You can define an alert to notify users when specific data appears in the logs. An alert is based on a query.

Prerequisites

Verify that you are logged in to the vRealize Log Insight Cloud web user interface as an administrator.

Procedure

  1. Click the two arrows icon in the upper-left corner of the screen to expand the main menu.
  2. Navigate to Alerts > Alert Definitions.
  3. In the upper-right corner of the page, click Create New.
    Tip: Alternatively, you can navigate to the Explore Logs page and create an alert based on a new or saved query.
    • To create an alert based on a new query, run the query and click the exclamation mark icon in the upper-right corner.

      You can select a time period and use filters for more specific query results. For more information, see Searching for Logs.

    • To create an alert based on a saved query, click the three dots icon in the upper-right corner and click Open Saved Query. Click a saved query and click the exclamation mark icon in the upper-right corner.
  4. Enter the following information:
    • A name for the alert.

      You can customize the alert name by including a field in the format ${field_name}, for example, ${hostname}. In the notification title, ${hostname} is replaced with the actual host name value, for example, vcenter.

    • A short meaningful description of the event that triggers the alert.

      You can customize the alert description by including a field in the format ${field_name}, for example, ${log_type}. In the notification message, ${log_type} is replaced with the actual log type value, for example, audit.

    • The query on which the alert is based and a name for the query. You can enter a query or select a favorite query. You can also select one or more indexed partitions to query logs from the partition.
    • The trigger conditions for the alert and the severity based on each condition. You can add multiple trigger conditions and set the severity of each trigger condition to Critical, Immediate, Warning, or Info. For each severity, you can choose email or webhook notifications from the Choose Notification drop-down menu. To send email notifications, enter a recipient email address in the Email Recipients text box and click the plus icon. To send webhook notifications, select the check boxes for the webhooks that you want to notify.
      Trigger condition: On every match
      Description: This alert query is matched with every log that is ingested. The time period is not relevant.
      Note: You can set this trigger condition when you select Real Time in the time period drop-down menu.

      Trigger condition: When total count of events is applied with operation X for threshold Y
      Description: This alert query is run within the window of the time period. The results are matched with the operation X for the threshold of Y. The time period is used to query logs.

      Trigger condition: When unique count of field F is applied with operation X for threshold Y
      Description: This alert query is run within the window of the time period. The query returns the unique count of field F. The results are matched with the operation X for the threshold of Y. The time period is used to query logs.

      Trigger condition: When aggregation operation A on field F is applied with operation X for threshold Y
      Description: This alert query is run within the window of the time period. The query returns the result of the aggregation operation A applied on the field F. The results are matched with the operation X for the threshold of Y. The time period is used to query logs.

    • (Optional) A recommendation for the alert, which is included in the notification message when the alert is sent.
    • (Optional) One or more tags for the alert. You can use existing tags or create new tags. These tags help you group alerts according to your requirement.
    • (Optional) Customize your alert notification message.
      Alert customization: Custom fields
      Description: Select whether you want to include all the logs or custom fields in the name and description of your alert notification message. If you choose to include custom fields, enter up to 10 custom fields in the text box. To include the custom fields in email notification messages, select a JSON or Table output format.
      Note: To include the custom fields in webhook notification messages, ensure that the ${customFieldsJson} parameter is included in the payload of the selected webhooks. For more information, see Configure a Webhook to Send Alert Notifications.

      Alert customization: Notification metadata
      Description: Enter key-value metadata for the email or webhook notifications.
    • The alert is disabled indefinitely by default. To enable the alert, click the toggle button next to the alert name.
  5. Click Save.
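
The following is an added Python example, not vRealize Log Insight Cloud's own code, that models the time-period trigger conditions (total count, unique count of field F, aggregation A on field F, compared with operation X and threshold Y) over constructed sample events, and renders ${field_name} placeholders in an alert name or description. The query is simplified to an exact match on field values, which is an assumption, and the real-time On every match condition is not modeled.

```python
import re
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample events standing in for ingested logs (not real product data).
EVENTS = [
    {"ts": "2024-05-01T10:00:05", "hostname": "vcenter", "log_type": "audit", "user": "alice", "latency_ms": 40},
    {"ts": "2024-05-01T10:01:10", "hostname": "vcenter", "log_type": "audit", "user": "bob", "latency_ms": 900},
    {"ts": "2024-05-01T10:02:30", "hostname": "esxi01", "log_type": "audit", "user": "alice", "latency_ms": 1200},
    {"ts": "2024-05-01T10:03:45", "hostname": "esxi01", "log_type": "audit", "user": "carol", "latency_ms": 60},
    {"ts": "2024-05-01T09:20:00", "hostname": "vcenter", "log_type": "audit", "user": "mallory", "latency_ms": 30},
]

# Operation X and aggregation operation A from the trigger condition table.
OPERATORS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
             "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}
AGGREGATIONS = {"sum": sum, "avg": mean, "max": max, "min": min}


def query_window(events, query, window_end_iso, window_minutes):
    """Run the alert query inside the time period ending at window_end_iso.
    The query is an assumed simplification: a dict of field values that must match exactly."""
    end = datetime.fromisoformat(window_end_iso)
    start = end - timedelta(minutes=window_minutes)
    return [e for e in events
            if start <= datetime.fromisoformat(e["ts"]) <= end
            and all(e.get(k) == v for k, v in query.items())]


def evaluate_trigger(matches, condition, op, threshold, field=None, agg=None):
    """Return (fired, measured_value) for one trigger condition: 'count' (total count
    of events), 'unique_count' (unique count of field), or 'aggregation' (operation
    agg on field), compared with operation op against threshold.
    The real-time 'on every match' condition fires per ingested log and is not modeled here."""
    if condition == "count":
        value = len(matches)
    elif condition == "unique_count":
        value = len({e[field] for e in matches if field in e})
    elif condition == "aggregation":
        values = [e[field] for e in matches if field in e]
        value = AGGREGATIONS[agg](values) if values else 0  # no data in window: treat as 0
    else:
        raise ValueError(f"unknown trigger condition: {condition}")
    return OPERATORS[op](value, threshold), value


def render_template(template, event):
    """Replace ${field_name} placeholders in an alert name or description with the
    value from the triggering event, e.g. ${hostname} -> vcenter; unknown fields stay as-is."""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(event.get(m.group(1), m.group(0))), template)
```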

Results

The alert definition appears in Alerts > Alert Definitions.