Coralogix’s ‘New Value’ alert is triggered by the first occurrence of a value within a time interval. Every incoming value is tested against a list of values that is built while the alert is active. The alert is defined by a query, the key of choice to track, and the interval.
In many use cases, this alert lets you detect possibly abnormal behavior in your system automatically.
A few example use cases for this alert type:
Security: The alert is triggered by a new domain connection. As Coralogix Cloud Security logs all security information across all network traffic, a new domain connection results in the field ‘security.highest_registered_domain’ having a new value. This can point to an attack (command and control activity, data exfiltration, etc.).
Monitoring: The alert is triggered by a new application error code. Many applications send an ‘error_code’ field; a new value for this field indicates a new issue with the application.
Go to the Alerts tab, open a new alert, and name it. Then select the ‘New Value’ alert type. Enter a query that identifies the subset of logs to be tracked. Select the time frame (between 12 hours and 3 months) and the key that will be tracked for new values. It is good practice to verify that the selected field exists in the logs matched by the query filter.
A new or updated alert becomes active after the configured alert time window or 7 days, whichever is shorter. This gives Coralogix time to train on the set of distinct values, capture a baseline, and reduce false notifications.
The alert can track up to 50K unique values in the defined time window. Once the captured values list reaches 50K, the alert will not be triggered until values are cleared from the list. A value is cleared from the list when its age in the list equals the alert time window. The first detection of that value after it was cleared triggers an alert.
Only the first 255 characters are taken as the value (i.e. two values that share the same first 255 characters are considered the same value).
There is a 5 minute “silence” period after the alert is triggered. During this time, new values are added to the list but the alert will not be triggered.
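As an added example (not Coralogix's own code), the following Python simulation models the rules described above: first-occurrence detection on a tracked key, the training period, the 255-character truncation, the 50K cap, expiry of a value once its age reaches the time window, and the 5 minute silence period. It runs over a constructed set of domain logs with a 12 hour window and a 1 hour training period for brevity; the class and method names, and the assumption that a value is not recorded while the list is full, are mine.

```python
from collections import OrderedDict

MAX_VALUE_LEN = 255       # only the first 255 characters identify a value
MAX_TRACKED = 50_000      # no triggers once the list holds 50K values
SILENCE_SECONDS = 5 * 60  # no re-trigger within 5 minutes of the last one
class NewValueAlert:
    """Hypothetical simulation of the New Value alert rules; not Coralogix code."""
    def __init__(self, key, window_seconds, training_seconds, max_tracked=MAX_TRACKED):
        self.key = key
        self.window = window_seconds
        self.training = training_seconds  # product uses min(window, 7 days)
        self.max_tracked = max_tracked
        self.seen = OrderedDict()  # value -> time first seen; insertion order = age order
        self.start = None
        self.last_trigger = None
    def _expire(self, now):
        # a value leaves the list when its age reaches the alert time window
        while self.seen and now - next(iter(self.seen.values())) >= self.window:
            self.seen.popitem(last=False)
    def observe(self, log, now):
        """Feed one log (dict) at time `now` (seconds); return True if the alert fires."""
        if self.start is None:
            self.start = now
        if self.key not in log:
            return False  # tracked field absent from this log: nothing to test
        value = str(log[self.key])[:MAX_VALUE_LEN]
        self._expire(now)
        if value in self.seen:
            return False
        if len(self.seen) >= self.max_tracked:
            return False  # list full (assumption: the value is not recorded either)
        self.seen[value] = now  # recorded even when no notification goes out
        if now - self.start < self.training:
            return False  # still capturing the baseline
        if self.last_trigger is not None and now - self.last_trigger < SILENCE_SECONDS:
            return False  # inside the 5 minute silence period
        self.last_trigger = now
        return True

def run_sample():
    key, h = "security.highest_registered_domain", 3600  # constructed domain logs
    alert = NewValueAlert(key, window_seconds=12 * h, training_seconds=h)
    sample = [
        (0, {key: "example.com"}),            # baseline, inside training period
        (3 * h, {key: "new-domain.test"}),    # first sighting -> trigger
        (3 * h + 60, {key: "another.test"}),  # recorded, but inside silence
        (4 * h, {"other.field": "x"}),        # tracked key missing
        (14 * h, {key: "example.com"}),       # aged out of the list -> trigger again
    ]
    return [log[key] for t, log in sample if alert.observe(log, t)]
```

`run_sample()` returns the values that would have notified, in order; the sample shows why a known value can alert again once it has aged out of the window.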
Alert snoozing is for cases where the alert was triggered and handled and there is no need for further notifications while you are focused on resolving the issue.
Snooze or disable snooze
Go to your dashboard and click the snooze button next to an alert.
Snoozed alert tooltip:
Hover over the snooze button to see who snoozed the alert and when the snooze period ends.
If you are already a Coralogix customer and have any questions, please reach out to us at email@example.com.