Ratio alerts

A ratio alert divides the count of one log query by the count of another and fires when the resulting ratio crosses a threshold. Use it to track proportions rather than raw counts, for example error code 504 responses as a share of all responses, denied requests as a share of all requests, or traffic from one region as a share of total traffic.

What you need

  • Access to Coralogix with permission to create alerts
  • Two log queries whose ratio you want to monitor

Define the ratio alert

To start, go to Alerts, then select Create alert. The alert creation wizard opens on the Query step. This page covers the parts of the wizard specific to ratio alerts. For the shared steps, see the alert creation wizard.

Query step

  1. Select the Ratio alert type.
  2. Define Query 1 (the numerator) and Query 2 (the denominator). For each query, write a DataPrime or Lucene query, give it an alias that appears in notifications, and narrow it with application, subsystem, or severity filters.

The ratio is the count from Query 1 divided by the count from Query 2 over the evaluation window.

Query examples

  • Error rate: Query 1 status:504, Query 2 _exists_:status. The ratio of 504 responses to all responses. A higher-than-usual ratio can indicate operational issues.
  • Restricted traffic: Query 1 NOT client_addr:/172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/, Query 2 _exists_:client_addr. The ratio of traffic outside the allowed range to all traffic. An abnormal ratio can indicate an attack.
  • Failed requests: Query 1 request_status:success, Query 2 response_status:rejectrequest. The proportion of requests that were not answered successfully.

Condition step

Set the trigger logic for the ratio:

  • Threshold: alert when the ratio of Query 1 to Query 2 is more than or less than the value you set over the time window.
  • Group by: evaluate the ratio separately for each combination of label values, for example per region or per pod_name. Only logs that contain all selected fields are counted.
  • Trigger on infinity: select whether to alert when Query 2 returns 0. When the denominator is 0, the ratio is infinite.
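
The three condition settings above, modelled in Python as an added example (this is not Coralogix code). The function names, the sample logs, and the choice to treat every zero denominator as an infinite ratio are assumptions made for illustration; the two predicates mirror the error-rate queries status:504 and _exists_:status.

```python
import math
from collections import Counter

# Constructed sample logs for one evaluation window (not real data).
LOGS = [
    {"status": 504, "region": "eu"}, {"status": 200, "region": "eu"},
    {"status": 200, "region": "eu"}, {"status": 200, "region": "eu"},
    {"status": 504, "region": "us"}, {"status": 504, "region": "us"},
    {"status": 200, "region": "us"},
    {"status": 504},                    # no region field
    {"region": "ap", "msg": "health"},  # no status field
]

def query_1(log):  # numerator, mirrors status:504
    return log.get("status") == 504

def query_2(log):  # denominator, mirrors _exists_:status
    return "status" in log

def evaluate(logs, numerator, denominator, threshold, more_than=True,
             group_by=(), trigger_on_infinity=False):
    """Return {group_key: (ratio, fired)} for one evaluation window."""
    num, den = Counter(), Counter()
    for log in logs:
        # Group by: only logs that contain all selected fields are counted.
        if any(field not in log for field in group_by):
            continue
        key = tuple(log[field] for field in group_by)
        num[key] += int(numerator(log))
        den[key] += int(denominator(log))
    results = {}
    for key in den:
        if den[key] == 0:
            # Assumption: any zero denominator is treated as an infinite ratio.
            results[key] = (math.inf, trigger_on_infinity)
            continue
        ratio = num[key] / den[key]
        fired = ratio > threshold if more_than else ratio < threshold
        results[key] = (ratio, fired)
    return results

if __name__ == "__main__":
    for key, (ratio, fired) in evaluate(LOGS, query_1, query_2, 0.5,
                                        group_by=("region",)).items():
        print(key, round(ratio, 3), "ALERT" if fired else "ok")
```

In this model the 504 log without a region field is counted when the alert is ungrouped but drops out once Group by is set to region, so a source that omits the grouping field contributes to no group's ratio.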

Set routing and naming in the Notification and Details steps of the alert creation wizard, then select Create alert. The alert becomes active within 15 minutes.

Next steps

Set up volume-based alerting for your logs with Threshold alerts.