Threshold alerts
A threshold alert fires when the number of logs matching your query crosses a level you set over a time window. Use it to catch error spikes, traffic drops, or any countable change in your log stream, for example more than 10 errors in 5 minutes.
What you need
- Access to Coralogix with permission to create alerts
- A log query that isolates the events you want to count
Define the threshold alert
To start, go to Alerts, then select Create alert. The alert creation wizard opens on the Query step. This page covers the parts of the wizard specific to threshold alerts. For the shared steps, see the alert creation wizard.
Query step
- Select the Threshold alert type.
- Write the query that isolates the logs you want to count. Use DataPrime or Lucene.
- Narrow the signal with filters such as application, subsystem, severity, or tag so the count reflects only the events that matter.
The Alert Visualization panel evaluates your definition over the last 24 hours as you build, so you can see whether the query is too noisy or too quiet before saving.
Condition step
Set the trigger logic that turns the count into an alert:
- Trigger logic: express the condition in plain terms, for example more than 100 in 5 minutes or fewer than 5 in 10 minutes. The duration choice matters: "at least once" highlights each crossing, while "for over" requires a continuous breach across the whole window.
- Group by: count and evaluate separately for each combination of label values, for example per `region` or per `pod_name`. Only logs that contain all selected fields are counted.
You can add multiple conditions to the same alert when you need tiered severity from one query. See Multiple alert conditions.
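To make the Condition step concrete, here is an added Python sketch (not Coralogix code) that evaluates "more than N in a window" over constructed sample logs, showing how "at least once" and "for over" differ and why logs missing a group-by field drop out of the count. The `is_error` predicate stands in for the saved query.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs for this example, not real Coralogix data.
# One INFO line should be filtered by the query; one ERROR line lacks "region".
LOGS = [
    {"ts": "2024-01-01T10:00:10", "severity": "ERROR", "region": "eu", "pod_name": "api-1"},
    {"ts": "2024-01-01T10:01:00", "severity": "ERROR", "region": "eu", "pod_name": "api-1"},
    {"ts": "2024-01-01T10:02:30", "severity": "ERROR", "region": "eu", "pod_name": "api-2"},
    {"ts": "2024-01-01T10:06:00", "severity": "ERROR", "region": "eu", "pod_name": "api-1"},
    {"ts": "2024-01-01T10:07:00", "severity": "ERROR", "region": "eu", "pod_name": "api-1"},
    {"ts": "2024-01-01T10:08:00", "severity": "ERROR", "region": "eu", "pod_name": "api-2"},
    {"ts": "2024-01-01T10:00:20", "severity": "ERROR", "region": "us", "pod_name": "api-3"},
    {"ts": "2024-01-01T10:01:20", "severity": "ERROR", "region": "us", "pod_name": "api-3"},
    {"ts": "2024-01-01T10:03:00", "severity": "ERROR", "region": "us", "pod_name": "api-3"},
    {"ts": "2024-01-01T10:07:30", "severity": "ERROR", "region": "us", "pod_name": "api-3"},
    {"ts": "2024-01-01T10:02:00", "severity": "INFO", "region": "eu", "pod_name": "api-1"},
    {"ts": "2024-01-01T10:02:45", "severity": "ERROR", "pod_name": "api-9"},
]
START = datetime(2024, 1, 1, 10, 0)
WINDOW = timedelta(minutes=5)      # the "in 5 minutes" part of the condition
DURATION = timedelta(minutes=10)   # span over which consecutive windows are checked

def is_error(log):  # stands in for the saved query (assumed, not a real API)
    return log["severity"] == "ERROR"

def count_matching(logs, start, window, group_by, predicate):
    """Count query matches in [start, start+window) per group-by key.
    Logs missing any selected group-by field are skipped, as the page states."""
    counts = defaultdict(int)
    for log in logs:
        ts = datetime.fromisoformat(log["ts"])
        if not (start <= ts < start + window) or not predicate(log):
            continue
        if any(field not in log for field in group_by):
            continue
        counts[tuple(log[f] for f in group_by)] += 1
    return dict(counts)

def evaluate(logs, threshold, window, duration, mode, group_by, predicate, start=START):
    """Return the group keys that fire for "more than <threshold> in <window>".
    mode="at_least_once": any window inside duration crosses the threshold.
    mode="for_over": every window inside duration crosses it (continuous breach)."""
    windows = [count_matching(logs, start + i * window, window, group_by, predicate)
               for i in range(int(duration / window))]
    groups = set().union(*(w.keys() for w in windows))
    fired = set()
    for group in groups:
        crossed = [w.get(group, 0) > threshold for w in windows]
        if (mode == "at_least_once" and any(crossed)) or (mode == "for_over" and all(crossed)):
            fired.add(group)
    return fired
```

With the sample data, grouping by `region` fires for both regions under "at least once" but only for `eu` under "for over", because `us` drops to one error in the second window.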
Set routing and naming in the Notification and Details steps of the alert creation wizard, then select Create alert. The alert becomes active within 15 minutes.
Next steps
Compare current log volume against past time frames with Time relative alerts.