Ratio Alerts

Last Updated: Jul. 16, 2023

Ratio alerts allow you to easily calculate a ratio between two log queries and trigger an alert when the ratio reaches a set threshold.


Use this feature to monitor:

  • Operational Health. Monitor the number of outgoing responses to incoming requests or the ratio of specific error codes to the overall number of errors.
  • Marketing. Monitor the ratio between traffic from specific regions to overall traffic following regional campaigns.
  • Security. Monitor the ratio of denied requests, specific admin operations, or requests originating from blocked network domains compared to all requests.

Create a Ratio Alert

STEP 1. Create a new Alert.

  • In the navigation pane, click Alerts.
  • Click NEW ALERT on the top-right area of the UI.

STEP 2. Define the Alert Details.

  • Please enter:
    • Alert Name.
    • Alert Description.
    • Alert Severity. Choose from one of four options: Info, Warning, Error, Critical.
    • Labels. Define a new label or choose from an existing one. Nest a label using key:value.
    • Set as Security Alert. Check this option to create an alert related to Coralogix Security solutions.

STEP 3. Select RATIO Alert Type.


STEP 4. Define Query 1 & Query 2.

  • Create a meaningful name (Alias) for your query, as it will appear in your alert notifications.
  • Input a new query, using the available RegEx cheat sheet for support.
  • Filter by Application, Subsystem and Severity.

Additional Query Examples

  • Example 1
    • Query1: status:504
    • Query2: _exists_:status
    • Result: Finds the ratio between error code 504 and the overall number of response codes received. Higher-than-usual ratios may indicate operational issues.
  • Example 2
    • Query1: NOT client_addr:/172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/
    • Query2: _exists_:client_addr
    • Result: Assume addresses outside 172.xxx.xxx.xxx are restricted. An abnormal ratio of restricted traffic to all traffic may indicate an attack.
  • Example 3
    • Query1: request_status:success
    • Query2: response_status:rejectrequest
    • Result: Calculates how many requests were not answered successfully out of all successful requests. A higher than usual ratio may indicate operational issues.

STEP 5. Set the Conditions to trigger the alert.

  • An alert triggers when the count of entries matching the alert definition is more / less than the chosen threshold (the ratio chosen in the Query1/Query2 drop-down list). Hit count presents the actual number of entries that matched within the selected time window.
  • Group By.
    • Group alerts by one or more values that are aggregated into a histogram. An alert is triggered whenever the condition threshold is met for a specific aggregated value within the specified timeframe.
    • New! If using 2 values for Group By, matching logs will first be aggregated by the parent field (i.e. region), then by the child field (i.e. pod_name). An alert will fire when the threshold is met for a unique combination of both parent and child. Only logs that include the Group By fields will be included in the count.
  • Do Not Trigger on Infinity: Choose whether you would like to be alerted on Infinity. The Infinity value is reached when the value of the second query is 0; in that case, the Ratio result will be Infinity.
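
A local model of the Step 5 evaluation, run over constructed logs with the Example 2 queries, showing how Group By and the Infinity option change which groups fire. This is an added example, not Coralogix code; the region and pod_name fields, the sample addresses, and the treatment of logs without client_addr are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample logs (not real traffic). Field names follow Example 2.
LOGS = [
    {"region": "eu", "pod_name": "a", "client_addr": "172.16.0.5"},
    {"region": "eu", "pod_name": "a", "client_addr": "172.16.0.6"},
    {"region": "eu", "pod_name": "a", "client_addr": "172.16.0.7"},
    {"region": "eu", "pod_name": "a", "client_addr": "10.1.1.1"},
    {"region": "eu", "pod_name": "b", "client_addr": "172.20.1.1"},
    {"region": "eu", "pod_name": "b", "client_addr": "203.0.113.9"},
    {"region": "eu", "pod_name": "b", "client_addr": "198.51.100.4"},
    {"region": "eu", "pod_name": "b", "client_addr": "203.0.113.10"},
    {"region": "us", "pod_name": "c", "message": "no address parsed"},
    {"region": "us", "pod_name": "c", "message": "no address parsed"},
    {"region": "us", "client_addr": "192.0.2.1"},  # lacks pod_name
]

INTERNAL = re.compile(r"172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")

def query1(log):
    # NOT client_addr:/172\.../ ; Lucene regexps match the whole term (fullmatch).
    # Assumption: NOT also matches logs that have no client_addr field.
    return INTERNAL.fullmatch(log.get("client_addr", "")) is None

def query2(log):
    # _exists_:client_addr
    return "client_addr" in log

def evaluate_ratio_alert(logs, group_by, threshold, do_not_trigger_on_infinity=False):
    """Return {group: ratio} for groups whose Query1/Query2 ratio is more than threshold."""
    q1, q2 = Counter(), Counter()
    for log in logs:
        if not all(f in log for f in group_by):
            continue  # logs missing a Group By field are not counted
        key = tuple(log[f] for f in group_by)
        q1[key] += int(query1(log))
        q2[key] += int(query2(log))
    fired = {}
    for key, hits in q1.items():
        if hits == 0:
            continue  # ratio 0 (or 0/0) cannot exceed a positive threshold
        ratio = hits / q2[key] if q2[key] else math.inf  # Query2 == 0 -> Infinity
        if ratio == math.inf and do_not_trigger_on_infinity:
            continue
        if ratio > threshold:
            fired[key] = ratio
    return fired
```

With a threshold of 0.5 grouped by region and pod_name, the (eu, b) group fires at 0.75 and (us, c) fires on Infinity unless Do Not Trigger on Infinity is set.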

STEP 6. Define Notification settings.

  • Aggregated Notification. By default, a single notification, aggregating all values matching an alert query and conditions, will be sent to your Coralogix Insights screen.
  • Individual Notification Groups. New! Multiple individual notifications for each of the values of the Group By field may be sent when query conditions are met. Select one or more Keys – consisting of a subset of the fields selected in the alert conditions – in the drop down menu. A separate notification will be sent for each Key selected.
    • Notes:
      • The number of Group By permutations is limited to 1000. If there are more permutations, then only the first 1000 are tracked.
      • Individual notifications for each of the values of the Group By field will not appear on the Insights screen and must be sent directly to notification recipients.
  • Both notification types allow you to choose the parameters of your notification:
    • Notify Every. Sets the alert cadence. After an alert is triggered and a notification is sent, the alert will continue to work, but notifications will be suppressed for the duration of the suppression period.
      • When an alert is triggered, it won’t be triggered again until one of two things happens: either the Notify Every period passes or it is resolved. In the latter case, the Notify Every parameter is reset.
    • Notify when resolved. Activate to receive an automatic update once an alert has ceased.
    • Define additional alert recipient(s) and notification channels by clicking + ADD WEBHOOK.

STEP 7. Set a Schedule.

Limit triggering to specific days & times.


STEP 8. Define Notification Content.

  • Choose a specific JSON key or keys to include in the alert notification.
  • Leave blank to view the full log text.

STEP 9. Create your alert.

Click CREATE ALERT on the upper-right side of the screen.

Note: After saving your alert, it may take up to 15 minutes for the alert to be active in the cluster.

