# Create metric alerts from logs

Create metric alerts directly from numeric values in your logs, without building metrics, writing queries, or configuring alert pipelines manually.

This feature lets you turn a single log entry into a working alert. Coralogix creates the [Events2Metrics](https://coralogix.com/docs/user-guides/monitoring-and-insights/events2metrics/) configuration and the alert for you, and shows historical values during setup so you can verify that the signal is meaningful before you create the alert.

## Why this matters

Logs often include numeric measurements such as request duration, response size, execution time, or queue depth.

In many environments, these values are visible long before a formal metric exists. This workflow lets you act on those signals immediately, instead of delaying protection until metrics are modeled and queries are written.

## When to use this workflow

Use this approach whenever you discover a numeric log value that represents important behavior and want to monitor it quickly.

Common situations include:

- Investigating performance or reliability issues
- Adding short-term protection during incident response
- Validating whether a log-derived signal is worth long-term monitoring

The following example demonstrates one scenario, but the same process applies to any numeric field in your logs.

## What you can alert on

A log field can be used to create a metric alert if it meets all of the following conditions:

| Requirement                    | Valid example                                        | Not valid                                 |
| ------------------------------ | ---------------------------------------------------- | ----------------------------------------- |
| **It is numeric**              | `json.duration_ms = 245`                             | `json.duration_ms = "245"`                |
| **It is consistently numeric** | `json.response_size = 1024json.response_size = 2048` | `json.response_size = "N/A"`              |
| **It is a structured field**   | `json.request_time_ms = 312`                         | `message = "Request completed in 312 ms"` |

### How to recognize this in the product

In the **Log details** panel, the field:

- Displays a number (not text)
- Appears with the same type across multiple events
- Shows the **Create metric alert** action in its menu

If the action is available, the field is eligible for alerting.

## Example flow: Alert on slow API responses

The following walkthrough shows one common example of how this feature is used.

Your environment, fields, and thresholds may differ, but the steps are the same.

In this example, you want to detect slow API responses by alerting when response time becomes too high.

### Step 1: Find a numeric field in a log entry

1. Go to **Explore**, and search for logs related to the behavior you want to monitor.

   For example, filter to the service or API you are investigating.

1. In the results table, locate a log entry that represents the issue you are seeing (for example, a slow request or large response).

1. Select the space bar on that row to open the **Log details** panel.

1. In the **Table** view, scan the list of fields on the right.

1. Look for a field that:

   - Contains a numeric value (for example, `53`)

   - Represents a measurable signal, such as response time or size

     (for example, `json.http_resp_took_ms`)

1. When you find the field, open its actions menu and confirm that **Create metric alert** is available.

This confirms that the field can be used to create an alert directly from the log.

### Step 2: Start alert creation from the field

1. In the **Log details** panel, locate the numeric field you want to monitor

   (for this example, `json.http_resp_took_ms`).

1. Hover over the field row with the numeric value and right-click to open the action menu.

1. From the list of actions, select **Create metric alert**.

When you select this option, Coralogix:

- Keeps all active log filters
- Creates the metric automatically from this log field
- Opens the **New metric alert** flow
- Displays a historical preview of the calculated values

This moves you directly from log analysis to alert configuration, without writing a query or creating a metric manually.

### Step 3: Select how the values are aggregated

In the **Select aggregation** step, decide how Coralogix should calculate the numeric field over time.

1. In the aggregation drop-down, select the function that best represents the behavior you want to monitor.

In this example, **Max** is selected for `json.http_resp_took_ms` to detect the slowest request in each evaluation window.

1. Review the **Metric preview** chart.

   This chart shows how the aggregated values behaved over the selected time range.

1. Use the time range picker to expand or narrow the history and confirm that:

   - Spikes represent individual slow requests
   - The general baseline reflects normal performance

This preview helps you understand the signal before defining thresholds, so you can avoid alerts that are either too sensitive or too noisy.

### Step 4: Define when the alert should trigger

In the **Set threshold** step, tell Coralogix what “too slow” looks like.

1. Select the comparison:

   - Select **More than** to alert when the value exceeds a limit.

1. Enter the threshold value.

   In this example, enter `53` for `json.http_resp_took_ms`.

1. Select the evaluation window.

   Select **In 10 minutes** to require the condition to be met within a ten-minute period.

1. Set the priority.

   Select **P1** to indicate high urgency.

1. Review the **Metric preview**:

   - The dashed line shows the threshold.
   - Historical points above the line indicate when this alert would have triggered.

Use this view to adjust sensitivity before moving on.

### Step 5: Review and create the alert

In the **Summary** step, review what will be created.

1. Confirm the **Alert name**.

   By default, Coralogix generates a name based on:

   - The selected aggregation
   - The field `json.http_resp_took_ms`
   - The threshold condition
   - Review notification routing:
   - Under **You’ll be notified via**, verify that **Routing** is selected.
   - (Optional) Add routing labels in **Select routers** to control where notifications are sent.
   - Review the generated metric:
   - In the **Events2Metrics** section, confirm the **Metric name** that will be created from the log field.
   - This metric is automatically derived from the selected log attribute and behaves like any other metric.
   - When everything looks correct, select **Create**.

The alert immediately starts evaluating new log data, and the metric becomes available in **Events2Metrics** for reuse.

## Related resources

[Configure alert definition](https://coralogix.com/docs/user-guides/alerting/configuring-alert-definition/) [Introduction to alerts](https://coralogix.com/docs/user-guides/alerting/introduction-to-alerts/) [Notification Center](https://coralogix.com/docs/user-guides/notification-center/introduction/)

## Next steps

View, filter, and manage all your alert definitions in [Alert definition management](https://coralogix.com/docs/user-guides/alerting/alert-definition-management/index.md).