Configuring Keyword Alarm Rules

LTS allows you to collect statistics on log keywords and set alarm rules to monitor them. By checking the number of keyword occurrences in a specified period, you can have a real-time view of the service running. Currently, up to 200 keyword alarms can be created for each account.

Prerequisites

You have created log groups and log streams.

Creating an Alarm Rule

Log in to the LTS console, and choose Alarms in the navigation pane on the left.
Click the Alarm Rules tab.
Click Create. The Create Alarm Rule right panel is displayed.

Configure an alarm rule.

**Table 1** Parameters for setting a keyword alarm condition
Category	Parameter	Description
Basic Info	Rule Name	Name of the alarm rule. Enter 1 to 64 characters and do not start or end with a hyphen (-) or underscore (_). Only letters, digits, hyphens, and underscores are allowed. NOTE: After an alarm is created, the rule name can be modified. After the modification, move the cursor over the rule name to view the new and original rule names. The original rule name created for the first time cannot be changed.
Basic Info	Description	Rule description. Enter up to 64 characters.
Statistical analysis	Statistics	By keyword: applicable to scenarios where keywords are used to search for and configure log alarms.
	Query condition	Log Group Name: Select a log group.
		Log Stream Name: Select a log stream. NOTE: If a log group contains more than one log stream, you can select multiple log streams when creating a keyword alarm rule.
		Query Time Range: Specify the query period of the statement. It is one period earlier than the current time. For example, if Query Time Range is set to one hour and the current time is 9:00, the period of the query statement is 8:00–9:00. The value ranges from 1 to 60 in the unit of minutes. The value ranges from 1 to 24 in the unit of hours.
		Keywords: Enter keywords that you want LTS to monitor in logs. Exact and fuzzy matches are supported. A keyword is case-sensitive and contains up to 1024 characters.
	Check Rule	Configure a condition that will trigger the alarm. Matching Log Events: When the number of log events that contain the configured keywords reaches the specified value, an alarm is triggered. Four comparison operators are supported: greater than (>), greater than or equal to (>=), less than (<), and less than or equal to (<=). The number of queries refers to the Query Frequency set in Advanced Settings and the number of times the condition must be met to trigger the alarm. The number of queries must be greater than or equal to the number of times the condition must be met. NOTE: The alarm severity can be critical (default), major, minor, or info. Number of queries: 1–10
Advanced Settings	Query Frequency	The options for this parameter are: Hourly: The query is performed at the top of each hour. Daily: The query is run at a specific time every day. Weekly: The query is run at a specific time on a specific day every week. Custom interval: You can specify the interval from 1 minute to 60 minutes or from 1 hour to 24 hours. For example, if the current time is 9:00 and the Custom interval is set to 5 minutes, the first query is at 9:00, the second query is at 9:05, the third query is at 9:10, and so on. NOTE: When the query time range is set to a value larger than 1 hour, the query frequency must be set to every 5 minutes or a lower frequency. CRON: CRON expressions support schedules down to the minute and use 24-hour format. Examples: 0/10 * * * : The query starts from 00:00 and is performed every 10 minutes. That is, queries start at 00:00, 00:10, 00:20, 00:30, 00:40, 00:50, 01:00, and so on. For example, if the current time is 16:37, the next query is at 16:50. 0 0/5 * : The query starts from 00:00 and is performed every 5 hours at 00:00, 05:00, 10:00, 15:00, 20:00, and so on. For example, if the current time is 16:37, the next query is at 20:00. 0 14 * : The query is performed at 14:00 every day. 0 0 10 *: The query is performed at 00:00 on the 10th day of every month.
Advanced Settings	Send notification	Enable or disable alarm notification. If you enable Send notification, you need to select a Simple Message Notification (SMN) topic, time zone, and language. You can select multiple topics.

Click OK. The keyword alarm rule is created.

You can also choose Log Management in the navigation pane, and select a log stream. On the Raw Logs tab page displayed, click in the upper right corner, and click Alarms Rules to create an alarm rule.

After an alarm rule is created, its status is Enabled by default. After the alarm rule is disabled, the alarm status is Disabled. After the alarm rule is disabled temporarily, the alarm status is Temporarily closed to May 30, 2023 16:21:24.000 GMT+08:00. (The time is for reference only.)

When the alarm rule is enabled, an alarm will be triggered if the alarm rule is met. When the alarm rule is disabled, an alarm will not be triggered even if the alarm rule is met.

Follow-up Operations on Alarm Rules

You can perform the following operations on a single alarm rule.
Modifying an alarm rule: Click in the Operation column of the row that contains the target alarm rule and modify parameters according to Table 1. You can modify the rule name. After the modification is complete, move the cursor over the rule name. The new and original rule names are displayed. The original rule name created for the first time cannot be changed.

Enabling an alarm rule: Click in the Operation column of the row that contains the target alarm rule. (The enabling button is displayed only after the alarm rule is disabled.)

Disabling an alarm rule: Click in the Operation column of the row that contains the target alarm rule. (The disabling button is displayed only after the alarm rule is enabled.)

Temporarily disabling the alarm rule: Click in the Operation column of the row that contains the target alarm rule and set the end time for temporarily disabling the alarm rule.

Copying an alarm rule: Click in the Operation column of the row that contains the target alarm rule.

Deleting an alarm rule: Click in the Operation column of the row that contains the target alarm rule, and click OK.
After selecting multiple alarm rules, you can perform the following operations on the alarms: Open, Close, Disable Temporarily, Re-Enable, Enable Clearance, Disable Clearance, and Delete.