You can define an alert to notify users when specific data appears in the logs. An alert is based on a query.

Prerequisites

Verify that you are logged in to the vRealize Log Insight Cloud web user interface as an administrator.

Procedure

  1. Click the two arrows icon in the upper-left corner of the screen to expand the main menu.
  2. Navigate to Alerts > Alert Definitions.
  3. In the upper-right corner of the page, click Create New.
    Tip: Alternatively you can navigate to the Explore Logs page and create an alert based on a new or saved query.
    • To create an alert based on a new query, run the query and click the exclamation mark icon in the upper-right corner.

      You can select a time period and use filters for more specific query results. For more information, see Searching for Logs.

    • To create an alert based on a saved query, click the three dots icon in the upper-right corner and click Open Saved Query. Click a saved query and click the exclamation mark icon in the upper-right corner.
  4. Enter the following information for the alert:
    • A name for the alert.
    • A short meaningful description of the event that triggers the alert.
    • The query on which the alert is based. You can enter a query or select a favorite query.
    • The trigger conditions for the alert and the severity based on each condition. You can add multiple trigger conditions and set a severity for each trigger condition to Critical, Immediate, Warning, or Info. For each severity, you can send email or webhook notifications in the Choose Notification drop-down menu. To send email notifications, in the Email Recipients text box, enter a recipient email address and click the plus icon. To send webhook notifications, select the check boxes for the webhooks that you want to notify.
      The available trigger conditions are:

      On every match
        Note: You can set this trigger condition only when you select Real Time in the time period drop-down menu.
        The alert query is matched against every log that is ingested. The time period is not relevant.

      When total count of events is applied with operation X for threshold Y
        The alert query is run within the window of the time period. The total number of results is compared with the threshold Y using the operation X. The time period is used to query logs.

      When unique count of field F is applied with operation X for threshold Y
        The alert query is run within the window of the time period and returns the number of distinct values of field F. That count is compared with the threshold Y using the operation X. The time period is used to query logs.

      When aggregation operation A on field F is applied with operation X for threshold Y
        The alert query is run within the window of the time period and returns the result of the aggregation operation A applied to field F. That result is compared with the threshold Y using the operation X. The time period is used to query logs.

    • (Optional) Key-value notification metadata that is sent as part of the payload to the selected webhooks.
    • (Optional) A recommendation for the alert, which is included in the notification message when the alert is sent.
    • (Optional) One or more tags for the alert. You can use existing tags or create new tags. Tags help you group alerts according to your requirements.
    • By default, the alert is disabled indefinitely. To enable the alert, click the toggle button next to the alert name.
  5. Click Save.
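To make the semantics of the trigger conditions in step 4 concrete, the following Python script is an added illustration and not code from vRealize Log Insight Cloud: it evaluates a windowed alert (total count, unique count of a field, and an aggregation on a field, each with its own operation, threshold and severity) and a real-time "On every match" alert over a handful of constructed authentication log lines, then assembles a webhook-style payload that carries the alert's description, recommendation, tags and key-value metadata. The log fields, the alert dictionary layout and the payload shape are assumptions made for the example, not the product's own query language or webhook format.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample log lines for the example (not real product output).
SAMPLE_LOGS = [
    {"timestamp": "2024-01-01T09:45:00Z", "event": "auth_failure", "user": "carol", "src_ip": "10.0.0.7", "latency_ms": 200},
    {"timestamp": "2024-01-01T10:00:05Z", "event": "auth_failure", "user": "alice", "src_ip": "10.0.0.5", "latency_ms": 150},
    {"timestamp": "2024-01-01T10:02:00Z", "event": "auth_failure", "user": "alice", "src_ip": "10.0.0.5", "latency_ms": 110},
    {"timestamp": "2024-01-01T10:04:30Z", "event": "auth_failure", "user": "bob", "src_ip": "10.0.0.9", "latency_ms": 90},
    {"timestamp": "2024-01-01T10:06:00Z", "event": "auth_success", "user": "alice", "src_ip": "10.0.0.5", "latency_ms": 80},
    {"timestamp": "2024-01-01T10:07:15Z", "event": "auth_failure", "user": "bob", "src_ip": "10.0.0.9", "latency_ms": 130},
]
NOW = datetime(2024, 1, 1, 10, 10, 0)  # evaluation time for the windowed conditions

# Operation X and aggregation operation A, as named in the trigger condition descriptions.
OPERATORS = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
AGGREGATIONS = {"min": min, "max": max, "sum": sum, "avg": mean}
SEVERITY_ORDER = ["Info", "Warning", "Immediate", "Critical"]  # lowest to highest

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def run_query(alert, logs, now):
    """Return the logs in (now - window, now] that match the alert's query predicate."""
    start = now - alert["window"]
    return [log for log in logs if start < parse_ts(log["timestamp"]) <= now and alert["query"](log)]

def evaluate_condition(cond, matches):
    """Evaluate one trigger condition against the matched logs; return (fired, observed value)."""
    kind = cond["kind"]
    if kind == "every_match":
        # Real-time mode: the time period is irrelevant; any matching log fires the alert.
        return len(matches) > 0, len(matches)
    if kind == "count":
        value = len(matches)
    elif kind == "unique_count":
        value = len({log[cond["field"]] for log in matches if cond["field"] in log})
    elif kind == "aggregation":
        values = [log[cond["field"]] for log in matches if cond["field"] in log]
        if not values:
            return False, None  # nothing to aggregate: the condition cannot fire
        value = AGGREGATIONS[cond["aggregation"]](values)
    else:
        raise ValueError(f"unknown trigger condition kind: {kind}")
    return OPERATORS[cond["operator"]](value, cond["threshold"]), value

def evaluate_alert(alert, logs, now):
    """Windowed evaluation: run the query once, then check every trigger condition."""
    matches = run_query(alert, logs, now)
    fired = []
    for cond in alert["conditions"]:
        hit, value = evaluate_condition(cond, matches)
        if hit:
            fired.append({"kind": cond["kind"], "severity": cond["severity"], "observed": value})
    return fired

def evaluate_realtime(alert, log):
    """Real-time ('On every match') evaluation of a single ingested log."""
    matches = [log] if alert["query"](log) else []
    return [{"kind": c["kind"], "severity": c["severity"], "observed": 1}
            for c in alert["conditions"] if c["kind"] == "every_match" and matches]

def build_webhook_payload(alert, fired):
    """Assemble a notification payload: alert details, metadata key-values and the highest severity hit."""
    top = max((f["severity"] for f in fired), key=SEVERITY_ORDER.index, default=None)
    return {
        "name": alert["name"], "description": alert["description"],
        "recommendation": alert["recommendation"], "tags": alert["tags"],
        "metadata": alert["metadata"], "severity": top, "triggers": fired,
    }

# Example alert definition (constructed): repeated authentication failures in a 10-minute window.
EXAMPLE_ALERT = {
    "name": "Repeated authentication failures",
    "description": "Several failed logins were observed within the evaluation window.",
    "recommendation": "Review the source addresses and confirm with the account owners before locking accounts.",
    "tags": ["identity", "auth"],
    "metadata": {"team": "soc", "runbook": "AUTH-001"},
    "window": timedelta(minutes=10),
    "query": lambda log: log["event"] == "auth_failure",
    "conditions": [
        {"kind": "count", "operator": ">=", "threshold": 3, "severity": "Critical"},
        {"kind": "unique_count", "field": "user", "operator": ">=", "threshold": 3, "severity": "Warning"},
        {"kind": "aggregation", "aggregation": "avg", "field": "latency_ms", "operator": ">", "threshold": 100, "severity": "Info"},
    ],
}
REALTIME_ALERT = {**EXAMPLE_ALERT, "name": "Any authentication failure",
                  "conditions": [{"kind": "every_match", "severity": "Immediate"}]}

if __name__ == "__main__":
    fired = evaluate_alert(EXAMPLE_ALERT, SAMPLE_LOGS, NOW)
    print(build_webhook_payload(EXAMPLE_ALERT, fired))   # Critical: 4 failures, avg latency 120 ms
    print(evaluate_realtime(REALTIME_ALERT, SAMPLE_LOGS[1]))
```

With the constructed logs, the 09:45 event falls outside the 10-minute window and the auth_success event does not match the query, so four failures remain: the count condition fires at Critical, the unique-count condition stays quiet because only two distinct users are involved, and the average-latency aggregation fires at Info. The payload reports the highest severity reached, mirroring how each trigger condition carries its own severity in the alert definition.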

Results

The alert definition appears in Alerts > Alert Definitions.