Create metric alerts from logs
Create metric alerts directly from numeric values in your logs, without building metrics, writing queries, or configuring alert pipelines manually.
This feature lets you turn a single log entry into a working alert. Coralogix creates the Events2Metrics configuration and the alert for you, and shows historical values during setup so you can verify that the signal is meaningful before you create the alert.
Why this matters
Logs often include numeric measurements such as request duration, response size, execution time, or queue depth.
In many environments, these values are visible long before a formal metric exists. This workflow lets you act on those signals immediately, instead of delaying protection until metrics are modeled and queries are written.
When to use this workflow
Use this approach whenever you discover a numeric log value that represents important behavior and want to monitor it quickly.
Common situations include:
- Investigating performance or reliability issues
- Adding short-term protection during incident response
- Validating whether a log-derived signal is worth long-term monitoring
The following example demonstrates one scenario, but the same process applies to any numeric field in your logs.
What you can alert on
A log field can be used to create a metric alert if it meets all of the following conditions:
| Requirement | Valid example | Not valid |
|---|---|---|
| It is numeric | json.duration_ms = 245 | json.duration_ms = "245" |
| It is consistently numeric | json.response_size = 1024json.response_size = 2048 | json.response_size = "N/A" |
| It is a structured field | json.request_time_ms = 312 | message = "Request completed in 312 ms" |
How to recognize this in the product
In the Log details panel, the field:
- Displays a number (not text)
- Appears with the same type across multiple events
- Shows the Create metric alert action in its menu
If the action is available, the field is eligible for alerting.
Example flow: Alert on slow API responses
The following walkthrough shows one common example of how this feature is used.
Your environment, fields, and thresholds may differ, but the steps are the same.
In this example, you want to detect slow API responses by alerting when response time becomes too high.
Step 1: Find a numeric field in a log entry
Go to Explore, and search for logs related to the behavior you want to monitor.
For example, filter to the service or API you are investigating.
In the results table, locate a log entry that represents the issue you are seeing (for example, a slow request or large response).
- Press the space bar on that row to open the Log details panel.
- In the Table view, scan the list of fields on the right.
Look for a field that:
- Contains a numeric value (for example,
53) Represents a measurable signal, such as response time or size
(for example,
json.http_resp_took_ms)
- Contains a numeric value (for example,
When you find the field, open its actions menu and confirm that Create metric alert is available.
This confirms that the field can be used to create an alert directly from the log.
Step 2: Start alert creation from the field
In the Log details panel, locate the numeric field you want to monitor
(for this example,
json.http_resp_took_ms).Hover over the field row with the numeric value and right-click to open the action menu.
- From the list of actions, select Create metric alert.
When you select this option, Coralogix:
- Keeps all active log filters
- Creates the metric automatically from this log field
- Opens the New metric alert flow
- Displays a historical preview of the calculated values
This moves you directly from log analysis to alert configuration, without writing a query or creating a metric manually.
Step 3: Select how the values are aggregated
In the Select aggregation step, decide how Coralogix should calculate the numeric field over time.
- In the aggregation drop-down, select the function that best represents the behavior you want to monitor.
In this example, Max is selected for json.http_resp_took_ms to detect the slowest request in each evaluation window.
Review the Metric preview chart.
This chart shows how the aggregated values behaved over the selected time range.
Use the time range picker to expand or narrow the history and confirm that:
- Spikes represent individual slow requests
- The general baseline reflects normal performance
This preview helps you understand the signal before defining thresholds, so you can avoid alerts that are either too sensitive or too noisy.
Step 4: Define when the alert should trigger
In the Set threshold step, tell Coralogix what “too slow” looks like.
- Choose the comparison:
- Select More than to alert when the value exceeds a limit.
Enter the threshold value.
In this example, enter
53forjson.http_resp_took_ms.
Select the evaluation window.
Choose In 10 minutes to require the condition to be met within a ten-minute period.
Set the priority.
Select P1 to indicate high urgency.
Review the Metric preview:
- The dashed line shows the threshold.
- Historical points above the line indicate when this alert would have triggered.
Use this view to adjust sensitivity before moving on.
Step 5: Review and create the alert
In the Summary step, review what will be created.
Confirm the Alert name.
By default, Coralogix generates a name based on:
- The selected aggregation
- The field
json.http_resp_took_ms - The threshold condition
- Review notification routing:
- Under You’ll be notified via, verify that Routing is selected.
- (Optional) Add routing labels in Select routers to control where notifications are sent.
- Review the generated metric:
- In the Events2Metrics section, confirm the Metric name that will be created from the log field.
- This metric is automatically derived from the selected log attribute and behaves like any other metric.
- When everything looks correct, select Create.
The alert immediately starts evaluating new log data, and the metric becomes available in Events2Metrics for reuse.