

User-Defined Alerts

Last Updated: Aug. 24, 2022

The user-defined alerts in Coralogix enable you to obtain real-time insights based on criteria of your own choosing. The process is simple and gives users full flexibility, advanced alerting options, and real-time push notifications to your preferred communication channel.

Creating Alerts

1) From the main dashboard, open the logs tab:

2) Perform a query to filter the logs that will be returned as part of the alert. You may use a combination of the query input and the filters on the left side panel. For additional information about how to query logs, see here:

3) When you have the right log results, click the “Create Alert” button. The alert configuration window opens.

4) In the Details section, fill in the general alert parameters: Name, Alert description, Alert Severity and Labels.


  • In the Slack integration, the following tag options are supported if you add them to the description: <@member_id>, <!here>, <!channel>
  • In Labels you can define a new label or choose an existing one. You can nest a label using key:value.

5) In the Query section, you will see the query that you entered in the Logs screen. Click the Edit button if you need to change the query.

6) In the Condition section, you set the conditions for triggering the alert: whether you want the alert to trigger immediately, to define a rule for ‘More/Less’ occurrences within a specified time window, or to use the ‘More than usual’ anomaly-detection option.

  • Immediately: An immediate alert notifies on the first log that matches and is then silent for one minute. The hit count shows 1 for an immediate alert, because we notify on the first matching log.
  • More/Less Than: A ‘More’/‘Less’ alert triggers when the count of entries that matched the alert definition is more/less than the chosen threshold. The hit count shows the actual number of entries that matched within the selected time window.
  • More Than Usual – Dynamic Alerts: Setting appropriate thresholds for each metric can be daunting, especially with highly variable data, which tends to generate many false-positive alerts. Coralogix Dynamic Alerts detect abnormal behavior automatically, without fixed threshold values. (Note: the algorithms need one week to learn the traffic pattern.)
  • Notify When Resolved: You can also add an automatic ‘Resolve’ message to your ‘More/Less Than’ alerts. Just mark the ‘Notify on resolved’ checkbox under the ‘More’/‘Less’ control and you will get an automatic update once the alert condition no longer holds (works with all notification methods).
  • Notify every: This control sets the alert’s cadence. After the alert is triggered and a notification is sent, further notifications are suppressed for the duration of the suppression period. The alert itself keeps evaluating; only the notifications are suppressed.
  • Group By: You can enhance your ‘More‘ and ‘Less‘ alerts with the ‘Group by’ option, using up to two ‘Group by’ fields: values under the ‘Group By’ fields are aggregated into a histogram. An alert triggers whenever the condition threshold is met for a specific aggregated value within the specified timeframe. If two levels of ‘Group by’ are used, matching logs are first aggregated on the parent field and then sub-aggregated on the child, and an alert fires when the threshold is met for a unique combination of parent and child. Only logs that include the ‘Group By’ fields are included in the count. Up to 5 unique values of the selected field and their counts show up in the event details screen, along with the threshold value. All regular filters, such as application, subsystem, severity, etc., may be applied to the alert as well. This is how it looks in Coralogix:

If you set up a second ‘Group by’, it looks like this in Coralogix:


Note: The number of ‘Group by‘ permutations is limited to 1000. If there are more permutations, only the first 1000 are tracked.

Note: Once a ‘Less‘ alert is created, the set of ‘Group by‘ values is saved. If a permanent change occurs that makes the alert trigger continuously, the alert must be edited and re-saved so that the set of ‘Group by‘ values is saved anew. Example:
A ‘Less‘ alert with ‘Group by‘: metadata.coralogix.applicationName and a threshold of less than 1 is created. The list of all applications is saved. After some time the integration changes and one application stops sending logs. The alert will be triggered continuously until the alert

  • is edited with some change (such as a threshold change or a change of the group-by fields) and saved, and then edited and saved again to restore the proper threshold, or
  • is created again from scratch.

The reason is that the alert id needs to change in order to reset the state of the ‘Group by‘ values. New ‘Group by‘ values are added once they are found by the query.
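The following Python models the Group By counting, the 1000-permutation cap and the saved ‘Less’ state described above. It is an added example, not part of this documentation or Coralogix's own code; the field names and log contents are constructed.

```python
from collections import Counter

# Constructed sample logs (not from the page); the last one lacks the child field.
LOGS = [
    {"applicationName": "web", "subsystemName": "api", "text": "error 500"},
    {"applicationName": "web", "subsystemName": "api", "text": "error 502"},
    {"applicationName": "web", "subsystemName": "worker", "text": "error 500"},
    {"applicationName": "billing", "subsystemName": "api", "text": "error 500"},
    {"applicationName": "billing", "text": "error 504"},
]

MAX_PERMUTATIONS = 1000  # only the first 1000 Group By permutations are tracked


def group_counts(logs, group_by):
    """Count logs per unique Group By combination; logs missing a field are
    skipped and at most MAX_PERMUTATIONS distinct combinations are tracked."""
    counts = Counter()
    for log in logs:
        if not all(field in log for field in group_by):
            continue
        key = tuple(log[field] for field in group_by)
        if key not in counts and len(counts) >= MAX_PERMUTATIONS:
            continue
        counts[key] += 1
    return counts


def evaluate_more(logs, group_by, threshold):
    """'More than' alert: return every group whose count exceeds the threshold."""
    return {k: c for k, c in group_counts(logs, group_by).items() if c > threshold}


class LessAlert:
    """'Less than' alert with the saved Group By state the page describes: a value
    seen once is evaluated on every later run, so a group that stops sending logs
    has count 0 and keeps firing until the state is reset (here: a new instance)."""

    def __init__(self, group_by, threshold):
        self.group_by = group_by
        self.threshold = threshold
        self.known = set()  # Group By values found so far by the query

    def evaluate(self, logs):
        counts = group_counts(logs, self.group_by)
        self.known |= set(counts)  # new values are added once the query finds them
        return {k: counts.get(k, 0) for k in self.known if counts.get(k, 0) < self.threshold}
```

Running `LessAlert(["applicationName"], 1)` first over all of LOGS and then over a batch without "billing" logs shows the billing group firing with count 0, exactly the stuck-alert situation the note describes.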

7) In the Recipients section, you choose who should be notified: an e-mail address, a Slack room, a custom webhook, or all of them.

8) In the Schedule section, the alert can be always active, or triggering can be limited to certain days and hours.

9) In the Notification Content section, you choose what portion of the log you want to see when notified: ‘Full Log Text’ to show the entire log, or ‘Specific JSON Key’ to show a specific key and its value (you can add multiple keys).

10) In the Verify Alert section, you can check how many times the alert would match the criteria in the last 24 hours.

11) In the History section, you can see which user performed a change in the alert and when.

12) The final step is to click on the ‘Create alert’ button on the upper-right side of the screen. You’re all set! Now you can view your alerts.

View Alerts

The ‘Alert logs’ view within the ‘Insights’ tab shows the logs which triggered the alert:

The “Logs” view within the ‘Insights’ tab shows all the logs prior to and after the alert was triggered, with the triggered alert itself highlighted:


  • You can create a new alert from the Alerts page by pressing the “New alert” button.
  • In the Alerts menu you can see which user created the alert.
  • In the alert you can see the history of edits that were made.

Snoozing alerts

Snoozing alerts is intended for cases where the alert was triggered and handled and there is no need for further notifications while you focus on resolving the issue. Alerts can be snoozed in several ways, as below:

Snooze or disable snooze

  • Go to your dashboard and click on the snooze button next to an alert

Snoozed alert tooltip:

  • Hover your mouse over the snooze button to see who snoozed the alert and when the snooze period ends

Snoozed alert (Manage Alerts page):

  • In the table view, where all the team’s alerts are displayed, a “Snooze” column is available. The snooze switch is interactive: you can switch from “Snoozed” to “Active”, and the switch always reflects the current alert status
