New value alerts
A new value alert fires when a value that has not been seen before appears in a log field within a time window. Coralogix builds the list of known values while the alert is active and tests each incoming log against it. Use it to detect first-time occurrences, for example a new domain connection in security.highest_registered_domain (a possible attack) or a new application error_code (a new issue).
What you need
- Access to Coralogix with permission to create alerts
- A log field whose new values you want to track
Define the new value alert
To start, go to Alerts, then select Create alert. The alert creation wizard opens on the Query step. This page covers the parts of the wizard specific to new value alerts. For the shared steps, see the alert creation wizard.
Query step
- Select the New value alert type.
- Optionally write a DataPrime or Lucene query and adjust the application, subsystem, and severity filters to limit the logs the alert evaluates. Without a query, the alert evaluates all logs.
Condition step
Set what the alert watches and how long it remembers values:
- Key to track: the log field to monitor for new values, for example a country name or an error code.
- Notify on new value in the last: the window over which a value counts as known. A value that has not appeared within this window triggers the alert when it next arrives. You can track a key for up to 3 months.
The alert fires the first time a value appears that is not already in the tracked list for the selected window.
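To make the window semantics concrete, the following Python script simulates the matching rule the Condition step describes: a value fires when it has not been seen within the window, the known-value list starts empty when the alert becomes active, and logs the query excludes are never evaluated. This is an added example, not Coralogix code or an API; the log lines, the field `security.highest_registered_domain`, and the `subsystem == "proxy"` predicate standing in for the wizard's query and filters are all constructed for the demo.

```python
from datetime import datetime, timedelta

# Constructed sample logs for the demo (not real Coralogix data). Each log
# carries a timestamp, a subsystem and, usually, the tracked nested field.
SAMPLE_LOGS = [
    {"timestamp": "2024-05-01T10:00:00", "subsystem": "proxy",
     "security": {"highest_registered_domain": "example.com"}},
    {"timestamp": "2024-05-01T10:05:00", "subsystem": "proxy",
     "security": {"highest_registered_domain": "example.com"}},
    {"timestamp": "2024-05-01T10:07:00", "subsystem": "proxy",
     "security": {"highest_registered_domain": "cdn.example.net"}},
    # Different subsystem: the hypothetical query below excludes it entirely.
    {"timestamp": "2024-05-01T10:08:00", "subsystem": "batch",
     "security": {"highest_registered_domain": "jobs.example.org"}},
    {"timestamp": "2024-05-02T12:30:00", "subsystem": "proxy",
     "security": {"highest_registered_domain": "example.com"}},
    {"timestamp": "2024-05-03T09:00:00", "subsystem": "proxy",
     "security": {"highest_registered_domain": "cdn.example.net"}},
    {"timestamp": "2024-05-03T09:01:00", "subsystem": "proxy",
     "security": {"highest_registered_domain": "updates.example-cdn.test"}},
    # Tracked field absent: nothing to compare, so the log is skipped.
    {"timestamp": "2024-05-03T09:02:00", "subsystem": "proxy"},
]


def get_field(log, dotted_key):
    """Resolve a dotted field path such as security.highest_registered_domain."""
    cur = log
    for part in dotted_key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def new_value_alerts(logs, key, window, query=lambda log: True):
    """Return [(timestamp, value)] for every log that would fire the alert.

    The known-value list starts empty (it is built only while the alert is
    active) and remembers the last time each value was seen. A value fires
    when it has not been seen within `window` before the current log.
    """
    last_seen = {}
    fired = []
    # Batch simulation: evaluate in timestamp order. A streaming evaluator
    # compares each log against whatever has already arrived.
    for log in sorted(logs, key=lambda entry: entry["timestamp"]):
        if not query(log):
            continue
        value = get_field(log, key)
        if value is None:
            continue
        ts = datetime.fromisoformat(log["timestamp"])
        previous = last_seen.get(value)
        if previous is None or ts - previous > window:
            fired.append((log["timestamp"], value))
        last_seen[value] = ts
    return fired


def run_demo(window_days):
    """Track security.highest_registered_domain over proxy logs only."""
    return new_value_alerts(
        SAMPLE_LOGS,
        "security.highest_registered_domain",
        timedelta(days=window_days),
        # Hypothetical query: stands in for the wizard's query and filters.
        query=lambda log: log.get("subsystem") == "proxy",
    )


if __name__ == "__main__":
    for days in (1, 90):
        print(f"window = {days} day(s):")
        for ts, value in run_demo(days):
            print(f"  {ts}  new value: {value}")
```

With a 1-day window the simulation fires five times: `example.com` and `cdn.example.net` each fire again once more than a day has passed since their last occurrence. With a 90-day window (roughly the 3-month maximum) the same logs fire only three times, once per distinct domain. The batch-subsystem log never fires because the query removes it before evaluation, and the log with no tracked field is skipped. Two practical consequences follow: a short window turns a recurring value into repeated alerts, and because the known list is empty when the alert activates, every value already in use fires once when it is next seen.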
Set routing and naming in the Notification and Details steps of the alert creation wizard, then select Create alert. The alert becomes active within 15 minutes.
Next steps
Compare two log queries and alert on their ratio with Ratio alerts.