You can define an alert in VMware Aria Operations for Logs and send email or webhook notifications, or trigger notification events in VMware Aria Operations if the number of events that match the alert query exceeds the thresholds that you have set.
Procedure
- Expand the main menu and navigate to Alerts > Alerts Definition.
- Click Create New.
Tip: Alternatively, you can navigate to the Explore Logs page and create an alert based on a query. Enter a query and, next to the Search button, click the icon and select Create Alert from Query.
- Enter a name for the alert.
You can customize the alert name by including a field in the format ${field name}. For example, you can enter the alert name as Alert for ${hostname} VPXA Logs. Assuming that there are two host names and you have set up email notifications for the alert, the email subject looks like this:
Alert for "hostname loginsight-01.eng.vmware.com and 1 more" VPXA Logs
You can also use other static fields, such as event_type, source, and filepath, as well as extracted fields.
Note:
- You can add only one static or extracted field to the alert name.
- If you use an extracted field in the alert name, it must be a part of the alert query. If the alert has a "Group by" condition, the extracted field must also be a part of the "Group by" condition.
- If you are sending notifications to VMware Aria Operations, one notification event is sent for each value of the field. For example, if your alert name contains ${hostname} and there are five host names, five notification events are sent, one for each host name.
- Enter a short meaningful description of the event that triggers the alert.
You can customize the alert description by including one or more fields in the format ${field name}. For example, you can enter the alert description as VPXA logs were generated for ${hostname}. Assuming that there are two host names and you have set up email notifications for the alert, the email lists some sample logs and then displays the following information:
Additional notes for this alert:
VPXA logs were generated for hostname
loginsight-01.eng.vmware.com
loginsight-02.eng.vmware.com
You can use other static fields in the description, such as event_type, source, and filepath. You can also use extracted fields.
Note:
- You can use only one static or extracted field in the alert description.
- If you use an extracted field, it must be a part of the alert query. If the alert has a "Group by" condition, the extracted field must also be a part of the "Group by" condition.
- Enter the query on which the alert is based.
- Enter the trigger condition for the alert. You can select a time period and group the query results by static or extracted fields.
Trigger Condition | Description
On every match (you can set this trigger condition only when you select Real Time in the time period drop-down menu) | The alert query runs automatically every minute. A notification is triggered when at least one event within the last minute matches the query.
Total count of events | A notification is triggered when more or fewer than X matching events occur within the time period that you select from the drop-down menu. If this type of alert is triggered, it is snoozed for the duration of its time period to prevent duplicate alerts from being raised for the same set of events. If you want to activate an alert while it is snoozed, you can deactivate and then re-activate it.
Unique count of a field | A notification is triggered when the unique count of field F is more or less than X within the time period that you select from the drop-down menu.
Aggregation operation on a field | A notification is triggered when the aggregation operation A applied to field F is more or less than X within the time period that you select from the drop-down menu.
You can configure the alert to send notifications based on the trigger condition.
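The following Python model is an added illustration of the trigger conditions above, not code from VMware Aria Operations for Logs: a stand-in query, a sliding time window, the "Total count of events" trigger with its snooze behaviour, and the unique-count and aggregation evaluations. The events, field names (hostname, latency_ms) and thresholds are constructed for the example.

```python
# Constructed sample events (not real Aria log data). "ts" is seconds since an
# arbitrary epoch; "latency_ms" stands in for an extracted numeric field.
EVENTS = [
    {"ts": 10, "hostname": "esx-01", "text": "vpxa: heartbeat lost", "latency_ms": 120},
    {"ts": 25, "hostname": "esx-02", "text": "vpxa: heartbeat lost", "latency_ms": 300},
    {"ts": 40, "hostname": "esx-01", "text": "hostd: ok",            "latency_ms": 15},
    {"ts": 55, "hostname": "esx-03", "text": "vpxa: heartbeat lost", "latency_ms": 900},
    {"ts": 95, "hostname": "esx-01", "text": "vpxa: heartbeat lost", "latency_ms": 40},
]

def query(event):
    """Stand-in for the alert query: match VPXA log lines."""
    return "vpxa" in event["text"]

def window(events, now, period):
    """Query matches whose timestamp falls within the last `period` seconds."""
    return [e for e in events if now - period < e["ts"] <= now and query(e)]

# Aggregation operations A that can be applied to a numeric field F.
AGG = {
    "count": len,
    "max": lambda xs: max(xs) if xs else 0,
    "avg": lambda xs: sum(xs) / len(xs) if xs else 0,
}

class TotalCountAlert:
    """'Total count of events': fires when more than X matches fall inside the
    time period, then snoozes for one period so the same set of events does not
    raise a duplicate alert on the next evaluation."""
    def __init__(self, period, threshold):
        self.period, self.threshold = period, threshold
        self.snoozed_until = None

    def evaluate(self, events, now):
        if self.snoozed_until is not None and now < self.snoozed_until:
            return False                      # still snoozed: no notification
        if len(window(events, now, self.period)) > self.threshold:
            self.snoozed_until = now + self.period
            return True                       # notification would be sent
        return False

def unique_count(events, now, period, field):
    """'Unique count of a field': distinct values of F within the window."""
    return len({e[field] for e in window(events, now, period)})

def aggregate(events, now, period, field, op):
    """'Aggregation operation on a field': A applied to F over the window."""
    return AGG[op]([e[field] for e in window(events, now, period)])
```

Evaluating the total-count alert at successive times shows the snooze: once it fires at t=60 with a 60-second period, an evaluation at t=90 is suppressed even though the same three matching events are still in the window.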
- (Optional) Enter a recommendation for the alert, which is included in the notification message when the alert is sent.
- (Optional) To send a test alert notification, click Send Test Alert.
- Click Save.
Results
Your alert definition appears in the Alerts Definition page.
What to do next
You can activate, deactivate, or modify the alert.