Unique count alerts

A unique count alert fires when the number of distinct values in a selected log field exceeds a limit. Use it when the breadth of an issue matters more than its volume: how many users encountered a 5XX error, how many Kafka consumer groups returned errors, or how many countries a single user signed in from at once. Counting distinct values surfaces the scope of a problem directly, instead of leaving you to drill into the data to gauge it.

What you need

  • Access to Coralogix with permission to create alerts
  • A log query that isolates the events you want to measure
  • The log field whose distinct values you want to count

Define the query

In the alert creation wizard, the Query step is where you select the alert type and describe the signal to evaluate.

  1. Go to Alerts, then select Create alert.
  2. In the Query step, select Unique count as the alert type.
  3. Write the Lucene query that returns the events you want to measure, and narrow it with filters such as application, subsystem, or severity.

Set the condition

In the Condition step, you select the field to count and the limit that triggers the alert.

  • Unique count key: select the log field whose distinct values are counted. The alert tracks the cardinality of this field across logs matching the query.
  • Unique-value limit: set the number of distinct values that triggers the alert when exceeded.
  • Group by: evaluate the unique count separately for each value of a grouping field. This is useful for security cases, for example to fire when a single user (the group-by key) signs in from more than one country (the unique count key) at the same time.

When the alert fires, it reports the unique count for the selected key and lists the distinct values found within the evaluation window. The combined total of unique-count-key and group-by-key permutations must not exceed 10,000 for the alert timeframe.
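The group-by case described above, modelled as an added Python example (not Coralogix code and not part of the original page): it counts distinct values of the unique count key per group-by value inside one evaluation window, reports the groups that exceed the limit, and totals the key permutations against the 10,000 cap. The field names `user` and `country`, the event records, and the window handling are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PERMUTATION_CAP = 10_000  # cap on group-by x unique-key combinations, per the page

# Constructed sign-in events; the field names are assumptions for this sketch.
EVENTS = [
    {"ts": "2024-05-01T09:30:00", "user": "carol", "country": "JP"},
    {"ts": "2024-05-01T10:00:05", "user": "alice", "country": "DE"},
    {"ts": "2024-05-01T10:01:00", "user": "bob", "country": "US"},
    {"ts": "2024-05-01T10:02:00", "user": "carol", "country": "FR"},
    {"ts": "2024-05-01T10:03:00", "user": "alice", "country": "DE"},
    {"ts": "2024-05-01T10:04:00", "user": "alice", "country": "BR"},
    {"ts": "2024-05-01T10:05:00", "user": "bob"},  # no country field
    {"ts": "2024-05-01T10:06:00", "user": "bob", "country": "US"},
]


def evaluate(events, unique_key, group_by, limit, window_end, window):
    """Return (fired, permutations) for one evaluation window.

    fired maps each group-by value whose distinct count of unique_key
    exceeds limit to the sorted distinct values seen in the window.
    """
    start = window_end - window
    seen = defaultdict(set)
    for event in events:
        ts = datetime.fromisoformat(event["ts"])
        if not start < ts <= window_end:
            continue  # outside the evaluation window
        if unique_key not in event or group_by not in event:
            continue  # nothing to count without both fields
        seen[event[group_by]].add(event[unique_key])
    permutations = sum(len(values) for values in seen.values())
    fired = {g: sorted(v) for g, v in seen.items() if len(v) > limit}
    return fired, permutations


if __name__ == "__main__":
    end = datetime(2024, 5, 1, 10, 10)
    fired, perms = evaluate(EVENTS, "country", "user", 1, end, timedelta(minutes=15))
    for user, countries in fired.items():
        print(f"ALERT user={user} unique_count={len(countries)} values={countries}")
    if perms > PERMUTATION_CAP:
        print(f"{perms} permutations exceed the cap; narrow the query or timeframe")
```

In the sample data `bob` has the most matching events but only one distinct country, so only `alice` fires with a limit of 1: the condition tracks breadth, not volume.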

Route and name the alert

Set routing and naming in the Notification and Details steps of the alert creation wizard. When everything is in place, select Create alert. The alert can take up to 15 minutes to become active.

Next steps

Detect unusual metric behavior with machine learning in Anomaly detection alerts.