Updated on 2024-10-10 GMT+08:00

Configuring Log Alarm Rules

You can set alarm rules based on SQL statistics or keywords in log streams to monitor service status in real time. Currently, up to 200 keyword and SQL alarms can be created for each account.

Prerequisites

A log group and stream have been created. For details, see Managing Log Groups and Managing Log Streams.

Creating a Keyword Alarm Rule

LTS allows you to collect statistics on log keywords in log streams and set alarm rules to monitor them. By checking the number of keyword occurrences in a specified period, you can monitor in real time how your services are running.

  1. Log in to the LTS console.
  2. Choose Log Alarms in the navigation pane.
  3. Click the Alarm Rules tab.
  4. Click Create. The Create Alarm Rule right panel is displayed.
  5. Configure alarm rule parameters.

    Table 1 Keyword alarm rule parameters

    Category

    Parameter

    Description

    Basic Info

    Rule Name

    Name of the alarm rule. Enter 1 to 64 characters and do not start or end with a hyphen (-) or underscore (_). Only letters, digits, hyphens, and underscores are allowed.

    NOTE:

    After an alarm rule is created, the rule name can be modified. After the modification, move the cursor over the rule name to view the new and original rule names. The original rule name cannot be changed.

    Description

    Brief description of the rule. Enter up to 64 characters.

    Statistical Analysis

    Statistics

    By keyword: applicable when keywords are used to search for and configure log alarms.

    Query Condition

    Log Group Name: Select a log group.

    Log Stream Name: Select a log stream.
    NOTE:

    If a log group contains more than one log stream, you can select multiple log streams when creating a keyword alarm rule.

    Query Time Range: Specify the query period of the statement. The query covers the period of this length that ends at the current time. For example, if Query Time Range is set to one hour and the current time is 9:00, the period of the query statement is 8:00–9:00.

    • The value ranges from 1 to 60 in the unit of minutes.
    • The value ranges from 1 to 24 in the unit of hours.

    Keywords: Enter keywords that you want LTS to monitor in logs. Exact and fuzzy matches are supported. A keyword is case-sensitive and contains up to 1,024 characters. For details about how to set keyword search, see Using LTS Search Syntax.

    Check Rule

    Configure a condition that will trigger the alarm.

    Matching Log Events: When the number of log events that contain the configured keywords reaches the specified value, an alarm is triggered. Four comparison operators are supported: greater than (>), greater than or equal to (>=), less than (<), and less than or equal to (<=).

    • Click + to add a conditional expression (or). A maximum of 20 conditional expressions can be added.
    • Click to delete a conditional expression.

    Specify the number of queries, which run at the Query Frequency set in Advanced Settings, and the number of times the condition must be met to trigger the alarm. The number of queries must be greater than or equal to the number of times the condition must be met.

    NOTE:
    • The alarm severity can be critical (default), major, minor, or info.
    • Number of queries: 1–10

    Advanced Settings

    Query Frequency

    The options for this parameter are:

    • Hourly: The query is performed at the top of each hour.
    • Daily: The query is run at a specific time every day.
    • Weekly: The query is run at a specific time on a specific day every week.
    • Custom interval: You can specify the interval from 1 minute to 60 minutes or from 1 hour to 24 hours. For example, if the current time is 9:00 and the Custom interval is set to 5 minutes, the first query is at 9:00, the second query is at 9:05, the third query is at 9:10, and so on.
      NOTE:

      When the query time range is set to a value larger than 1 hour, the query frequency must be set to every 5 minutes or a lower frequency.

    • CRON: CRON expressions support schedules down to the minute and use 24-hour format. Examples:
      • 0/10 * * * *: The query starts from 00:00 and is performed every 10 minutes. That is, queries start at 00:00, 00:10, 00:20, 00:30, 00:40, 00:50, 01:00, and so on. For example, if the current time is 16:37, the next query is at 16:50.
      • 0 0/5 * * *: The query starts from 00:00 and is performed every 5 hours at 00:00, 05:00, 10:00, 15:00, 20:00, and so on. For example, if the current time is 16:37, the next query is at 20:00.
      • 0 14 * * *: The query is performed at 14:00 every day.
      • 0 0 10 * *: The query is performed at 00:00 on the 10th day of every month.

    Advanced Settings

    Restores

    Configure a policy for sending an alarm clearance notification.

    If alarm clearance notification is enabled and the trigger condition has not been met for the specified number of statistical periods, an alarm clearance notification is sent.

    Number of last queries: 1–10

    Advanced Settings

    Notify When

    • Alarm triggered: Specify whether to send a notification when an alarm is triggered. If this option is enabled, a notification will be sent when the trigger condition is met.
    • Alarm cleared: Specify whether to send a notification when an alarm is cleared. If this option is enabled, a notification will be sent when the recovery policy is met.

    Advanced Settings

    Frequency

    You can select Once, Every 5 minutes, Every 10 minutes, Every 15 minutes, Every 30 minutes, Every hour, Every 3 hours, or Every 6 hours to send alarms.

    Once indicates that a notification is sent once an alarm is generated. Every 10 minutes indicates that the minimum interval between two notifications is 10 minutes, preventing alarm storms.

    Advanced Settings

    Alarm Action Rules

    Select a desired rule from the drop-down list.

    If no rule is available, click Create Alarm Action Rule on the right.

    Advanced Settings

    Language

    Specify the language (Chinese (simplified) or English) in which alarms are sent.

  6. Click OK. For examples, see Example 1: Alarms Triggered by a Keyword.

    After an alarm rule is created, its status is Enabled by default. After the alarm rule is disabled, the alarm status is Disabled. After the alarm rule is disabled temporarily, the alarm status is Temporarily closed to May 30, 2023 16:21:24.000 GMT+08:00. (The time is for reference only.)

    When the alarm rule is enabled, an alarm will be triggered if the alarm rule is met. When it is disabled, an alarm will not be triggered even if the alarm rule is met.

Creating a SQL Alarm Rule

LTS can regularly run the SQL queries that you specify on structured logs and trigger an alarm when the alarm rule is met. You can view SQL alarms on the LTS console. Each SQL alarm rule can be associated with one to three charts. Each chart contains a SQL statement for querying a log stream.

Currently, this function is available to all users in regions CN South-Guangzhou, CN North-Beijing4, CN East-Shanghai1, CN-Hong Kong, CN Southwest-Guiyang1, AP-Singapore, and CN South-Shenzhen. It is also available to whitelisted users in regions AP-Bangkok, CN North-Beijing1, AP-Jakarta, and CN East-Shanghai2. It is not available in other regions.

  1. Log in to the LTS console and choose Log Alarms in the navigation pane.
  2. Click the Alarm Rules tab.
  3. Click Create. The Create Alarm Rule right panel is displayed.
  4. Configure alarm rule parameters. For details, see Table 2.

    Table 2 SQL alarm rule parameters

    Category

    Parameter

    Description

    Basic Info

    Rule Name

    Name of the alarm rule. Enter 1 to 64 characters and do not start or end with a hyphen (-) or underscore (_). Only letters, digits, hyphens, and underscores are allowed.

    NOTE:

    After an alarm rule is created, the rule name can be modified. After the modification, move the cursor over the rule name to view the new and original rule names. The original rule name cannot be changed.

    Description

    Rule description. Enter up to 64 characters.

    Statistical Analysis

    Statistics

    By SQL: Use SQL analysis to configure an alarm rule.

    Charts

    You can add a chart in two ways.

    • Configure from Scratch: Click Configure from Scratch and then select a log group and stream. Set parameters as follows:

      Log Group Name: (Required) Select a log group.

      Log Stream Name: (Required) Select a log stream.
      NOTE:

      If the logs in the log stream have not been structured, configure log structuring first.

      Query Time Range: (Optional) the period specified for querying logs. It can be 1 to 60 minutes or 1 to 24 hours.

      Query Statement: required.

    • Import Configuration: Click . On the displayed Custom page, select a log group and stream, select a chart, and click OK. If there are no charts available or the charts do not fit your needs, click Create Chart. Configure the chart parameters, click OK, and click Save and Back in the upper right corner to return to the Create Alarm Rule right panel. You can see that the chart you just created has been selected, and the query statement has been filled in.

      Specify the query time range (1 to 60 minutes or 1 to 24 hours). When the query frequency is set to every 1 to 4 minutes, the query time range can only be set to a value no larger than 1 hour.

      You can continue to add more charts by clicking .

      NOTE:
      • Click to go to the visualization page of the log stream.
      • Click to delete an added chart.
      • Click Preview to view the data after visualized analysis. You must click Preview; otherwise, the alarm rule cannot be saved.
      • Up to three charts can be added.
      • The chart and the query statement are required.

    Check Rule

    Enter a specific conditional expression. When the expression execution result is true, an alarm is generated.

    NOTE:
    • Conditional expressions support Chinese characters.
    • Conditional expressions cannot contain only digits or start with a digit.
    • Specify the number of queries and the number of times the condition must be met to trigger the alarm. The number of queries must be greater than or equal to the number of times the condition must be met.
    • The alarm severity can be critical (default), major, minor, or info.
    • Number of queries: 1–10
    • Click + to add a conditional expression (or). A maximum of 20 conditional expressions can be added.
    • Click to delete a conditional expression.

    Basic syntax and syntax across multiple charts are supported.

    • Basic syntax
      • Basic arithmetic operators: addition (+), subtraction (-), multiplication (*), division (/), and modulo (%). Example: x * 10 + y > 100
      • Comparison operators: greater than (>), greater than or equal to (>=), less than (<), less than or equal to (<=), equal to (==), and not equal to (!=). Example: x >= 100.
      • Logical operators: && (and) and || (or). Example: x > 0 && y < 200
      • Logical negation (!). Example: !(x < 1 && x > 100)
      • Numeric constants: They are processed as 64-bit floating point numbers. Example: x > 10
      • String constants. Example: str == "string"
      • Boolean constants: true and false. Example: (x < 100) != true
      • Parentheses: used to change the order of operations. Example: x * (y + 10) < 200
      • contains function: used to check whether a string contains a substring. For example, if you run contains(str, "hello") and true is returned, the string contains the hello substring.
    • Syntax across multiple charts
      • Basic arithmetic operators: addition (+), subtraction (-), multiplication (*), division (/), and modulo (%).
      • Comparison operators: greater than (>), greater than or equal to (>=), less than (<), less than or equal to (<=), equal to (==), and not equal to (!=).
      • Logical operators: && (and) and || (or).
      • Logical negation (!)
      • contains function
      • Parentheses

    Advanced Settings

    Query Frequency

    The options for this parameter are:

    • Hourly: The query is performed at the top of each hour.
    • Daily: The query is run at a specific time every day.
    • Weekly: The query is run at a specific time on a specific day every week.
    • Custom interval: You can specify the interval from 1 minute to 60 minutes or from 1 hour to 24 hours. For example, if the current time is 9:00 and the Custom interval is set to 5 minutes, the first query is at 9:00, the second query is at 9:05, the third query is at 9:10, and so on.
      NOTE:

      When the query time range is set to a value larger than 1 hour, the query frequency must be set to every 5 minutes or a lower frequency.

    • CRON: CRON expressions support schedules down to the minute and use 24-hour format. Examples:
      • 0/10 * * * *: The query starts from 00:00 and is performed every 10 minutes. That is, queries start at 00:00, 00:10, 00:20, 00:30, 00:40, 00:50, 01:00, and so on. For example, if the current time is 16:37, the next query is at 16:50.
      • 0 0/5 * * *: The query starts from 00:00 and is performed every 5 hours at 00:00, 05:00, 10:00, 15:00, 20:00, and so on. For example, if the current time is 16:37, the next query is at 20:00.
      • 0 14 * * *: The query is performed at 14:00 every day.
      • 0 0 10 * *: The query is performed at 00:00 on the 10th day of every month.

    Advanced Settings

    Restores

    Configure a policy for sending an alarm clearance notification.

    If alarm clearance notification is enabled and the trigger condition has not been met for the specified number of statistical periods, an alarm clearance notification is sent.

    Number of last queries: 1–10

    Advanced Settings

    Notify When

    • Alarm triggered: Specify whether to send a notification when an alarm is triggered. If this option is enabled, a notification will be sent when the trigger condition is met.
    • Alarm cleared: Specify whether to send a notification when an alarm is cleared. If this option is enabled, a notification will be sent when the recovery policy is met.

    Advanced Settings

    Frequency

    You can select Once, Every 5 minutes, Every 10 minutes, Every 15 minutes, Every 30 minutes, Every hour, Every 3 hours, or Every 6 hours to send alarms.

    Once indicates that a notification is sent once an alarm is generated. Every 10 minutes indicates that the minimum interval between two notifications is 10 minutes, preventing alarm storms.

    Advanced Settings

    Alarm Action Rules

    Select a desired rule from the drop-down list.

    If no rule is available, click Create Alarm Action Rule on the right. For details, see Creating an Alarm Action Rule.

    Advanced Settings

    Language

    Specify the language (Chinese (simplified) or English) in which alarms are sent.

  5. Click OK. For examples, see Example 2: Alarms Triggered by the Keyword Frequency.

Creating Multiple Alarm Rules

You can create multiple alarm rules in a batch.

  1. On the Alarm Rules tab page, import alarm rules in a batch.

    1. Click Import. The Import Alarm Rule dialog box is displayed.
    2. Click Download Alarm Template.xlsx to download the template to the local PC and fill in the template.
    3. Click Select File and select the file that has been filled in.
    4. Check the imported rule information and click Import.
    5. After the import is successful, view the alarm rule details in the rule list.

  2. Click Modify. The Edit Alarm Rules page is displayed.
  3. Under Basic Settings, enter the number of alarm rules and click Add.

    Alternatively, click Import to import alarm rules in a batch.

    A maximum of 200 rules can be created. By default, there is one alarm rule in the rule list. Therefore, you can add up to 199 more rules.

  4. In the Rule List area, set alarm rules by referring to Creating a SQL Alarm Rule and Creating a Keyword Alarm Rule, and click Submit.

    • After setting an alarm rule, you can click Apply to Other Rules to copy its settings to other alarm rules.
    • The created alarm rules will be displayed on the Alarm Rules tab page after the batch creation is successful.

Follow-up Operations on Alarm Rules

  • You can perform the following operations on a single alarm rule.

    Modifying an alarm rule: Click Modify in the Operation column of the target alarm rule. On the displayed page, modify the rule name, query condition, and check rule, and click OK.

    Enabling an alarm rule: Click More > Enable in the Operation column of the target alarm rule.

    Disabling an alarm rule: Click More > Disable in the Operation column of the target alarm rule.

    Temporarily disabling an alarm rule: Click More > Disable Temporarily in the Operation column of the target alarm rule.

    Copying an alarm rule: Click More > Copy in the Operation column of the target alarm rule.

    Deleting an alarm rule: Click Delete in the Operation column of the target alarm rule. In the displayed dialog box, click OK.

  • After selecting multiple alarm rules, you can perform the following operations on the alarms: Open, Close, Disable Temporarily, Re-Enable, Enable Clearance, Disable Clearance, Delete, and Export.
  • You can move the cursor to the rule name to view both the new and original names after modification. The original rule name cannot be changed.

Example 1: Alarms Triggered by a Keyword

If you want to trigger an alarm upon the detection of a specific keyword in a log, follow this example to set a query statement and a keyword alarm rule. The example is for reference only.

Ensure that the keyword you specify exists in the log stream. In this example, the keyword is Error.

Figure 1 Querying result
  • Query statement: Set the query time range to 15 minutes and run the following statement to query logs containing the keyword Error. For other search syntaxes, see Using LTS Search Syntax.
    Figure 2 Query statement
  • Alarm notification: After creating the preceding alarm rule, you will receive an alarm in the alarm list as long as the keyword Error appears in a log. You can also click an alarm name to view the alarm details and sources.
    Figure 3 Alarm

Example 2: Alarms Triggered by the Keyword Frequency

If you want to trigger an alarm when the number of occurrences of a specified keyword reaches a specified value in a specified period, follow this example to set a query analysis statement and SQL alarm rule. The example is for reference only.

Run SELECT count(*) as Error. The result indicates that Error appears 90 times in total in the target log stream.

Figure 4 Querying result
  • Query statement: Set the query time range to 5 minutes and run the statement SELECT count(*) as Error to collect statistics on the number of times that the keyword Error appears within 5 minutes. For other search syntaxes, see SQL Analysis Syntax.
    Figure 5 Query statement
  • Alarm notification: After creating the preceding alarm rule, you will receive an alarm in the alarm list as long as the keyword Error appears in logs two or more times. You can also click an alarm name to view the alarm details and sources.
    Figure 6 Alarm
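
An offline way to try a check-rule expression against sample query results before saving the rule, as an added example that is not LTS's evaluator. It accepts only the operators listed under Check Rule in Table 2 and walks a whitelisted AST instead of calling eval(). The condition Error >= 2, the sample row, and the function names are assumptions; % follows Python's semantics for negative operands.

```python
import ast
import operator
import re

ARITH = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
         ast.Div: operator.truediv, ast.Mod: operator.mod}
COMPARE = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}

def to_python(expr):
    """Rewrite &&, ||, !( and true/false outside string literals for Python's parser."""
    chunks = re.split(r'("(?:[^"\\]|\\.)*")', expr)
    for i in range(0, len(chunks), 2):  # even chunks lie outside string literals
        c = chunks[i].replace("&&", " and ").replace("||", " or ")
        c = re.sub(r"!\s*\(", " NOT(", c)  # != is untouched; a bare !x is rejected later
        c = re.sub(r"\btrue\b", "True", c)
        chunks[i] = re.sub(r"\bfalse\b", "False", c)
    return "".join(chunks).strip()

def evaluate(node, row):
    """Walk the AST, allowing only the operators listed in Table 2."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (bool, str)):
        return node.value
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return float(node.value)  # the page says numbers are 64-bit floats
    if isinstance(node, ast.Name):
        if node.id not in row:
            raise ValueError(f"unknown field {node.id!r}")
        return row[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -evaluate(node.operand, row)
    if isinstance(node, ast.BinOp) and type(node.op) in ARITH:
        return ARITH[type(node.op)](evaluate(node.left, row), evaluate(node.right, row))
    if isinstance(node, ast.BoolOp):
        results = (bool(evaluate(v, row)) for v in node.values)
        return all(results) if isinstance(node.op, ast.And) else any(results)
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in COMPARE:
        return COMPARE[type(node.ops[0])](evaluate(node.left, row),
                                           evaluate(node.comparators[0], row))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords:
        args = [evaluate(a, row) for a in node.args]
        if node.func.id == "NOT" and len(args) == 1:
            return not args[0]
        if node.func.id == "contains" and len(args) == 2:
            return str(args[1]) in str(args[0])
    raise ValueError(f"unsupported syntax: {type(node).__name__}")

def check(expr, row):
    """True if the check-rule expression holds for one row of query results."""
    try:
        tree = ast.parse(to_python(expr), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"cannot parse {expr!r}") from exc
    return bool(evaluate(tree.body, row))

if __name__ == "__main__":
    row = {"Error": 90}  # constructed row shaped like Example 2's query result
    print(check("Error >= 2", row))
```

Run against the negation example in Table 2, !(x < 1 && x > 100), this returns true for every x, because no value is both below 1 and above 100; a rule meant to fire outside a range needs || inside the parentheses.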