You can define an alert to notify users when specific data appears in the logs. An alert is based on a query.

Prerequisites

Verify that you are logged in to the vRealize Log Insight Cloud web user interface as an administrator.

Procedure

  1. Click the two arrows icon in the upper-left corner of the screen to expand the main menu.
  2. Click Explore Logs.
  3. Enter a query and click the Search button to view the results.
    You can select a time period and use filters for more specific query results. For more information, see Searching for Logs.
    Tip: You can also create an alert from a saved query. To access a saved query, click the three dots icon in the upper-right corner, click Open Saved Query, and then click a saved query.
  4. To create an alert from the query, click the exclamation mark icon.
  5. In the Save as an alert dialog box, enter the following information:
    • A name for the alert.
    • A short meaningful description of the event that triggers the alert.
    • A recommendation for the alert, which is included in the notification message when the alert is sent.
  6. Click Save.
    The alert definition opens.
  7. To configure alert notifications, click the pencil icon next to Notification.
    • To send email notifications, select the Email check box and enter a comma-separated list of recipient email addresses.
    • To send webhook notifications, select the check boxes for the webhooks that you want to notify.
      Tip: You can send additional details for an alert to the webhook payload. In the Notification Metadata section, add key-value pairs to include custom fields in addition to the default values. These key-value pairs are appended to the webhook payload when the notification is sent.
  8. In the Trigger section, set the alert threshold.
    Option: On every match
      Description: The alert query is matched against every log that is ingested. The time period is not relevant.

    Option: When total count of events is applied with operation X for threshold Y
      Description: The alert query is run within the window of the time period. The resulting count is compared using the operation X against the threshold Y. The time period is used to query logs.

    Option: When unique count of field F is applied with operation X for threshold Y
      Description: The alert query is run within the window of the time period and returns the number of distinct values of field F. The result is compared using the operation X against the threshold Y. The time period is used to query logs.

    Option: When aggregation operation A on field F is applied with operation X for threshold Y
      Description: The alert query is run within the window of the time period and returns the result of the aggregation operation A applied to the field F. The result is compared using the operation X against the threshold Y. The time period is used to query logs.

  9. The alert is disabled indefinitely by default. To enable the alert, click the three dots icon in the upper-right corner and click Enable.
  10. Click the Save icon.
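To make the four trigger types concrete, the following is an added illustration, not vRealize Log Insight Cloud code and not a description of how the service evaluates queries internally. It assumes a simplified query (case-insensitive substring match on the log text), a fixed evaluation window, and constructed sample events with the made-up fields user and latency_ms. Each trigger function returns the computed value and whether the threshold comparison fired, so the difference between "on every match" (no window, one firing per event) and the windowed count, unique-count and aggregation triggers is visible on the same data.

```python
"""Toy evaluator for the four alert trigger types in the table above.

Added example only: not product code. Log events, field names and the
substring query matcher are constructed for illustration.
"""
import operator
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Constructed sample events: timestamp, raw text, and extracted fields.
LOGS = [
    {"ts": "2024-01-01T09:50:00Z", "text": "login failed for user mallory", "fields": {"user": "mallory", "latency_ms": 80}},
    {"ts": "2024-01-01T10:00:05Z", "text": "login failed for user alice", "fields": {"user": "alice", "latency_ms": 120}},
    {"ts": "2024-01-01T10:01:10Z", "text": "login failed for user bob", "fields": {"user": "bob", "latency_ms": 340}},
    {"ts": "2024-01-01T10:02:30Z", "text": "login succeeded for user carol", "fields": {"user": "carol", "latency_ms": 90}},
    {"ts": "2024-01-01T10:03:15Z", "text": "login failed for user alice", "fields": {"user": "alice", "latency_ms": 210}},
    {"ts": "2024-01-01T10:04:40Z", "text": "login failed for user dave", "fields": {"user": "dave", "latency_ms": 500}},
]

# Comparison operation X from the trigger table.
OPS: Dict[str, Callable[[float, float], bool]] = {
    ">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "==": operator.eq,
}

# Aggregation operation A from the trigger table.
AGGS: Dict[str, Callable[[List[float]], float]] = {
    "sum": sum, "min": min, "max": max, "avg": lambda xs: sum(xs) / len(xs),
}

# Evaluation window assumed for the windowed triggers (constructed values).
WINDOW_END = datetime.strptime("2024-01-01T10:05:00Z", "%Y-%m-%dT%H:%M:%SZ")
WINDOW = timedelta(minutes=5)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def matches(event: dict, query: str) -> bool:
    # Simplified stand-in for the real query language: substring match on text.
    return query.lower() in event["text"].lower()


def on_every_match(events: List[dict], query: str) -> List[dict]:
    """'On every match': every matching event fires on its own; no time window."""
    return [e for e in events if matches(e, query)]


def events_in_window(events, query, window_end, window):
    """Matching events whose timestamp lies in (window_end - window, window_end]."""
    start = window_end - window
    return [e for e in events if matches(e, query) and start < parse_ts(e["ts"]) <= window_end]


def total_count_trigger(events, query, window_end, window, op, threshold):
    """'Total count of events' applied with operation X for threshold Y."""
    count = len(events_in_window(events, query, window_end, window))
    return count, OPS[op](count, threshold)


def unique_count_trigger(events, query, window_end, window, field, op, threshold):
    """'Unique count of field F' applied with operation X for threshold Y."""
    values = {e["fields"].get(field) for e in events_in_window(events, query, window_end, window)}
    values.discard(None)  # events without the field contribute no value
    return len(values), OPS[op](len(values), threshold)


def aggregation_trigger(events, query, window_end, window, agg, field, op, threshold):
    """'Aggregation operation A on field F' applied with operation X for threshold Y."""
    hits = events_in_window(events, query, window_end, window)
    values = [e["fields"][field] for e in hits if field in e["fields"]]
    if not values:
        return None, False  # nothing to aggregate in the window: do not fire
    result = AGGS[agg](values)
    return result, OPS[op](result, threshold)


if __name__ == "__main__":
    q = "login failed"
    print(len(on_every_match(LOGS, q)), "events would each fire under 'On every match'")
    print("total count >= 4:", total_count_trigger(LOGS, q, WINDOW_END, WINDOW, ">=", 4))
    print("unique users >= 3:", unique_count_trigger(LOGS, q, WINDOW_END, WINDOW, "user", ">=", 3))
    print("avg latency > 250:", aggregation_trigger(LOGS, q, WINDOW_END, WINDOW, "avg", "latency_ms", ">", 250))
```

Note the 09:50:00 event: it matches the query, so it fires under "On every match", but it falls outside the five-minute window and therefore does not count toward the windowed triggers, which is the practical difference the "time period is not relevant" row in the table describes.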

Results

The alert definition appears in Alerts > Alert Definitions.