Our next-gen architecture is built to help you make sense of your ever-growing data Watch a 4-min demo video!

Back to All Docs

Ratio Alerts Ratio Alerts

Last Updated: May. 09, 2022

Ratio alerts allow you to easily calculate a ratio between two log queries and trigger an alert when the ratio reaches a set threshold.

A few examples of how to utilize ratio alerts:

  • Operational Health: Monitor the number of outgoing responses to incoming requests, or the ratio of specific error codes to the overall number of errors
  • Marketing: Monitor the ratio between traffic from specific regions to overall traffic following regional campaigns
  • Security: Monitor the ratio of denied requests, specific admin operations or requests originating from blocked network domains compared to all requests

Many of you create these types of visualizations using Coralogix Kibana or our Grafana plug-in, and now you can also use the Coralogix alert engine to create ratio alerts.

Create a Ratio Alert

Define Two Queries

Choosing ‘ratio’ will open two query forms instead of one in the next section:

Next, provide a title for each query with a meaningful name (it will appear in the alert notification and create the queries).

Example 1

Query1 – status:504

Query2 – _exists_:status

Results: It will find the ratio between error code 504 to the overall number of response codes received. A higher than usual ratio can indicate operational issues.

Example 2

Query1 – NOT client_addr:/172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/

Query2 – _exists_:client_addr

Results: In this example, we assume that all addresses outside 172.xxx.xxx.xxx are restricted. The abnormal ratio of restricted traffic to all traffic might indicate an attack.

Example 3

Query1 – request_status:success

Query2 – reponse_status:rejectrequest

Results: It will find how many requests were not answered successfully out of all successful requests. A higher than usual ratio can indicate operational issues.


The condition supports either ‘more’ or ‘less’ than, for the ratio chosen in the Query1/Query2 drop-down list. The last parameter to choose is the time window.

Group By: You can enhance your ‘Ratio’ alerts when using the ‘More’ condition by adding the ‘Group by’ option, up to two ‘Group by’ fields: values under the ‘Group By’ fields are aggregated into a histogram. An alert will trigger whenever the condition threshold will be met for a specific aggregated value within the specified timeframe. If we are using 2 levels of ‘Group by’, matching logs will first be aggregated on the parent field and then a sub-aggregation on the child, and an alert will fire in case the threshold was met for a unique combination of both parent and child. Of course, only logs that include the ‘Group By’ fields will be included in the count. Up to 5 unique values of the selected field and their count will show up in the event details screen, along with the threshold value. ‘Group By’ configuration can be deployed on query 1, query 2, or on both queries Of course, all regular filters, such as application, subsystem, severity, etc.. may be applied to the alert as well. This is how it will look like in Coralogix:

Do Not Trigger on infinity: You can decide if you want to be alerted on Infinity. Infinity value is when the value of the second query is 0. In that case, the result of the Ratio will be infinity.


The rest of the alert settings doesn’t change from the standard alert setup. Remember that for added flexibility you can use the time window option and define when should the alert be active.

  • Alert Cadence control.

With this option now you can control how many notifications you get for any configured Alert in minutes, hours, or both.

Enjoy and take advantage of this new capability.

Like always if you have any questions or suggestions, please contact us in the in-app chat or send us an email at [email protected].


On this page