Ratio alerts allow you to easily calculate a ratio between two log queries and trigger an alert when the ratio reaches a set threshold.
Feature
Use this feature to monitor:
Operational Health. Monitor the number of outgoing responses to incoming requests or the ratio of specific error codes to the overall number of errors.
Marketing. Monitor the ratio between traffic from specific regions to overall traffic following regional campaigns.
Security. Monitor the ratio of denied requests, specific admin operations, or requests originating from blocked network domains compared to all requests.
Create a Ratio Alert
STEP 1. Create a new Alert.
In the navigation pane, click Alerts.
Click NEW ALERT on the top-right area of the UI.
STEP 2. Define the Alert Details.
Please enter:
Alert Name.
Alert Description.
Alert Severity. Choose from one of four options: Info, Warning, Error, Critical.
Labels. Define a new label or choose from an existing one. Nest a label using key:value.
Create a meaningful name (Alias) for your query, as it will appear in your alert notifications.
Input a new query, using the available RegEx cheat sheet for support.
Filter by Application, Subsystem and Severity.
Additional Query Examples
Example 1
Query1: status:504
Query2: _exists_:status
Result: Finds the ratio between error code 504 and the overall number of response codes received. Higher-than-usual ratios may indicate operational issues.
Example 2
Query1: NOT client_addr:/172\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/
Query2: _exists_:client_addr
Result: Assume addresses outside 172.xxx.xxx.xxx are restricted. An abnormal ratio of restricted traffic to all traffic may indicate an attack.
Example 3
Query1: request_status:success
Query2: response_status:rejectrequest
Result: Calculates how many requests were not answered successfully out of all successful requests. A higher-than-usual ratio may indicate operational issues.
STEP 5. Set the Conditions to trigger the alert.
An alert triggers when the count of entries matching the alert definition is more or less than the chosen threshold (the ratio selected in the Query1/Query2 drop-down list). Hit count shows the actual number of entries that matched within the selected time window.
Group By.
Group By alerts by one or more values that are aggregated into a histogram. An alert is triggered whenever the condition threshold is met for a specific aggregated value within the specified timeframe.
New! If using 2 values for Group By, matching logs will first be aggregated by the parent field (e.g. region), then by the child field (e.g. pod_name). An alert will fire when the threshold is met for a unique combination of parent and child. Only logs that include the Group By fields will be included in the count.
Do Not Trigger on Infinity: Choose whether you would like to be alerted on Infinity. The Infinity value is reached when the value of the second query is 0; in that case, the Ratio result is Infinity.
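To show how the Query1/Query2 ratio, the Group By fields and the Infinity case fit together, here is an added Python example that is not part of the Coralogix documentation or product. It evaluates Example 1 (status:504 over _exists_:status) and Example 2 (addresses outside 172.x.x.x over all addressed requests) against a few constructed log records, once overall and once grouped by region. The sample logs, the predicate functions and the ratios_by_group / fired_groups helpers are assumptions of this example, and the NOT client_addr:/.../ query is approximated by a predicate that requires the field to be present.

```python
import re
from collections import defaultdict
from typing import Callable, Dict, Optional, Sequence, Tuple

# Constructed sample log records for this example (not taken from the page).
SAMPLE_LOGS = [
    {"client_addr": "172.16.0.4",   "status": 200, "region": "eu"},
    {"client_addr": "172.16.0.9",   "status": 504, "region": "eu"},
    {"client_addr": "203.0.113.7",  "status": 200, "region": "eu"},
    {"client_addr": "203.0.113.8",  "status": 403, "region": "us"},
    {"client_addr": "198.51.100.2", "status": 504, "region": "us"},
    {"client_addr": "172.31.5.5",   "status": 200, "region": "us"},
    {"status": 200, "region": "ap"},  # no client_addr field at all
]

# Same pattern as the page's Example 2: 172.x.x.x is the allowed range.
INTERNAL_ADDR = re.compile(r"^172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$")

Predicate = Callable[[dict], bool]

# Example 2, Query1: NOT client_addr:/172\.../ (assumed here to require the field)
def restricted_addr(log: dict) -> bool:
    return "client_addr" in log and INTERNAL_ADDR.match(log["client_addr"]) is None

# Example 2, Query2: _exists_:client_addr
def has_addr(log: dict) -> bool:
    return "client_addr" in log

# Example 1: status:504 over _exists_:status
def status_504(log: dict) -> bool:
    return log.get("status") == 504

def has_status(log: dict) -> bool:
    return "status" in log


def ratios_by_group(logs: Sequence[dict], query1: Predicate, query2: Predicate,
                    group_by: Optional[Sequence[str]] = None
                    ) -> Dict[Tuple, Tuple[int, int, float]]:
    """Count Query1 and Query2 hits per Group By combination and compute Query1/Query2.

    A Query2 count of 0 yields float('inf'), the page's "Infinity" case.
    Without group_by everything lands under the single key ("*",).
    """
    counts = defaultdict(lambda: [0, 0])
    for log in logs:
        if group_by:
            # Only logs carrying every Group By field are counted (parent, then child).
            if any(f not in log for f in group_by):
                continue
            key = tuple(log[f] for f in group_by)
        else:
            key = ("*",)
        entry = counts[key]  # create the group even if neither query matches
        if query1(log):
            entry[0] += 1
        if query2(log):
            entry[1] += 1
    result = {}
    for key, (q1, q2) in counts.items():
        ratio = float("inf") if q2 == 0 else q1 / q2
        result[key] = (q1, q2, ratio)
    return result


def fired_groups(ratios: Dict[Tuple, Tuple[int, int, float]], threshold: float,
                 more_than: bool = True, trigger_on_infinity: bool = False
                 ) -> Dict[Tuple, float]:
    """Apply the more/less threshold per group; return {group: ratio} for groups that fire."""
    fired = {}
    for key, (_, _, ratio) in ratios.items():
        if ratio == float("inf"):
            # "Do Not Trigger on Infinity" corresponds to trigger_on_infinity=False.
            if trigger_on_infinity:
                fired[key] = ratio
            continue
        if (more_than and ratio > threshold) or (not more_than and ratio < threshold):
            fired[key] = ratio
    return fired


if __name__ == "__main__":
    per_region = ratios_by_group(SAMPLE_LOGS, restricted_addr, has_addr, group_by=("region",))
    for key, (q1, q2, ratio) in sorted(per_region.items()):
        print(key, f"hits={q1}/{q2}", f"ratio={ratio}")
    print("fires at > 0.5:", fired_groups(per_region, threshold=0.5))
```

Grouping by region shows why the "ap" group matters: it has a log but no addressed requests, so its ratio is Infinity and it fires only when you choose to be alerted on Infinity. Passing group_by=("region", "status") gives the two-level parent/child aggregation; a combination is only counted when the log carries both fields.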
STEP 6. Define Notification settings.
Aggregated Notification. By default, a single notification, aggregating all values matching an alert query and conditions, will be sent to your Coralogix Insights screen.
Individual Notification Groups. New! Multiple individual notifications for each of the values of the Group By field may be sent when query conditions are met. Select one or more Keys – consisting of a subset of the fields selected in the alert conditions – in the drop-down menu. A separate notification will be sent for each Key selected.
Notes:
The number of Group By permutations is limited to 1000. If there are more permutations, then only the first 1000 are tracked.
Individual notifications for each of the values of the Group By field will not appear on the Insights screen and must be sent directly to notification recipients.
Both notification types allow you to choose the parameters of your notification:
Notify Every. Sets the alert cadence. After an alert is triggered and a notification is sent, the alert will continue to work, but notifications will be suppressed for the duration of the suppression period.
When an alert is triggered, it won’t be triggered again until one of two things happens: either the Notify Every period passes or it is resolved. In the latter case, the Notify Every parameter is reset.
Notify when resolved. Activate to receive an automatic update once an alert has ceased.
Define additional alert recipient(s) and notification channels by clicking + ADD WEBHOOK.
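The Notify Every and Notify when resolved behaviour described above, as an added Python simulation that is not Coralogix code: one alert is fed a sequence of evaluation results, notifies on the first trigger, suppresses further notifications until the Notify Every period has passed, sends a resolved notification when the condition clears, and resets the timer so the next trigger notifies immediately. The NotificationState class, the replay helper and the TIMELINE values are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class NotificationState:
    """Suppression window for one alert; times are seconds (constructed example)."""
    notify_every: int                  # suppression period after a notification is sent
    notify_when_resolved: bool = True
    active: bool = False
    last_notified_at: Optional[int] = None
    sent: List[Tuple[int, str]] = field(default_factory=list)

    def observe(self, now: int, condition_met: bool) -> Optional[str]:
        """Feed one evaluation result; return the kind of notification sent, if any."""
        if condition_met:
            if not self.active:
                # First trigger: notify at once and start the suppression window.
                self.active = True
                self.last_notified_at = now
                return self._send(now, "triggered")
            if now - self.last_notified_at >= self.notify_every:
                # Still firing and the Notify Every period has elapsed: notify again.
                self.last_notified_at = now
                return self._send(now, "re-notified")
            return None  # the alert keeps evaluating, but the notification is suppressed
        if self.active:
            # Condition cleared: resolve the alert and reset the Notify Every timer.
            self.active = False
            self.last_notified_at = None
            if self.notify_when_resolved:
                return self._send(now, "resolved")
        return None

    def _send(self, now: int, kind: str) -> str:
        self.sent.append((now, kind))
        return kind


def replay(evaluations, notify_every: int = 600, notify_when_resolved: bool = True):
    """Run (time, condition_met) pairs through one alert; return the notifications sent."""
    state = NotificationState(notify_every, notify_when_resolved)
    for now, met in evaluations:
        state.observe(now, met)
    return state.sent


# Constructed timeline: the condition holds for about eleven minutes, clears, then returns.
TIMELINE = [(0, True), (120, True), (300, True), (600, True), (660, True),
            (700, False), (750, True)]

if __name__ == "__main__":
    for when, kind in replay(TIMELINE, notify_every=600):
        print(f"t={when:>4}s  {kind}")
```

With a ten-minute Notify Every, the evaluations at 120 s, 300 s and 660 s produce no notification even though the alert is still firing; the one at 600 s does because the period has elapsed, and the trigger at 750 s notifies immediately because the resolve at 700 s reset the timer.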
STEP 7. Set a Schedule.
Limit triggering to specific days & times.
STEP 8. Define Notification Content.
Choose a specific JSON key or keys to include in the alert notification.
Leave blank to view the full log text.
STEP 9. Create your alert.
Click CREATE ALERT on the upper-right side of the screen.
Note: After saving your alert, it may take up to 15 minutes for the alert to be active in the cluster.
Support
Need help?
Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.
Feel free to reach out to us via our in-app chat or by sending us an email at [email protected].