Skip to content

Time relative alerts

Open in ChatGPT Open in Claude

A time relative alert fires when the current log count differs significantly from the count over the same window in an earlier period, for example the previous hour or the same day last week. Use it to detect changes that only matter relative to a baseline you already trust: error rates that climb against yesterday, sign-ups that drop against last week, or admin logins that spike against the same hour a day ago.

What you need

  • Access to Coralogix with permission to create alerts
  • A log query that isolates the signal you want to compare over time

Define the query

In the alert creation wizard, the Query step is where you select the alert type and describe the signal to evaluate.

  1. Go to Alerts, then select Create alert.
  2. In the Query step, select Time relative as the alert type.
  3. Write the Lucene query that returns the logs you want to compare across periods, and narrow it with filters such as application, subsystem, or severity.

The query runs against both the current window and the comparison period, so write it to isolate the single signal whose change over time is meaningful.

Set the condition

In the Condition step, you define what counts as a significant change relative to the prior period.

  • Comparison direction: trigger when the current count is more than or less than the comparison-period count by your defined ratio. A ratio of 1 means the counts are equal; a ratio above 1 means the current window has more occurrences than the prior period.
  • Comparison window: select the prior period to compare against. The current window and its comparison are fixed pairs:
Comparison windowCurrent windowCompared against
Previous hournow-1h to nownow-2h to now-1h
Same hour yesterdaynow-1h to nownow-25h to now-24h
Same hour last weeknow-1h to nownow-1wk-1h to now-1wk
Yesterdaynow-24h to nownow-48h to now-24h
Same day last weeknow-24h to nownow-8d to now-7d
Same day last monthnow-24h to nownow-29d to now-28d

Hourly comparisons evaluate every 5 minutes; daily comparisons evaluate every 10 minutes.

  • Group by: count and evaluate separately for each combination of label values. With two fields, logs are aggregated by the parent field first, then the child field, and the alert fires when the threshold is met for a unique combination of both. Only logs that contain all selected fields are counted.

For example, if the current hour returns 180 error logs and the previous hour returned 60, the ratio is 3. With a comparison set to fire above a ratio of 1, the alert triggers.

Route and name the alert

Set routing and naming in the alert creation wizard Notification and Details steps. When everything is in place, select Create alert. The alert becomes active after the comparison window completes its first full evaluation.

Configure alert definitionNotification CenterCasesIncidents

Next steps

Alert on the number of distinct values in a log field with Unique count alerts.

Need help? Contact Support.
What's new? Find out here.
LLM? Read llms.txt.
Previous Threshold alerts
Next Unique count alerts