log Indexing.

    Check Rule

    Configure a condition that will trigger the alarm.

    • Matching Log Events: When the number of log events that contain the configured keywords reaches the specified value, an alarm is triggered. Four comparison operators are supported: greater than (>), greater than or equal to (>=), less than (<), and less than or equal to (<=).
    • The alarm severity can be Critical (default), Major, Minor, or Info.
    • The number of queries refers to the number of occurrences of the Query Frequency set in Advanced Settings. The number of times the condition is met refers to the number of times that the keyword appears. The number of queries must be greater than or equal to the number of times the condition must be met. Number of queries: 1–10

    Click + to add a condition expression with an OR relationship. A maximum of 20 condition expressions can be added.

    Click to delete a condition expression.

    Advanced Settings

    Query Frequency

    Options:

    • Hourly: The query is performed at the top of each hour.
    • Daily: The query is performed at a specific time every day.
    • Weekly: The query is performed at a specific time on a specific day every week.
    • Custom interval: You can specify the interval from 1 minute to 60 minutes or from 1 hour to 24 hours. For example, if the current time is 9:00 and the Custom interval is set to 5 minutes, the first query is at 9:00, the second query is at 9:05, the third query is at 9:10, and so on.

      When the query time range is larger than 1 hour, the custom interval must be at least 5 minutes.

    • CRON: The query task is executed according to Cron Expression. Cron expressions use the 24-hour format and are precise down to the minute.

    Advanced Settings

    Alarm Restored When

    Configure a policy for sending an alarm restoration notification.

    If alarm restoration notification is enabled and the trigger condition has not been met for the specified number of last queries, an alarm restoration notification is sent.

    Number of last queries: 1–10

    Advanced Settings

    Notify When

    • Alarm triggered: Specify whether to send a notification when an alarm is triggered. If this option is enabled, a notification will be sent when the trigger condition is met. If disabled, no notifications will be sent, even if the trigger condition is met.
    • Alarm restored: Specify whether to send a notification when an alarm is restored. If this option is enabled, a notification will be sent when the restoration policy is met. If disabled, no notifications will be sent, even if the restoration policy is met.

    Advanced Settings

    Frequency

    You can select Immediate, Every 5 minutes, Every 10 minutes, Every 15 minutes, Every 30 minutes, Every hour, Every 3 hours, or Every 6 hours to send alarms.

    Immediate indicates that a notification is sent once an alarm is generated. Every 10 minutes indicates that the minimum interval between two notifications is 10 minutes, preventing alarm storms.

    Advanced Settings

    Alarm Notification Rule

    Select a desired rule from the drop-down list.

    If no rule is available, click Create Alarm Notification Rule on the right.

    Advanced Settings

    Language

    Select the alarm language.

  6. Click OK.

    After an alarm rule is created, its status is Enabled by default. After the alarm rule is disabled, the alarm status is Disabled. After the alarm rule is disabled temporarily, the alarm status is Temporarily closed to May 30, 2023 16:21:24.000 GMT+08:00. (The time is for reference only.)

    When the alarm rule is enabled, an alarm will be triggered if the alarm rule is met. When it is disabled, an alarm will not be triggered even if the alarm rule is met.
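The following sketch is an added example, not LTS code. It replays per-query keyword counts through the Check Rule and Alarm Restored When settings from Table 1, so you can see which bursts a given combination suppresses before relying on it for monitoring. It assumes a sliding-window reading of the number of queries (the condition must hold in at least the configured number of the most recent queries); the names KeywordAlarm, observe, and replay are hypothetical, and the counts are constructed.

```python
import operator
from collections import deque
from dataclasses import dataclass, field

# The four comparison operators the Check Rule offers for Matching Log Events.
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


@dataclass
class KeywordAlarm:
    op: str             # comparison operator for Matching Log Events
    threshold: int      # Matching Log Events value
    queries: int        # number of queries (1-10)
    times_met: int      # times the condition must be met (<= queries)
    restore_after: int  # "Number of last queries" under Alarm Restored When (1-10)
    firing: bool = field(default=False, init=False)
    history: deque = field(default_factory=deque, init=False)

    def __post_init__(self):
        if self.op not in OPS:
            raise ValueError(f"unsupported operator {self.op!r}")
        if not (1 <= self.queries <= 10 and 1 <= self.restore_after <= 10):
            raise ValueError("query counts must be between 1 and 10")
        if not 1 <= self.times_met <= self.queries:
            raise ValueError("number of queries must be >= times the condition is met")
        self.history = deque(maxlen=max(self.queries, self.restore_after))

    def observe(self, matching_events):
        """Feed the result of one scheduled query; return 'triggered', 'restored' or None."""
        self.history.append(OPS[self.op](matching_events, self.threshold))
        recent = list(self.history)
        # Assumption: sliding window over the most recent `queries` results.
        if not self.firing and sum(recent[-self.queries:]) >= self.times_met:
            self.firing = True
            return "triggered"
        # Restoration: the condition was not met in any of the last `restore_after` queries.
        if (self.firing and len(recent) >= self.restore_after
                and not any(recent[-self.restore_after:])):
            self.firing = False
            return "restored"
        return None


def replay(rule, counts):
    """Run a sequence of per-query keyword counts through a rule."""
    return [rule.observe(count) for count in counts]


# Constructed sample: matching log events seen by seven consecutive queries.
SAMPLE_COUNTS = [0, 3, 1, 5, 0, 0, 4]

if __name__ == "__main__":
    # 2-of-3 ignores the isolated burst in the second query.
    print(replay(KeywordAlarm(">=", 2, queries=3, times_met=2, restore_after=2), SAMPLE_COUNTS))
    # 1-of-1 reacts to every burst and flaps between triggered and restored.
    print(replay(KeywordAlarm(">=", 2, queries=1, times_met=1, restore_after=1), SAMPLE_COUNTS))
```

With 2-of-3, the isolated burst of three events in the second query raises no alarm; choose the counts with that trade-off in mind when the keyword marks a security-relevant event.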

Configuring a SQL Alarm Rule

LTS can regularly run the SQL queries that you specify on structured logs and trigger an alarm when the alarm rule is met. You can view SQL alarms on the LTS console. Each SQL alarm rule can be associated with one to three charts. Each chart contains a SQL statement for querying a log stream.

This function is available only in regions AF-Johannesburg, AP-Singapore, CN-Hong Kong, CN East-Shanghai1, LA-Mexico City1, LA-Mexico City2, LA-Santiago, and LA-Sao Paulo1.

  1. Log in to the LTS console and choose Log Alarms in the navigation pane.
  2. Click the Alarm Rules tab.
  3. Click Create. The Create Alarm Rule right panel is displayed.
  4. Configure alarm rule parameters by referring to Table 2.

    Table 2 SQL alarm rule parameters

    Category

    Parameter

    Description

    Basic Info

    Rule Name

    Define a name for your alarm rule based on service requirements. After the rule is created, move the cursor to the rule name in the rule list to view both the rule name and the original rule name. You can modify the rule name, but cannot modify the original rule name (defined during rule creation).

    Naming rules:

    Use only letters, digits, hyphens (-), and underscores (_). Do not start or end with a hyphen or underscore.

    Basic Info

    Description

    Description of the rule.

    Statistical Analysis

    Statistics

    By SQL: Use SQL analysis to configure an alarm rule.

    After an alarm rule is created, the statistics type cannot be changed. Plan the statistics type based on service requirements.

    Charts

    Configure alarm-related charts.

    You can add a chart in the following two ways. If the logs in the log stream have not been structured, configure log structuring first. Up to three charts can be added. The chart and the SQL query statement in the chart cannot be left blank.

    • Configure from Scratch

      Click Configure from Scratch and then select a log group and stream. Set parameters as follows:

      • Log Group Name: (Required) Select a log group.
      • Log Stream Name: (Required) Select a log stream.
      • Query Time Range: (Optional) the period specified for querying logs. It can be 1 to 60 minutes or 1 to 24 hours.
      • Query Statement: required.
    • Import Configuration

      Click Import Configuration. On the displayed Custom page, select a log group and stream, select a chart, and click OK.

      If there are no charts available or the charts do not fit your needs, click Create Chart. Configure the chart parameters, click OK, and click Save and Back in the upper right corner to return to the Create Alarm Rule right panel. You can see that the chart you just created has been selected, and the query statement has been filled in.

      Specify the query time range (1 to 60 minutes or 1 to 24 hours). When the query frequency is set to every 1 to 4 minutes, the query time range can only be set to a value no larger than 1 hour.

      • Click to go to the visualization page of the log stream.
      • Click to delete an added chart.
      • Click Preview to view the data after visual analysis. You must click Preview; otherwise, the alarm rule cannot be saved.

    To add more charts, repeat the preceding steps.

    The number of the first chart is 0, the number of the second chart is 1, and the number of the third chart is 2.

    Check Rule

    Enter a specific condition expression. When the expression execution result is true, an alarm is generated.

    • Condition expressions can contain Chinese characters. They cannot contain only digits or start with a digit.
    • The alarm severity can be Critical (default), Major, Minor, or Info.
    • Specify the number of queries and the number of times the condition must be met to trigger the alarm. The number of queries must be greater than or equal to the number of times the condition must be met. Number of queries: 1–10

    Basic syntax and cross-chart combination syntax are supported. When multiple charts are associated, the following format must be used to reference fields in condition expressions:

    ${Chart No.}.{Query statement field}

    For example, to reference the pv field in the query statement select count(*) as pv of the first chart (chart 0), enter $0.pv.

    CAUTION:

    If multiple charts are used, condition expressions must contain $0, which indicates the first chart (chart 0).

    • Basic syntax:
      • Basic arithmetic operators: addition (+), subtraction (-), multiplication (*), division (/), and modulo (%). Example: x * 10 + y > 100
      • Comparison operators: greater than (>), greater than or equal to (>=), less than (<), less than or equal to (<=), equal to (==), and not equal to (!=). Example: x >= 100.
      • Logical operators: && (and) and || (or). Example: x > 0 && y < 200
      • Logical negation (!). Example: !(x < 1 && x > 100)
      • Numeric constants: They are processed as 64-bit floating point numbers. Example: x > 10
      • String constants. Example: str =="string"
      • Boolean constants: true and false. Example: (x < 100)!=true
      • Parentheses: used to change the order of operations. Example: x *(y + 10) < 200
      • contains function: used to check whether a string contains a substring. For example, if you run contains(str, "hello") and true is returned, the string contains the hello substring.
    • Cross-chart combination syntax:
      • Basic arithmetic operators: addition (+), subtraction (-), multiplication (*), division (/), and modulo (%).
      • Comparison operators: greater than (>), greater than or equal to (>=), less than (<), less than or equal to (<=), equal to (==), and not equal to (!=).
      • Logical operators: && (and) and || (or).
      • Logical negation (!)
      • contains function
      • Parentheses ()

      Example:

      $0.pv > 10 && $1.uv < 2

      $0.pv indicates the pv field in the query statement select count(*) as pv of the first chart (chart 0), and $1.uv indicates the uv field in the query statement select count(*) as uv of the second chart (chart 1). The two conditions must be met at the same time.

    Advanced Settings

    Query Frequency

    Options:

    • Hourly: The query is performed at the top of each hour.
    • Daily: The query is performed at a specific time every day.
    • Weekly: The query is performed at a specific time on a specific day every week.
    • Custom interval: You can specify the interval from 1 minute to 60 minutes or from 1 hour to 24 hours. For example, if the current time is 9:00 and the Custom interval is set to 5 minutes, the first query is at 9:00, the second query is at 9:05, the third query is at 9:10, and so on.

      When the query time range is larger than 1 hour, the custom interval must be at least 5 minutes.

    • CRON: The query task is executed according to Cron Expression. Cron expressions use the 24-hour format and are precise down to the minute.

    Advanced Settings

    Alarm Restored When

    Configure a policy for sending an alarm restoration notification.

    If alarm restoration notification is enabled and the trigger condition has not been met for the specified number of last queries, an alarm restoration notification is sent.

    Number of last queries: 1–10

    Advanced Settings

    Notify When

    • Alarm triggered: Specify whether to send a notification when an alarm is triggered. If this option is enabled, a notification will be sent when the trigger condition is met. If disabled, no notifications will be sent, even if the trigger condition is met.
    • Alarm restored: Specify whether to send a notification when an alarm is restored. If this option is enabled, a notification will be sent when the restoration policy is met. If disabled, no notifications will be sent, even if the restoration policy is met.

    Advanced Settings

    Frequency

    You can select Immediate, Every 5 minutes, Every 10 minutes, Every 15 minutes, Every 30 minutes, Every hour, Every 3 hours, or Every 6 hours to send alarms.

    Immediate indicates that a notification is sent once an alarm is generated. Every 10 minutes indicates that the minimum interval between two notifications is 10 minutes, preventing alarm storms.

    Advanced Settings

    Alarm Notification Rule

    Select a desired rule from the drop-down list.

    If no rule is available, click Create Alarm Notification Rule on the right. For details, see Creating an Alarm Notification Rule.

    Advanced Settings

    Language

    Specify the language (Chinese (simplified) or English) in which alarms are sent.

  5. Click OK.

Configuring an Alarm Rule with a Search | Analysis Statement

LTS allows you to configure alarm rules using its new SQL engine. This engine supports the combination of search and analysis statements with a pipe character (search | analysis) to periodically query structured data and trigger an alarm when the alarm rule's condition expression returns true. You can then view these SQL alarms on the LTS console.

  1. Log in to the LTS console and choose Log Alarms in the navigation pane.
  2. Click the Alarm Rules tab.
  3. Click Create. The Create Alarm Rule right panel is displayed.
  4. Configure alarm rule parameters by referring to Table 3.

    Table 3 Parameters of a search analysis alarm rule

    Category

    Parameter

    Description

    Basic Info

    Rule Name

    Define a name for your alarm rule based on service requirements. After the rule is created, move the cursor to the rule name in the rule list to view both the rule name and the original rule name. You can modify the rule name, but cannot modify the original rule name (defined during rule creation).

    Naming rules:

    Use only letters, digits, hyphens (-), and underscores (_). Do not start or end with a hyphen or underscore. Enter 1 to 128 characters.

    Enterprise Project Name

    Select the required enterprise project. The default value is default. You can click View Enterprise Projects to view all enterprise projects.

    Description

    Brief description of the rule. Enter up to 128 characters.

    Statistical Analysis

    Statistics

    Search Analysis: Configure alarm rules using the new SQL engine, which supports the combination of search and analysis statements with a pipe character (search | analysis).

    After an alarm rule is created, the statistics type cannot be changed. Plan the statistics type based on service requirements.

    Query Condition (Up to three query statements are supported.)

    Log Group Name: Select a log group.

    Log Stream Name: Select a log stream.

    Query Time Range: Specify the query period of the statement. It is one period earlier than the current time. For example, if Query Time Range is set to one hour and the current time is 9:00, the query statement period is 8:00–9:00.

    • The value ranges from 1 to 60 in the unit of minutes.
    • The value ranges from 1 to 24 in the unit of hours.

    Query Statement: Enter a statement in the following format.

    Search statement | SQL analysis statement

    LTS monitors logs in the log stream based on the configured statement. After entering the query statement, click Preview to preview the query result. Set the check rule based on the fields in the preview result.

    To add more query conditions, repeat the preceding steps. For details about the numbers of multiple conditions, see Figure 1.

    Figure 1 Viewing the query condition numbers

    The number of the first query condition is 0, the number of the second condition is 1, and the number of the third condition is 2.

    Check Rule

    When the condition expression is met for the specified times in the specified queries, an alarm of the critical, major, minor, or info severity will be triggered.

    Enter a specific condition expression. When the expression execution result is true, an alarm is generated.

    • Condition expressions can contain Chinese characters. They cannot contain only digits or start with a digit.
    • The alarm severity can be Critical (default), Major, Minor, or Info.
    • Specify the number of queries and the number of times the condition must be met to trigger the alarm. The number of queries must be greater than or equal to the number of times the condition must be met. Number of queries: 1–10

    Click + to add a condition expression with an OR relationship. A maximum of 20 condition expressions can be added.

    Click to delete a condition expression.

    Basic syntax and cross-chart combination syntax are supported. When multiple query conditions are associated, the following format must be used to reference fields in condition expressions:

    ${Query condition No.}.{Query statement field}

    For example, to reference the pv field in the query statement * | select count(*) as pv of the first chart (chart 0), enter $0.pv.

    CAUTION:

    If multiple charts are used, condition expressions must contain $0, which indicates the first chart (chart 0).

    • Basic syntax:
      • Basic arithmetic operators: addition (+), subtraction (-), multiplication (*), division (/), and modulo (%). Example: x * 10 + y > 100
      • Comparison operators: greater than (>), greater than or equal to (>=), less than (<), less than or equal to (<=), equal to (==), and not equal to (!=). Example: x >= 100.
      • Logical operators: && (and) and || (or). Example: x > 0 && y < 200
      • Logical negation (!). Example: !(x < 1 && x > 100)
      • Numeric constants: They are processed as 64-bit floating point numbers. Example: x > 10
      • String constants. Example: str =="string"
      • Boolean constants: true and false. Example: (x < 100)!=true
      • Parentheses: used to change the order of operations. Example: x *(y + 10) < 200
      • contains function: used to check whether a string contains a substring. For example, if you run contains(str, "hello") and true is returned, the string contains the hello substring.
    • Cross-chart combination syntax:
      • Basic arithmetic operators: addition (+), subtraction (-), multiplication (*), division (/), and modulo (%).
      • Comparison operators: greater than (>), greater than or equal to (>=), less than (<), less than or equal to (<=), equal to (==), and not equal to (!=).
      • Logical operators: && (and) and || (or).
      • Logical negation (!)
      • contains function
      • Parentheses ()

      Example:

      $0.pv > 10 && $1.uv < 2

      $0.pv indicates the pv field in the query statement * | select count(*) as pv of the first chart (chart 0), and $1.uv indicates the uv field in the query statement * | select count(*) as uv of the second chart (chart 1). The two conditions must be met at the same time.

    Advanced Settings

    Query Frequency

    Options:

    • Hourly: The query is performed at the top of each hour.
    • Daily: The query is performed at a specific time every day.
    • Weekly: The query is performed at a specific time on a specific day every week.
    • Custom interval: You can specify the interval from 1 minute to 60 minutes or from 1 hour to 24 hours. For example, if the current time is 9:00 and the Custom interval is set to 5 minutes, the first query is at 9:00, the second query is at 9:05, the third query is at 9:10, and so on.

      When the query time range is larger than 1 hour, the custom interval must be at least 5 minutes.

    • CRON: The query task is executed according to Cron Expression. Cron expressions use the 24-hour format and are precise down to the minute.

    Alarm Restored When

    Configure a policy for sending an alarm restoration notification.

    If alarm restoration notification is enabled and the trigger condition has not been met for the specified number of last queries, an alarm restoration notification is sent.

    Number of last queries: 1–10

    Notify When

    • Alarm triggered: Specify whether to send a notification when an alarm is triggered. If this option is enabled, a notification will be sent when the trigger condition is met. If disabled, no notifications will be sent, even if the trigger condition is met.
    • Alarm restored: Specify whether to send a notification when an alarm is restored. If this option is enabled, a notification will be sent when the restoration policy is met. If disabled, no notifications will be sent, even if the restoration policy is met.

    Frequency

    You can select Immediate, Every 5 minutes, Every 10 minutes, Every 15 minutes, Every 30 minutes, Every hour, Every 3 hours, or Every 6 hours to send alarms.

    Immediate indicates that a notification is sent once an alarm is generated. Every 10 minutes indicates that the minimum interval between two notifications is 10 minutes, preventing alarm storms.

    Alarm Notification Rule

    Select a desired rule from the drop-down list.

    If no rule is available, click Create Alarm Notification Rule on the right. For details, see Creating an Alarm Notification Rule.

    Language

    Specify the language (Chinese (simplified) or English) in which alarms are sent.

    Tag

    Tag alarm rules as required. Click Add Tags and enter a tag key and value.

    To add more tags, repeat this step. A maximum of 20 tags can be added.

    Tag key restrictions:

    • A tag key can contain letters, digits, spaces, and special characters (_.:=+-@), but cannot start or end with a space or start with _sys_.
    • A tag key can contain up to 128 characters, and a tag value can contain up to 255 characters.
    • Each tag key must be unique.

    Tag value restrictions:

    • A tag value can contain letters, digits, spaces, and the following special characters: _.:=+-@
    • A tag value can contain up to 255 characters.

    Deleting a tag:

    WARNING:

    Deleted tags cannot be recovered.

    To delete a tag, click Delete in the Operation column of the tag.

  5. Click OK.

    After an alarm rule is created, its status is Enabled by default. After the alarm rule is disabled, the alarm status is Disabled. After the alarm rule is disabled temporarily, the alarm status is Temporarily closed to May 30, 2023 16:21:24.000 GMT+08:00. (The time is for reference only.)

    When the alarm rule is enabled, an alarm will be triggered if the alarm rule is met. When it is disabled, an alarm will not be triggered even if the alarm rule is met.
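The Check Rule condition expressions described for SQL alarm rules (Table 2) and search | analysis alarm rules (Table 3) can be tested offline before a rule is saved. The evaluator below is an added example, not the LTS engine: it implements only the operators, constants, and contains function listed on this page, and enforces the $0 requirement for multi-chart expressions. Operator precedence (C-like) and the names tokenize, Parser, and evaluate are assumptions.

```python
import operator
import re

TOKEN = re.compile(r'''\s*(?:
    (?P<num>\d+(?:\.\d+)?)
  | (?P<str>"[^"]*")
  | (?P<name>\$\d+\.\w+|[^\W\d]\w*)
  | (?P<op>&&|\|\||==|!=|>=|<=|[-+*/%<>!(),])
)''', re.VERBOSE)

BINARY = {  # Assumption: C-like precedence; the page lists operators but no ordering.
    "||": (1, lambda a, b: bool(a) or bool(b)),
    "&&": (2, lambda a, b: bool(a) and bool(b)),
    "==": (3, operator.eq), "!=": (3, operator.ne), ">": (4, operator.gt),
    ">=": (4, operator.ge), "<": (4, operator.lt), "<=": (4, operator.le),
    "+": (5, operator.add), "-": (5, operator.sub), "*": (6, operator.mul),
    "/": (6, operator.truediv), "%": (6, operator.mod),
}


def tokenize(expr):
    pos, tokens, expr = 0, [], expr.rstrip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


class Parser:
    def __init__(self, tokens, fields):
        self.tokens, self.pos, self.fields = tokens, 0, fields

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self, expected=None):
        token = self.peek()
        if token[0] is None or (expected and token != ("op", expected)):
            raise ValueError(f"expected {expected or 'an operand'}, got {token[1]!r}")
        self.pos += 1
        return token

    def expression(self, min_prec=1):
        left = self.operand()
        while True:  # precedence climbing, left-associative
            kind, value = self.peek()
            if kind != "op" or value not in BINARY or BINARY[value][0] < min_prec:
                return left
            self.take()
            left = BINARY[value][1](left, self.expression(BINARY[value][0] + 1))

    def operand(self):
        kind, value = self.take()
        if kind == "num":
            return float(value)  # numeric constants are 64-bit floats
        if kind == "str":
            return value[1:-1]
        if (kind, value) == ("op", "!"):
            return not self.operand()
        if (kind, value) == ("op", "("):
            inner = self.expression()
            self.take(")")
            return inner
        if value in ("true", "false"):
            return value == "true"
        if value == "contains":
            self.take("(")
            haystack = self.expression()
            self.take(",")
            needle = self.expression()
            self.take(")")
            return str(needle) in str(haystack)
        if kind == "name" and value in self.fields:
            return self.fields[value]
        raise ValueError(f"unknown field or misplaced token {value!r}")


def evaluate(expr, charts):
    """charts: one dict of query result fields per chart or query condition, in order."""
    tokens = tokenize(expr)
    fields = dict(charts[0]) if len(charts) == 1 else {}  # bare names: single chart only
    for number, row in enumerate(charts):
        fields.update({f"${number}.{name}": v for name, v in row.items()})
    if len(charts) > 1 and not any(v.startswith("$0.") for k, v in tokens if k == "name"):
        raise ValueError("with multiple charts the expression must reference $0")
    parser = Parser(tokens, fields)
    result = parser.expression()
    if parser.peek()[0] is not None:
        raise ValueError("trailing input after expression")
    return bool(result)
```

Because numeric constants are 64-bit floats, integers above 2^53 cannot be compared exactly: in this evaluator `x == 9007199254740993` is true for x = 9007199254740992, so compare large identifiers as strings rather than numbers.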

Follow-up Operations on Alarm Rules

After creating an alarm rule, you can modify, enable, disable, copy, or delete it. Exercise caution when performing these operations.

  • You can perform the following operations on a single alarm rule.

    Modifying an alarm rule: Click Modify in the Operation column of the target alarm rule. On the displayed page, modify the rule name, query condition, and check rule, and click OK.

    Enabling an alarm rule: Click More > Enable in the Operation column of the target alarm rule and ensure the status changes to Enabled.

    Disabling an alarm rule: Click More > Disable in the Operation column of the target alarm rule and ensure the status changes to Disabled.

    Temporarily disabling an alarm rule: Click More > Disable Temporarily in the Operation column of the target alarm rule.

    Copying an alarm rule: Click More > Copy in the Operation column of the target alarm rule.

    Deleting an alarm rule: Click Delete in the Operation column of the target alarm rule. In the displayed dialog box, click OK.

    Deleted alarm rules cannot be recovered. Exercise caution when performing this operation.

  • After selecting multiple alarm rules, you can perform the following operations on them: Enable, Disable, Disable Temporarily, Re-Enable, Enable Clearance, Disable Clearance, Delete, and Export.
  • You can hover over a rule name to see both the current and original names. The original rule name cannot be changed.

Cron Expression

A cron expression consists of the following six fields: minute (0–59), hour (0–23), day (1–31), month (1–12), and day of the week (0–6: 0 indicates Sunday and 6 indicates Saturday). These fields are separated by spaces and are mandatory. In addition to the basic values, you can use special characters to express more complex time rules. Examples:
  • The query starts from 00:00 and is performed every 10 minutes at 00:00, 00:10, 00:20, 00:30, 00:40, 00:50, 01:00, and so on. * indicates any value of the field, and / indicates the interval between specified time points.
    0/10 * * * *

    For example, if the current time is 16:37, the next query is at 16:50.

  • The query starts from 00:00 and is performed every 5 hours at 00:00, 05:00, 10:00, 15:00, 20:00, and so on. * indicates any value of the field, and / indicates the interval between specified time points.
    0 0/5 * * *

    For example, if the current time is 16:37, the next query is at 20:00.

  • The query is performed at 14:00 every day.
    0 14 * * *
  • The query is performed at 00:00 on the 10th day of every month.
    0 0 10 * *

Example: Setting an Alarm Rule Using a Search | Analysis Statement (Beta)

This example guides you through setting up an alarm rule with a pipe-character-based statement (search | analysis statement) to trigger an alarm when the number of logs with an ERROR level reaches a specified threshold within a defined time range. This example is for reference only.

Search | analysis statement:

level:ERROR | SELECT count(*) as error_count

The following query result indicates that the log level ERROR appeared 123 times in the target log stream.

Figure 2 Query and analysis result
  • Query statement: Set the query time range to 5 minutes and execute the search | analysis statement to count ERROR level logs within that period. For details about the pipe character statement syntax, see Log Search and Analysis (Pipe Character).
    Figure 3 Query statement

  • Alarm notification: After creating the preceding alarm rule, you will receive an alarm in the alarm list as long as the keyword Error appears two or more times in your logs. You can also click an alarm name to view the alarm details and sources.
    Figure 4 Alarm notification