Define an Alert

You can define an alert in VMware Aria Operations for Logs and send email or webhook notifications, or trigger notification events in VMware Aria Operations if the number of events that match the alert query exceeds the thresholds that you have set.

Prerequisites

Verify that you are logged in to the VMware Aria Operations for Logs web user interface, for which the URL format is https://operations_for_logs-host. Here, operations_for_logs-host is the IP address or host name of the VMware Aria Operations for Logs virtual appliance.
Verify that your user account is associated with a role that has the relevant permissions for alerts.
If your user account is assigned a role with view access to alerts (for example, the User role), you can view and manage all the alerts in your organization.
If your user account is assigned a role with edit or full access to alerts (for example, the Super Admin role):
- You can activate or deactivate all the system alerts in your organization.
- You can create, modify, and remove all the user-defined alerts in your organization.
For information about roles, see Create and Modify Roles in Administering VMware Aria Operations for Logs.

Procedure

Expand the main menu and navigate to Alerts > Alerts Definition.
Click Create New.

Tip: Alternatively you can navigate to the Explore Logs page and create an alert based on a query. Enter a query, and next to the Search button, click and select Create Alert from Query.
Enter a name for the alert.
You can customize the alert name by including a field in the format ${field name }. For example, you can enter the alert name as Alert for ${hostname} VPXA Logs. Assuming that there are two host names and you have set up email notifications for the alert, the email subject looks like this:
```
Alert for "hostname loginsight-01.eng.vmware.com and 1 more" VPXA Logs
```
You can use other static fields in the description, such as event_type, source, filepath, and so on. You can also use extracted fields.
Note:
- You can add only one static or extracted field to the alert name.
- If you use an extracted field in the alert name, it must be a part of the alert query. If the alert has a "Group by" condition, the extracted field must also be a part of the "Group by" condition.
- If you are sending notifications to VMware Aria Operations, one notification event is sent for each field. For example, if your alert name contains ${hostname} and there are five host names, five notification events are sent - one for each host name.
Enter a short meaningful description of the event that triggers the alert.
You can customize the alert description by including one or more fields in the format ${field name }. For example, you can enter the alert description as VPXA logs were generated for ${hostname}. Assuming that there are two host names and you have set up email notifications for the alert, the email lists some sample logs and then displays the following information:
```
Additional notes for this alert:
VPXA logs were generated for
hostname
loginsight-01.eng.vmware.com
loginsight-02.eng.vmware.com
```
You can use other static fields in the description, such as event_type, source, filepath, and so on. You can also use extracted fields.
Note:
- You can use only one static or extracted field in the alert description.
- If you use an extracted field in the alert name, it must be a part of the alert query. If the alert has a "Group by" condition, the extracted field must also be a part of the "Group by" condition.
Enter the query on which the alert is based.

Enter the trigger condition for the alert. You can select a time period and group the query results by static or extracted fields.

Trigger Condition	Description
On every match Note: You can set this trigger condition when you select Real Time in the time period drop-down menu.	The alert query runs automatically every minute. A notification is triggered when at least one event within the last minute matches the query.
Total count of events	A notification is triggered when more or less than `X` matching events occur within the time period that you select from the drop-drown menu. If this type of alert is triggered, it is snoozed for the duration of its time period to prevent duplicate alerts from being raised for the same set of events. If you want to activate an alert while it is snoozing, you can deactivate and then re-activate it.
Unique count of a field	A notification is triggered when the unique count of field `F` is more or less than `X`, within the time period that you select from the drop-drown menu.
Aggregation operation on a field	A notification is triggered when the aggregation operation `A` applied on the field `F` is more or less than `X`, within the time period that you select from the drop-drown menu.

You can configure the alert to send notifications based on the trigger condition.

To send email notifications, enter comma-separated recipient email addresses.
Ensure that SMTP is configured to activate email notifications. For more information, Configure the SMTP Server.
For information about sending webhook notifications, see Add an Alert to Send Webhook Notifications.
For information about sending notifications to VMware Aria Operations, see Add an Alert to Send Notifications to VMware Aria Operations.

(Optional) Enter a recommendation for the alert, which is included in the notification message when the alert is sent.
(Optional) To send a test alert notification, click Send Test Alert.
Click Save.

Results

Your alert definition appears in the Alerts Definition page.

What to do next

You can activate, deactivate, or modify the alert.