User-Defined Alerts: Real-Time Notifications
The user-defined alerts in Coralogix will allow you to obtain real-time insights based on criteria of your own choosing. It is a very simple process which grants users full flexibility, advanced alerting options, and real-time push notifications.
Here’s how it is done.
1) From the main dashboard, open the alert definition interface:
2) Then, click on the “ + “ sign:
Note that in cases you have filtered Coralogix with the top right filters (e.g. application or subsystem) you’ll be shown with a subset of your alerts. Clicking on the yellow filter button will clear your top right corner filters thus, showing the alerts list in full.
3) The final screen contains 4 sections. Here’s a breakdown of how to configure your alert in each one:
- General alert params: Define Name, Alert significance, and Alert time window (indefinitely/until a specified date).
- Filter definition: Define the alert criteria – text/template, metadata, and log severity.
- Rules definition: Set the alert rule, whether you want the alert to trigger immediately or you want to define a rule for ‘More/Less’ occurrences per time window.
- An immediate alert will notify immediately and will be silent for one minute. Hit count will present 1 in immediate alert as we notify on the first log that matches.
- A ‘More’/’Less’ alert will trigger when the count of the entries that matched the alert definition will be more/less than the chosen threshold. Hit count will present the actual number of entries that matched within the selected time window.
- You can also add an automatic ‘resolve’ message to your ‘More’/’Less’ alerts. Just mark the ‘Notify on resolved’ checkbox near the ‘More’/’Less’ control and you’ll get an automatic update once an alert is not occurring anymore (works with all notification methods).
- Notifications definition: Define the notification you’d like to receive. In ‘Content’ you can choose what portion of the log you want to see when notified, ‘Full Log Text’ to be shown with the entire log or ‘Specific JSON Key’ to be shown with a specific key and it’s value (you can add multiple keys). In ‘Destinations’ you choose where to be notified, it could be an e-mail address, Slack room (see instructions for Slack alias below) or both.
4) To define an advanced alert, use ‘/’ before and after your text, and follow these instructions:
- To perform a free text search, simply enter a text string. For example, if you are searching web server logs, enter safari to define an alert on all fields for the term safari (without ‘/’ before and after the alert text).
- To define an alert on a value in a specific field, prefix the value with the name of the field. For example, enter /environment:production/ to define an alert on all the entries that contain the value production in the environment field.
- To define an alert on a range of numeric values, use the bracketed range syntax [START_VALUE TO END_VALUE]. For example, to define an alert on entries that have 4xx status codes, enter /status.numeric:[400 TO 499]/.
- To specify more complex alert criteria, use the Boolean operators AND, OR, and NOT. For example, to define an alert on entries that have 4xx status codes and have an extension of PHP, enter /status.numeric:[400 TO 499] AND extension:php/.
- To define an alert when a regular expression matches a value, wrap your regex with ‘/’ and use it as the expression for the field’s value. For example, to define an alert on the regions west-europe-1, west-europe-2, west-us-1, west-us-2, west-us-3 etc., enter /region.keyword:/.*west-(europe|us)-[0-9]+.*//.
Example: define an alert on logs from your production with status codes 5xx not originating from west-europe or west-us, use this expression:
/environment:production AND status.numeric:[500 TO 599] NOT region.keyword:/.*west-(europe|us)-[0-9]+.*//
** Please note that when updating an alert, there is a ~5 min delay before the alert gets in effect and ~10-15 min if the alert has a ‘More/Less’ rule.
The final step is to click on the ‘V’ mark on the right-hand side of the screen.
You’re all set! Now you can view your alerts:
The ‘Alert logs’ view within ‘Insights’ tab shows the logs which triggered the alert:
“Logs” view within ‘Insights’ tab shows all the logs prior and after the alert hit, with the hit itself highlighted:
To add a slack integration to your alert:
1) Go to settings, click “integrations” and click the ‘+’ sign on the righthand side:
2) Select “Slack”, add the desired alias (it’s best to use the Slack room name), add the room webhook, click save.
3) If you don’t see your new integration under your alert definition, try to refresh your browser
**To find your webhook, click here: https://my.slack.com/services/new/incoming-webhook/ (while logged in to Slack), choose the room name, click “Add incoming webhook integration” and copy the webhook you got into Coralogix.
**To add other custom webhooks (OpsGenie, PagerDuty, etc..), follow our tutorial ‘Alert webhooks’.
Enjoy a whole new world of actionable real-time insights on your production systems with Coralogix!
Signup to Coralogix