Flow alerts
Flow alerts notify you when a sequence of alert events occurs in a specific order within a defined time window. Use them to correlate signals across logs, metrics, traces, and security, so you alert on a chain of events rather than isolated symptoms, and surface a likely root cause.
For example, to catch an HTTP error spike caused by high CPU, configure a flow alert that fires when a high HTTP error rate alert follows a high CPU utilization alert within a set time frame.
What you need
- Access to Coralogix with permission to create alerts
- The individual alerts you want to chain, already created
How a flow is structured
You assemble a flow from two building blocks in the flow builder:
- Group: a logical combination of individual alerts, joined with the OR, AND, and NOT operators.
- Stage: one or more groups that must trigger within a specified time frame. A flow is an ordered series of stages.
Figure: how individual alerts combine into groups, and groups into a time-bound stage.
Limitations
- The cumulative time frame across all stages cannot exceed 168 hours (1 week). A larger value resets to zero.
- A single flow alert can combine a maximum of 30 alerts.
- The following alert types do not support the NOT operator:
  - New value
  - Unique count
  - Immediate
Build a flow alert
To create a flow alert, go to Alerts, then select Create alert. The alert creation wizard opens on the Query step. The Flow type uses the same four-step sequence as every alert (Query, then Condition, then Notification, then Details). Naming, labels, and scheduling now come last on the Details step, not first; the steps below cover the flow-specific work.
Query and condition: build the sequence
- On the Query step, select the Flow alert type, then select Open Flow Builder.
- Drag existing alerts from the left panel into the builder workspace. Hover an alert to see its Query, Conditions, and Group by fields.
- Organize the alerts into groups and stages, and set a time frame for each stage.
- Select Apply to save the flow.
- Select the Group by keys for the flow.
Note
The available Group by keys are the intersection of the keys across the alerts in the flow. If alert A is grouped by Region and Cluster, and alert B is grouped by Region and Pod, the flow can only group by Region. Hover an alert in the builder to see its available keys.
To keep a constituent alert from firing on its own, enable Phantom mode on that alert. Only the flow then triggers a notification and opens an incident, while its building-block alerts stay silent.
For the Notification and Details steps, including routing, cadence, alert scheduling, naming, and labels, see Configuring an alert definition and Define alert details.
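A pre-flight check for a planned flow, as an added example rather than Coralogix code: it applies the limits listed under Limitations and computes the available Group by keys as described in the Note. The dictionary layout, the function name `check_flow`, the sample "Threshold" type label, and counting the 30-alert limit over distinct alerts are assumptions.

```python
# Added illustration. The dict layout is a hypothetical planning format,
# not a Coralogix API or export schema.
MAX_TOTAL_HOURS = 168   # cumulative time frame across all stages (1 week)
MAX_ALERTS = 30         # alerts one flow can combine
NO_NOT_TYPES = {"New value", "Unique count", "Immediate"}  # no NOT support

def check_flow(alerts, stages):
    """Return (problems, group_by_keys) for a planned flow.

    alerts: {name: {"type": str, "group_by": set of keys}}
    stages: ordered list of {"hours": number, "groups": [group, ...]};
            a group is a list of (alert_name, negated) pairs. The AND/OR
            joining the pairs does not affect these checks, so it is omitted.
    """
    problems, used = [], []
    for i, stage in enumerate(stages, start=1):
        for group in stage["groups"]:
            for name, negated in group:
                if name not in alerts:
                    problems.append(f"stage {i}: unknown alert {name!r}")
                    continue
                if name not in used:
                    used.append(name)
                if negated and alerts[name]["type"] in NO_NOT_TYPES:
                    problems.append(f"stage {i}: NOT is not supported for "
                                    f"{alerts[name]['type']} alert {name!r}")
    total = sum(stage["hours"] for stage in stages)
    if total > MAX_TOTAL_HOURS:
        problems.append(f"stages total {total} h, limit is {MAX_TOTAL_HOURS} h")
    # Assumption: the 30-alert limit is counted over distinct alerts.
    if len(used) > MAX_ALERTS:
        problems.append(f"{len(used)} alerts used, limit is {MAX_ALERTS}")
    # Available Group by keys: intersection across every alert in the flow.
    key_sets = [set(alerts[name]["group_by"]) for name in used]
    keys = set.intersection(*key_sets) if key_sets else set()
    return problems, sorted(keys)

# Constructed sample: the CPU -> HTTP error chain, with the Note's key sets.
SAMPLE_ALERTS = {
    "High CPU utilization": {"type": "Threshold", "group_by": {"Region", "Cluster"}},
    "High HTTP error rate": {"type": "Threshold", "group_by": {"Region", "Pod"}},
}
SAMPLE_STAGES = [
    {"hours": 1, "groups": [[("High CPU utilization", False)]]},
    {"hours": 1, "groups": [[("High HTTP error rate", False)]]},
]

if __name__ == "__main__":
    print(check_flow(SAMPLE_ALERTS, SAMPLE_STAGES))
```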
Example
The following flow notifies you when successful orders drop because of a failed database cleanup task that ran 24 hours earlier.
Figure: a two-stage flow linking an earlier failure to a later business-metric drop.
Next steps
Configure alert name, description, and labels in Define alert details.

