Learn more about Streama© – the foundational technology behind our stateful streaming data platform. Learn More

Ratio Alerts

Ratio alerts allow you to easily calculate a ratio between two log queries and trigger an alert when the ratio reaches a set threshold.

A few examples of how to utilize ratio alerts:

  • Operational Health: Monitor the number of outgoing responses to incoming requests, or the ratio of specific error codes to the overall number of errors

  • Marketing: Monitor the ratio between traffic from specific regions to overall traffic following regional campaigns

  • Security: Monitor the ratio of denied requests, specific admin operations or requests originating from blocked network domains compared to all requests

Many of you create these types of visualizations using Coralogix Kibana or our Grafana plug-in, and now you can also use the Coralogix alert engine to create ratio alerts.


Create a Ratio Alert

Choosing ‘ratio’ will open two query forms instead of one in the next section:

Define Two Queries

Next, provide a title for each query with a meaningful name (it will appear in the alert notification and create the queries).

Based on the examples we mentioned before:

Example 1

Query1 – status:504

Query2 – _exists_:status

Results: It will find the ratio between error code 504 to the overall number of response codes received. A higher than usual ratio can indicate operational issues.

Example 2

Query1 – NOT client_addr:/172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/

Query2 – _exists_:client_addr

Results: In this example, we assume that all addresses outside 172.xxx.xxx.xxx are restricted. The abnormal ratio of restricted traffic to all traffic might indicate an attack.

Example 3

Query1 – reuest_status:success

Query2 – reponse_status:rejectrequest

Results: It will find how many requests were not answered successfully out of all successful requests. A higher than usual ratio can indicate operational issues.


The condition supports either ‘more’ or ‘less’ than, for the ratio chosen in the Query1/Query2 drop-down list. The last parameter to choose is the time window.


The rest of the alert settings doesn’t change from the standard alert setup. Remember that for added flexibility you can use the time window option and define when should the alert be active.

  • Alert Cadence control.

with this option now you can control how many notification you get for any configured Alert in minutes, hours or both.

Snoozing alerts

Snooze alerts was made for those cases where the alert was triggered and handled and there’s no need for further notifications while you are focused in resolving the issue

Snooze or disable snooze

  • Go to your dashboard and click on the snooze button next to an alert

snooze alert

Snoozed alert tooltip:

  • Hover your mouse over the snooze button to see who snoozed the alert and when snooze period ends

snooze alert tooltip

Enjoy and take advantage of this new capability.

Like always if you have any questions or suggestions, please contact us in the in-app chat or send us an email at support@coralogix.com.