Learn more about Streama© – the foundational technology behind our stateful streaming data platform. Learn More

Dynamic Alerts

The power and value that are embedded in logs are reflected by the status and behavior of our applications and infrastructure. Many times we would like to be alerted when the application or its components show abnormal behavior. This behavior can be reflected by the application sending some logs at a higher than usual volume.

Figuring out exactly what ‘higher than usual’ means, or in other words, setting the threshold value at which the alert should trigger can be a daunting task. This is especially true regarding highly variable data.

The value of a threshold in certain cases may need to change based on the time of day or day of the week to adjust for “expected” changes. Thresholds may even need to be changed over the course of a longer period of time to accommodate for natural changes to application usage trends.

Coralogix Dynamic Alerts enable you to detect abnormal behavior automatically – without having to set a fixed threshold value. Dynamic Alerts rely on Coralogix ML algorithms to continuously analyze your application’s behavior.


Dynamic Alert Examples

Use Case 1: Too Many Unsuccessful Logins

Many times the security team would like to know if there were too many unsuccessful logins in a time period. 

Alert Filter: event.action:”user_login” NOT event.outcome:success

Alert Condition:  ‘more than usual’

Use Case 2: Increase in ELB WAF errors

ELB is an AWS load balancer. This alert identifies if a specific ELB generates 403 errors more than usual. A 403 error results from a request that is blocked by AWS WAF, Web Application Firewall. 

Alert Filter:

elb:”app/my-loadbalancer/50dc6c495c0c9188” AND elb_status_code:”403”

Alert Condition: ‘More than usual’


Use Case 3: Long Connection Time

Many times ops would like to be alerted if connection times are unusually long. Here again, the Coralogix ‘more than usual” alert option will be very handy. 

Alert Filter:

connection_time:[2 TO *]

Alert Condition:  ‘more than usual’

  • Group By.

Now you can use up to 2 fields to group by.

Under insight this is what you are going to see based on the data above. Two fields one for Host_name and the other for location with how many times have been seen.


  • Alert Cadence control.


with this option now you can control how many notification you get for any configured Alert in minutes, hours or both.


Snoozing alerts

Snooze alerts was made for those cases where the alert was triggered and handled and there’s no need for further notifications while you are focused in resolving the issue

Snooze or disable snooze

  • Go to your dashboard and click on the snooze button next to an alert

snooze alert

Snoozed alert tooltip:

  • Hover your mouse over the snooze button to see who snoozed the alert and when snooze period ends

snooze alert tooltip

It is most likely that you and/or your application monitoring team will find similar use cases beneficial. If you are already a Coralogix customer please start using this capability, if not go to our website and try this for free. If you have any questions please reach out to us at support@coralogix.com.