Updated on 2024-06-28 GMT+08:00

Creating a Log Alarm Rule

You can create log alarm rules based on search analysis, keyword statistics, or SQL statistics. AOM then runs the configured query on the schedule you set and reports an alarm when the check rule is met.

Prerequisites

Precautions

  • Creating alarm rules based on search analysis is in closed beta.
  • The function of creating alarm rules by SQL is available to all users in regions CN South-Guangzhou, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN-Hong Kong, and AP-Bangkok. It is also available to whitelisted users in regions CN North-Beijing1, CN Southwest-Guiyang1, AP-Bangkok, AP-Jakarta, and CN South-Shenzhen.

Creating Log Alarm Rules Based on Search Analysis

  1. Log in to the AOM 2.0 console.
  2. In the navigation pane, choose Alarm Management > Alarm Rules.
  3. In the right pane, click the Log Alarm Rules tab and click Add Log Alarm Rule.
  4. On the displayed page, set alarm rule parameters by referring to Table 1.

    Table 1 Alarm condition parameters (columns: Category, Parameter, Description)

    Basic Info

    Rule Name

    Name of a rule. Enter 1 to 64 characters and do not start or end with a hyphen (-) or underscore (_). Only letters, digits, hyphens, and underscores are allowed.

    NOTE:

    After an alarm rule is created, the rule name can be modified. After the modification, move the cursor over the rule name to view both new and original rule names.

    Description

    Description of the rule. Enter up to 64 characters.

    Statistical Analysis

    Statistics

    Search Analysis: for alarm rules whose statistics are produced by the new SQL engine. The pipe character (|) can be used to feed a search statement into an SQL analysis statement.

    Query Conditions (up to three query statements are supported)

    Log Group Name: Select a log group.

    Log Stream Name: Select a log stream.
    NOTE:

    If a log group contains more than one log stream, you can select multiple log streams when creating an alarm rule based on search analysis.

    Query Time Range: the period of logs that each query covers. It is the period immediately before the query time. For example, if Query Time Range is set to one hour and the query runs at 9:00, it covers logs from 8:00 to 9:00.

    • The value ranges from 1 to 60 in the unit of minutes.
    • The value ranges from 1 to 24 in the unit of hours.

    Query Statement: in the format of "Search statement | SQL analysis statement". AOM then monitors logs in the log stream based on the configured statements.

    Check Rule

    Enter a specific conditional expression. When the expression execution result is true, an alarm is generated.

    Basic syntax and syntax across multiple charts are supported.

    • Basic syntax
      • Basic arithmetic operators: addition (+), subtraction (-), multiplication (*), division (/), and modulo (%). Example: x * 10 + y > 100
      • Comparison operators: greater than (>), greater than or equal to (>=), less than (<), less than or equal to (<=), equal to (==), and not equal to (!=). Example: x >= 100
      • Logical operators: && (and) and || (or). Example: x > 0 && y < 200
      • Logical negation (!). Example: !(x < 1 || x > 100), which is true when x is between 1 and 100 inclusive
      • Numeric constants: processed as 64-bit floating point numbers. Example: x > 10. Because values are floating point, avoid testing computed results with == or !=; use >=, <=, or a tolerance instead.
      • String constants. Example: str == "string"
      • Boolean constants: true and false. Example: (x < 100) != true
      • Parentheses: used to change the order of operations. Example: x * (y + 10) < 200
      • Contains function: used to check whether a string contains a substring. Example: contains(str, "hello") returns true when str contains the substring hello.
    • Syntax across multiple charts
      • Basic arithmetic operators: addition (+), subtraction (-), multiplication (*), division (/), and modulo (%).
      • Comparison operators: greater than (>), greater than or equal to (>=), less than (<), less than or equal to (<=), equal to (==), and not equal to (!=).
      • Logical operators: && (and) and || (or).
      • Logical negation (!)
      • Contains function
      • Parentheses
    NOTE:
    • Specify the number of queries and the number of times the condition (conditional expression) must be met within those queries to trigger an alarm. The number of times cannot exceed the number of queries.
    • The alarm severity can be Critical (default), Major, Minor, or Info.
    • Number of queries: 1–10

    Advanced Settings

    Query Frequency

    Options:

    • Hourly: The query is performed at the top of each hour.
    • Daily: The query is performed at a specific time every day.
    • Weekly: The query is performed at a specific time on a specific day every week.
    • Custom interval: You can specify the interval from 1 minute to 60 minutes or from 1 hour to 24 hours. For example, if the current time is 9:00 and the Custom interval is set to 5 minutes, the first query is at 9:00, the second query is at 9:05, the third query is at 9:10, and so on.
      NOTE:

      When the query time range is larger than 1 hour, the interval must be at least 5 minutes.

    • CRON: Cron expressions have five fields (minute, hour, day of month, month, day of week), use the 24-hour format, and are precise down to the minute. Examples:
      • 0/10 * * * *: The query starts from 00:00 and is performed every 10 minutes at 00:00, 00:10, 00:20, 00:30, 00:40, 00:50, 01:00, and so on. For example, if the current time is 16:37, the next query is at 16:40.
      • 0 0/5 * * *: The query starts from 00:00 and is performed every 5 hours at 00:00, 05:00, 10:00, 15:00, 20:00, and so on. For example, if the current time is 16:37, the next query is at 20:00.
      • 0 14 * * *: The query is performed at 14:00 every day.
      • 0 0 10 * *: The query is performed at 00:00 on the 10th day of every month.
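    An added example, not AOM's scheduler, that computes the next run time for five-field cron strings such as the ones above, so the effect of a cron string can be checked before it is saved; it serves the identical Query Frequency settings of the keyword and SQL rule types as well. The field order (minute, hour, day of month, month, day of week with 0 = Sunday), the reading of "A/B" as "from A, every B", and the requirement that both day fields match when both are restricted are assumptions stated in the docstring.

```python
"""Next-run calculator for the five-field cron expressions accepted by Query Frequency.

Added example, not AOM's scheduler.  Assumptions: fields are minute, hour,
day-of-month, month, day-of-week (0 = Sunday); "A/B" means "from A, every B";
when both day fields are restricted, both must match.
"""
from datetime import datetime, timedelta

_FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("dom", 1, 31), ("month", 1, 12), ("dow", 0, 6))


def _expand(field, lo, hi):
    """Expand one cron field ('*', 'N', 'A-B', 'A/B', '*/B', comma lists) into a set."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(p) for p in part.split("-", 1))
        else:
            start = int(part)
            end = hi if step > 1 else start      # "0/10" means 0, 10, 20, ...
        if step < 1 or not lo <= start <= end <= hi:
            raise ValueError(f"bad cron field: {field!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse a five-field cron string into a set of allowed values per field."""
    parts = expr.split()
    if len(parts) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    return {name: _expand(p, lo, hi) for p, (name, lo, hi) in zip(parts, _FIELDS)}


def next_run(expr, now):
    """First minute strictly after `now` that matches the cron expression."""
    spec = parse_cron(expr)
    t = now.replace(second=0, microsecond=0) + timedelta(minutes=1)
    deadline = t + timedelta(days=366 * 4)       # bound the search (e.g. a 29 Feb rule)
    while t < deadline:
        if t.month not in spec["month"]:          # jump to the first minute of next month
            t = (t.replace(day=1, hour=0, minute=0) + timedelta(days=32)).replace(day=1)
        elif t.day not in spec["dom"] or (t.weekday() + 1) % 7 not in spec["dow"]:
            t = t.replace(hour=0, minute=0) + timedelta(days=1)
        elif t.hour not in spec["hour"]:
            t = t.replace(minute=0) + timedelta(hours=1)
        elif t.minute not in spec["minute"]:
            t += timedelta(minutes=1)
        else:
            return t
    raise ValueError(f"{expr!r} never fires")


def next_run_iso(expr, now_iso):
    """String front end, e.g. next_run_iso('0/10 * * * *', '2024-06-28 16:37')."""
    now = datetime.strptime(now_iso, "%Y-%m-%d %H:%M")
    return next_run(expr, now).strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    for cron in ("0/10 * * * *", "0 0/5 * * *", "0 14 * * *", "0 0 10 * *"):
        print(f"{cron:14} -> {next_run_iso(cron, '2024-06-28 16:37')}")
```

    Run from 16:37 on a Friday, the four documented expressions give 16:40 the same day, 20:00 the same day, 14:00 the next day, and 00:00 on the 10th of the following month.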

    Restores

    Configure a policy for sending an alarm clearance notification.

    If alarm clearance notification is enabled and the trigger condition has not been met for the specified number of statistical periods, an alarm clearance notification will be sent.

    Number of last queries: 1–10

    Notify When

    • Alarm triggered: Specify whether to send a notification when an alarm is triggered. If this option is enabled, a notification will be sent when the trigger condition is met.
    • Alarm cleared: Specify whether to send a notification when an alarm is cleared. If this option is enabled, a notification will be sent when the recovery policy is met.

    Frequency

    You can select Once, Every 5 minutes, Every 10 minutes, Every 15 minutes, Every 30 minutes, Every hour, Every 3 hours, or Every 6 hours to send alarms.

    Once indicates that a notification is sent once an alarm is generated. Every 10 minutes indicates that the minimum interval between two notifications is 10 minutes, preventing alarm storms.

    Alarm Action Rules

    Select a desired rule from the drop-down list.

    If no rule is available, click Create Alarm Action Rule on the right. For details, see Creating an Alarm Action Rule.

    Language

    Specify the language (English) in which alarms are sent.

  5. Click Confirm. The alarm rule is created.

Creating Log Alarm Rules by Keyword

  1. Log in to the AOM 2.0 console.
  2. In the navigation pane, choose Alarm Management > Alarm Rules.
  3. In the right pane, click the Log Alarm Rules tab and click Add Log Alarm Rule.
  4. On the displayed page, set alarm rule parameters by referring to Table 2.

    Table 2 Alarm condition parameters (columns: Category, Parameter, Description)

    Basic Info

    Rule Name

    Name of a rule. Enter 1 to 64 characters and do not start or end with a hyphen (-) or underscore (_). Only letters, digits, hyphens, and underscores are allowed.

    NOTE:

    After an alarm rule is created, the rule name can be modified. After the modification, move the cursor over the rule name to view both new and original rule names.

    Description

    Description of the rule. Enter up to 64 characters.

    Statistical Analysis

    Statistics

    By keyword: for alarm rules that count the log events containing specified keywords.

    Query Condition

    Log Group Name: Select a log group.

    Log Stream Name: Select a log stream.
    NOTE:

    If a log group contains more than one log stream, you can select multiple log streams when creating a log alarm rule by keyword.

    Query Time Range: the period of logs that each query covers. It is the period immediately before the query time. For example, if Query Time Range is set to one hour and the query runs at 9:00, it covers logs from 8:00 to 9:00.

    • The value ranges from 1 to 60 in the unit of minutes.
    • The value ranges from 1 to 24 in the unit of hours.

    Keywords: Enter the keywords that AOM should look for in the logs. Exact and fuzzy matches are supported. Keywords are case-sensitive and can be up to 1024 characters long.

    Check Rule

    Configure a condition that will trigger the alarm.

    Matching Log Events: When the number of log events that contain the configured keywords reaches the specified value, an alarm is triggered.

    Four comparison operators are supported: greater than (>), greater than or equal to (>=), less than (<), and less than or equal to (<=).

    Specify the number of queries and the number of times the condition (keyword contained in log events) must be met within those queries to trigger an alarm. The number of times cannot exceed the number of queries.

    NOTE:
    • The alarm severity can be Critical (default), Major, Minor, or Info.
    • Number of queries: 1–10
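    An added example, not AOM's code, that replays a keyword rule over constructed log lines: it applies the Query Time Range window, the case-sensitive keyword match, the Matching Log Events comparison, and the trigger window (number of queries and times the condition must be met) together with the clearance window (Restores: number of last queries) that the Check Rule and Restores settings describe for all three rule types. The reading of those two windows, the half-open window boundaries and the log lines themselves are assumptions; fuzzy matching is not modelled.

```python
"""Dry run of a keyword alarm rule over constructed log lines.

Added example, not AOM's own code.  Reading of the windows used here (an
assumption): the alarm triggers when the condition was met in at least
`times_met` of the last `queries` runs, and clears when it was not met in any
of the last `restore_queries` runs.  The query window is treated as half-open,
[query time - range, query time).  The log lines are constructed, not real.
"""
from collections import deque
from datetime import datetime, timedelta
import operator

# Constructed sample log events (timestamp, message); not real data.
SAMPLE_LOGS = [
    ("2024-06-28 07:55:10", "sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2"),
    ("2024-06-28 08:02:41", "sshd[1203]: Accepted publickey for deploy from 198.51.100.7 port 40212 ssh2"),
    ("2024-06-28 08:14:03", "sshd[1210]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2"),
    ("2024-06-28 08:14:05", "sshd[1210]: Failed password for invalid user admin from 203.0.113.5 port 51131 ssh2"),
    ("2024-06-28 08:20:30", "sshd[1215]: Failed password for root from 203.0.113.5 port 51135 ssh2"),
    ("2024-06-28 08:31:22", "app[77]: failed password check for api client"),   # lowercase: no match
    ("2024-06-28 08:35:12", "sshd[1222]: Failed password for root from 203.0.113.9 port 51140 ssh2"),
    ("2024-06-28 08:47:59", "sshd[1230]: Failed password for root from 203.0.113.9 port 51142 ssh2"),
    ("2024-06-28 09:00:00", "sshd[1240]: Failed password for root from 203.0.113.9 port 51150 ssh2"),
]

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def count_matches(logs, keyword, query_time, time_range):
    """Events in [query_time - time_range, query_time) whose message contains keyword.

    Case-sensitive substring test, as the Keywords parameter says; fuzzy
    matching is not modelled.
    """
    start = query_time - time_range
    return sum(1 for ts, msg in logs
               if start <= datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") < query_time
               and keyword in msg)


def condition_met(count, op, threshold):
    """Matching Log Events check with one of the four supported comparison operators."""
    return _OPS[op](count, threshold)


class KeywordAlarm:
    """Trigger and clearance windows from the Check Rule and Restores settings."""

    def __init__(self, queries, times_met, restore_queries):
        if not (1 <= times_met <= queries <= 10 and 1 <= restore_queries <= 10):
            raise ValueError("queries and restore queries are 1-10; times met cannot exceed queries")
        self.queries, self.times_met, self.restore_queries = queries, times_met, restore_queries
        self.history = deque(maxlen=max(queries, restore_queries))
        self.active = False

    def observe(self, met):
        """Record one query result; return 'trigger', 'clear' or None."""
        self.history.append(met)
        recent = list(self.history)
        if not self.active and sum(recent[-self.queries:]) >= self.times_met:
            self.active = True
            return "trigger"
        if (self.active and len(recent) >= self.restore_queries
                and not any(recent[-self.restore_queries:])):
            self.active = False
            return "clear"
        return None


def dry_run(logs, keyword, op, threshold, first_query, interval, runs, time_range, alarm):
    """Replay the rule at `runs` successive query times; return (time, count, event) per run."""
    results = []
    for i in range(runs):
        qt = first_query + i * interval
        n = count_matches(logs, keyword, qt, time_range)
        results.append((qt.strftime("%H:%M"), n, alarm.observe(condition_met(n, op, threshold))))
    return results


def demo():
    """Rule: count of 'Failed password' > 0 in a 15-minute range, queried every 15 minutes;
    trigger when met in 2 of the last 2 queries, clear after 2 consecutive misses."""
    return dry_run(SAMPLE_LOGS, "Failed password", ">", 0,
                   datetime(2024, 6, 28, 8, 15), timedelta(minutes=15), 7,
                   timedelta(minutes=15), KeywordAlarm(queries=2, times_met=2, restore_queries=2))


if __name__ == "__main__":
    for when, n, event in demo():
        print(f"{when}  matches={n}  {event or ''}")
```

    In the replay the 08:31 line is not counted because the keyword match is case-sensitive, the 09:00:00 event falls into the 09:15 window rather than the 09:00 one, the alarm triggers at the second consecutive hit (08:30) and clears at 09:45 after two empty windows. Notification frequency is a separate setting and is not modelled.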

    Advanced Settings

    Query Frequency

    Options:

    • Hourly: The query is performed at the top of each hour.
    • Daily: The query is performed at a specific time every day.
    • Weekly: The query is performed at a specific time on a specific day every week.
    • Custom interval: You can specify the interval from 1 minute to 60 minutes or from 1 hour to 24 hours. For example, if the current time is 9:00 and the Custom interval is set to 5 minutes, the first query is at 9:00, the second query is at 9:05, the third query is at 9:10, and so on.
      NOTE:

      When the query time range is larger than 1 hour, the interval must be at least 5 minutes.

    • CRON: Cron expressions have five fields (minute, hour, day of month, month, day of week), use the 24-hour format, and are precise down to the minute. Examples:
      • 0/10 * * * *: The query starts from 00:00 and is performed every 10 minutes at 00:00, 00:10, 00:20, 00:30, 00:40, 00:50, 01:00, and so on. For example, if the current time is 16:37, the next query is at 16:40.
      • 0 0/5 * * *: The query starts from 00:00 and is performed every 5 hours at 00:00, 05:00, 10:00, 15:00, 20:00, and so on. For example, if the current time is 16:37, the next query is at 20:00.
      • 0 14 * * *: The query is performed at 14:00 every day.
      • 0 0 10 * *: The query is performed at 00:00 on the 10th day of every month.

    Restores

    Configure a policy for sending an alarm clearance notification.

    If alarm clearance notification is enabled and the trigger condition has not been met for the specified number of statistical periods, an alarm clearance notification will be sent.

    Number of last queries: 1–10

    Notify When

    • Alarm triggered: Specify whether to send a notification when an alarm is triggered. If this option is enabled, a notification will be sent when the trigger condition is met.
    • Alarm cleared: Specify whether to send a notification when an alarm is cleared. If this option is enabled, a notification will be sent when the recovery policy is met.

    Frequency

    You can select Once, Every 5 minutes, Every 10 minutes, Every 15 minutes, Every 30 minutes, Every hour, Every 3 hours, or Every 6 hours to send alarms.

    Once indicates that a notification is sent once an alarm is generated. Every 10 minutes indicates that the minimum interval between two notifications is 10 minutes, preventing alarm storms.

    Alarm Action Rules

    Select a desired rule from the drop-down list.

    If no rule is available, click Create Alarm Action Rule on the right. For details, see Creating an Alarm Action Rule.

    Language

    Specify the language (English) in which alarms are sent.

  5. Click Confirm. The alarm rule is created.

Creating Log Alarm Rules by SQL

  1. Log in to the AOM 2.0 console.
  2. In the navigation pane, choose Alarm Management > Alarm Rules.
  3. In the right pane, click the Log Alarm Rules tab and click Add Log Alarm Rule.
  4. On the displayed page, set alarm rule parameters by referring to Table 3.

    Table 3 Alarm condition parameters (columns: Category, Parameter, Description)

    Basic Info

    Rule Name

    Name of a rule. Enter 1 to 64 characters and do not start or end with a hyphen (-) or underscore (_). Only letters, digits, hyphens, and underscores are allowed.

    NOTE:

    After an alarm rule is created, the rule name can be modified. After the modification, move the cursor over the rule name to view both new and original rule names.

    Description

    Description of the rule. Enter up to 64 characters.

    Statistical Analysis

    Statistics

    By SQL: for alarm rules whose statistics are produced by the old SQL engine.

    Charts

    You can add a chart in two ways.

    • Configure from Scratch: Click Configure from Scratch and then select a log group and stream. Set parameters as follows:

      Log Group Name: (Required) Select a log group.

      Log Stream Name: (Required) Select a log stream.
      NOTE:

      If no structuring rule has been configured, configure structuring first.

      Query Time Range: (Optional) the period specified for querying logs. It can be 1 to 60 minutes or 1 to 24 hours.

      Query Statement: Required.

    • Import Configuration: Click the import icon. On the displayed Custom page, select a log group and stream, select a chart, and click OK. If there are no charts available or the charts do not fit your needs, click Create Chart. Configure the chart parameters, click OK, and click Save and Back in the upper right corner to return to the Create Alarm Rule page. The chart you just created is now selected and its query statement has been filled in.

      Specify the query time range (1 to 60 minutes or 1 to 24 hours). When the query frequency is set to every 1 to 4 minutes, the query time range cannot exceed one hour.

      You can add more charts by clicking the add icon.

      NOTE:
      • Click the visualization icon to go to the visualization page of the log stream.
      • Click the delete icon to remove an added chart.
      • Click Preview to view the data after visualized analysis. You must click Preview; otherwise, the alarm rule cannot be saved.
      • Up to three charts can be added.
      • The chart and the query statement cannot be left blank.

    Check Rule

    Enter a specific conditional expression. When the expression execution result is true, an alarm is generated.

    Basic syntax and syntax across multiple charts are supported.

    • Basic syntax
      • Basic arithmetic operators: addition (+), subtraction (-), multiplication (*), division (/), and modulo (%). Example: x * 10 + y > 100
      • Comparison operators: greater than (>), greater than or equal to (>=), less than (<), less than or equal to (<=), equal to (==), and not equal to (!=). Example: x >= 100
      • Logical operators: && (and) and || (or). Example: x > 0 && y < 200
      • Logical negation (!). Example: !(x < 1 || x > 100), which is true when x is between 1 and 100 inclusive
      • Numeric constants: processed as 64-bit floating point numbers. Example: x > 10. Because values are floating point, avoid testing computed results with == or !=; use >=, <=, or a tolerance instead.
      • String constants. Example: str == "string"
      • Boolean constants: true and false. Example: (x < 100) != true
      • Parentheses: used to change the order of operations. Example: x * (y + 10) < 200
      • Contains function: used to check whether a string contains a substring. Example: contains(str, "hello") returns true when str contains the substring hello.
    • Syntax across multiple charts
      • Basic arithmetic operators: addition (+), subtraction (-), multiplication (*), division (/), and modulo (%).
      • Comparison operators: greater than (>), greater than or equal to (>=), less than (<), less than or equal to (<=), equal to (==), and not equal to (!=).
      • Logical operators: && (and) and || (or).
      • Logical negation (!)
      • Contains function
      • Parentheses
    NOTE:
    • Specify the number of queries and the number of times the condition (conditional expression) must be met within those queries to trigger an alarm. The number of times cannot exceed the number of queries.
    • The alarm severity can be Critical (default), Major, Minor, or Info.
    • Number of queries: 1–10

    Advanced Settings

    Query Frequency

    Options:

    • Hourly: The query is performed at the top of each hour.
    • Daily: The query is performed at a specific time every day.
    • Weekly: The query is performed at a specific time on a specific day every week.
    • Custom interval: You can specify the interval from 1 minute to 60 minutes or from 1 hour to 24 hours. For example, if the current time is 9:00 and the Custom interval is set to 5 minutes, the first query is at 9:00, the second query is at 9:05, the third query is at 9:10, and so on.
      NOTE:

      When the query time range is larger than 1 hour, the interval must be at least 5 minutes.

    • CRON: Cron expressions have five fields (minute, hour, day of month, month, day of week), use the 24-hour format, and are precise down to the minute. Examples:
      • 0/10 * * * *: The query starts from 00:00 and is performed every 10 minutes at 00:00, 00:10, 00:20, 00:30, 00:40, 00:50, 01:00, and so on. For example, if the current time is 16:37, the next query is at 16:40.
      • 0 0/5 * * *: The query starts from 00:00 and is performed every 5 hours at 00:00, 05:00, 10:00, 15:00, 20:00, and so on. For example, if the current time is 16:37, the next query is at 20:00.
      • 0 14 * * *: The query is performed at 14:00 every day.
      • 0 0 10 * *: The query is performed at 00:00 on the 10th day of every month.

    Restores

    Configure a policy for sending an alarm clearance notification.

    If alarm clearance notification is enabled and the trigger condition has not been met for the specified number of statistical periods, an alarm clearance notification will be sent.

    Number of last queries: 1–10

    Notify When

    • Alarm triggered: Specify whether to send a notification when an alarm is triggered. If this option is enabled, a notification will be sent when the trigger condition is met.
    • Alarm cleared: Specify whether to send a notification when an alarm is cleared. If this option is enabled, a notification will be sent when the recovery policy is met.

    Frequency

    You can select Once, Every 5 minutes, Every 10 minutes, Every 15 minutes, Every 30 minutes, Every hour, Every 3 hours, or Every 6 hours to send alarms.

    Once indicates that a notification is sent once an alarm is generated. Every 10 minutes indicates that the minimum interval between two notifications is 10 minutes, preventing alarm storms.

    Alarm Action Rules

    Select a desired rule from the drop-down list.

    If no rule is available, click Create Alarm Action Rule on the right. For details, see Creating an Alarm Action Rule.

    Language

    Specify the language (English) in which alarms are sent.

  5. Click Confirm. The alarm rule is created.