
New value alerts

The New Value alert triggers when a value appears for the first time within the configured time window. The alert tests each value against a list it builds dynamically while it is active. You configure the alert with a query to select a subset of logs (if needed), and define a key whose values the alert tracks for new entries over the desired window.

In many use cases, this alert helps you automatically detect atypical behavior in your system.

A few example use cases include:

  • Security: An alert might trigger on a new domain connection. Because Coralogix Cloud Security logs security information across network traffic, a connection to a domain not seen before gives the field security.highest_registered_domain a new value. This can indicate possible attacker activity (command-and-control traffic, data exfiltration, and so on). Legitimate first contacts (a new SaaS vendor, CDN, or update server) fire the same alert, so use the alert query to scope the logs it evaluates.

  • Monitoring: An alert might trigger on a new application error code. Many applications send an error_code field; a new value for this field indicates a new issue with the application.

Create new value alerts

1. Create an alert.

There are 2 ways to create an alert:

  1. Through the explore screen.

The advantage of creating an alert through the explore screen is that you can build your query and adjust the filters to alert on (application/subsystem, severity, fields). When you create the alert, the system adds the filters and query automatically.

  2. Alerts > Alert Management tab.

The Alert Management tab lets you create the alert from scratch. Select NEW ALERT.
2. Define alert details: Name, Description, Priority (P1, highest, to P5, lowest), Labels (a new label or an existing one; nest a label using key:value).
You can also select the Set as Security Alert checkbox to add the alert_type:security label. This will help Security customers filter for this alert type in the Incidents screen.

3. Select the New Value alert type.

4. [Optional] Add a query, and adjust the application, subsystem, and severity filters to scope the logs the alert evaluates.

5. Define Conditions.

Key to track: The log field whose values the alert tracks for new entries (for example, a country or city name, or the domain field from the security use case above).

Notify on new value in the last: The time window over which a value counts as new. You can track a key for up to 3 months.

Notify Every: Use this to tune the alert cadence if it is noisy.

Note

After an alert triggers, it does not trigger again until either the Notify Every period passes or you resolve it. In the latter case, the Notify Every parameter resets.

6. Define Notification settings.

  • By default, the system sends a single notification that aggregates all values matching the alert query and conditions to your Coralogix Insights screen.
  • + Add Webhook: Define additional alert recipients and notification channels.
  • Notify Every: Sets the alert cadence. After an alert triggers and the system sends a notification, the alert continues to run, but the system suppresses notifications during the suppression period.
  • Notify when resolved: Activate to receive an automatic update when the alert resolves.
  • Phantom mode: Toggle Phantom mode to silence the alert. In phantom mode, alerts can serve as building blocks for flow alerts without sending independent notifications or creating an incident.

7. Set Schedule.

Use the schedule when multiple teams in different time zones handle the same alerts: choose the days on which Team A receives notifications and the days on which Team B receives them.

8. To finalize the alert, select CREATE ALERT.

Note

  • A new or updated alert becomes active after the configured alert time window or 7 days (whichever is shorter). This allows Coralogix to train on the set of values, capture a baseline, and reduce false notifications.
  • The alert tracks up to 50K unique values in the defined time window. When the list reaches 50K values, the alert does not trigger again until values age out of the list. The system clears a value from the list when its age equals the alert time window; the first detection of that value after it was cleared triggers the alert again.
  • The system uses the first 255 characters as the value (if two values share the same first 255 characters, the system treats them as the same value).
  • After the alert triggers, the system enforces a 5-minute silence period. During this time, the system adds new values to the list but does not trigger the alert.
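As an added example (not Coralogix code), the following Python script models how the conditions and the notes above interact when a New Value alert keyed on security.highest_registered_domain processes a stream of logs. The class and function names, the constructed JSON log lines, the value cap of 4 (in place of 50K, so that saturation is visible), and the interpretation that the 5-minute silence blocks triggering while Notify Every only holds notifications are assumptions made for this illustration.

```python
"""Offline model of the New Value alert rules on this page (added example,
not Coralogix code). Replays constructed JSON log lines through a tracker
that applies: dynamic value list, time-window expiry, 255-character value
prefix, value-list cap, training period, 5-minute silence, Notify Every."""
import json
from collections import OrderedDict
from datetime import datetime, timedelta, timezone


def get_key(record, key):
    """Resolve a dotted key such as 'security.highest_registered_domain'."""
    for part in key.split("."):
        if not isinstance(record, dict) or part not in record:
            return None
        record = record[part]
    return record


class NewValueAlert:  # assumed class name, for illustration only
    VALUE_PREFIX = 255              # values are compared on their first 255 chars
    SILENCE = timedelta(minutes=5)  # silence period after a trigger
    MAX_TRAINING = timedelta(days=7)

    def __init__(self, key, window, notify_every, created, max_values=50_000):
        self.key = key
        self.window = window
        self.notify_every = notify_every
        self.max_values = max_values
        # Active after the alert time window or 7 days, whichever is shorter.
        self.active_from = created + min(window, self.MAX_TRAINING)
        self.seen = OrderedDict()   # value -> first-seen time, oldest first
        self.last_trigger = None
        self.last_notified = None

    def _expire(self, now):
        """Clear values whose age has reached the alert time window."""
        while self.seen:
            value, first_seen = next(iter(self.seen.items()))
            if now - first_seen < self.window:
                break
            del self.seen[value]

    def evaluate(self, record, now):
        """Outcome for one record: None (key absent or value already known),
        'training', 'full', 'silenced', 'suppressed' or 'notify'."""
        raw = get_key(record, self.key)
        if raw is None:
            return None
        value = str(raw)[: self.VALUE_PREFIX]
        self._expire(now)
        if value in self.seen:
            return None
        if len(self.seen) >= self.max_values:
            return "full"             # list saturated; value is not recorded
        self.seen[value] = now        # first sighting goes on the list
        if now < self.active_from:
            return "training"         # baseline capture, no trigger yet
        if self.last_trigger is not None and now - self.last_trigger < self.SILENCE:
            return "silenced"         # recorded, but inside the 5-minute silence
        self.last_trigger = now
        if self.last_notified is not None and now - self.last_notified < self.notify_every:
            return "suppressed"       # triggered, notification held by Notify Every
        self.last_notified = now
        return "notify"


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def sample_log(minutes_after_t0, domain):
    """Build one constructed JSON log line (not real Coralogix output)."""
    ts = (T0 + timedelta(minutes=minutes_after_t0)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return json.dumps({"timestamp": ts,
                       "security": {"highest_registered_domain": domain}})


SAMPLE_LOGS = [                                        # window = 1 day, cap = 4
    sample_log(0, "updates.example.com"),              # training
    sample_log(30, "cdn.example.net"),                 # training
    sample_log(23 * 60, "updates.example.com"),        # already on the list
    sample_log(24 * 60 + 30, "c2.badactor.test"),      # active: first trigger
    sample_log(24 * 60 + 32, "exfil.badactor.test"),   # inside 5-minute silence
    sample_log(24 * 60 + 37, "updates.example.com"),   # aged out, new again; held by Notify Every
    sample_log(24 * 60 + 50, "x" * 260),               # long value: 255-char prefix recorded
    sample_log(24 * 60 + 51, "x" * 255 + "DIFFERENT"), # same prefix, same value
    sample_log(24 * 60 + 52, "another.test"),          # list holds 4 values: full
    sample_log(24 * 60 + 55, "c2.badactor.test"),      # already on the list
]


def demo():
    """Replay SAMPLE_LOGS and return (timestamp, outcome) pairs."""
    alert = NewValueAlert(key="security.highest_registered_domain",
                          window=timedelta(days=1),
                          notify_every=timedelta(minutes=10),
                          created=T0, max_values=4)
    out = []
    for line in SAMPLE_LOGS:
        record = json.loads(line)
        now = datetime.fromisoformat(record["timestamp"].replace("Z", "+00:00"))
        out.append((record["timestamp"], alert.evaluate(record, now)))
    return out


if __name__ == "__main__":
    for ts, outcome in demo():
        print(ts, outcome)
```

The replay shows the two behaviours that most often surprise operators: a value that was on the baseline list reappears as "new" once it has aged out of the window (the sixth record), and two values that differ only after the 255th character count as one (the seventh and eighth records).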

Support

Need help?

Customer success is available 24/7 to help with setup and answer questions.

Contact customer success through the in-app chat or by emailing support@coralogix.com.