1
00:00:04,483 --> 00:00:04,849
The new

2
00:00:04,849 --> 00:00:05,449
value alert

3
00:00:05,449 --> 00:00:07,333
type allows you to specify a key

4
00:00:07,333 --> 00:00:08,783
in a given log.

5
00:00:08,783 --> 00:00:10,249
If this key is set to a value

6
00:00:10,249 --> 00:00:11,816
that has not been seen before

7
00:00:11,816 --> 00:00:13,183
within a given timeframe,

8
00:00:13,183 --> 00:00:15,116
then you will be alerted.

9
00:00:15,116 --> 00:00:16,283
This is very useful

10
00:00:16,283 --> 00:00:18,016
in a number of instances.

11
00:00:18,016 --> 00:00:18,866
For example,

12
00:00:18,866 --> 00:00:20,149
if you have a closed system

13
00:00:20,149 --> 00:00:22,166
and wish to alert on a new IP address,

14
00:00:22,516 --> 00:00:24,349
or if you wish to detect new error codes

15
00:00:24,349 --> 00:00:25,216
from a third-party

16
00:00:25,216 --> 00:00:28,216
API that you haven't seen before.

17
00:00:28,699 --> 00:00:29,966
Begin by defining the log

18
00:00:29,966 --> 00:00:31,816
query that you wish to run.

19
00:00:31,816 --> 00:00:32,416
The goal of this

20
00:00:32,416 --> 00:00:33,433
query is to bring back

21
00:00:33,433 --> 00:00:35,033
your log documents.

22
00:00:35,033 --> 00:00:35,783
As usual,

23
00:00:35,783 --> 00:00:37,066
you can narrow your query down

24
00:00:37,066 --> 00:00:38,666
to specific applications,

25
00:00:38,666 --> 00:00:40,583
subsystems and severity,

26
00:00:40,583 --> 00:00:42,799
which is always a good idea.

27
00:00:43,316 --> 00:00:45,499
Here you'll select your key.

28
00:00:45,499 --> 00:00:46,966
This is the key on your log document

29
00:00:46,966 --> 00:00:49,316
that you're tracking for a new value.

30
00:00:49,316 --> 00:00:51,016
Be mindful of the notice here.

31
00:00:51,016 --> 00:00:52,249
Your key needs to have fewer

32
00:00:52,249 --> 00:00:54,283
than 50,000 unique values

33
00:00:54,283 --> 00:00:56,449
within the selected timeframe.

34
00:00:56,449 --> 00:00:57,466
If it has more,

35
00:00:57,466 --> 00:00:59,416
then this alert will not trigger.

36
00:00:59,416 --> 00:01:01,783
50,000 unique values is very generous,

37
00:01:02,033 --> 00:01:02,966
so it's unlikely you'll

38
00:01:02,966 --> 00:01:03,766
run into this problem.

39
00:01:05,233 --> 00:01:07,699
Note the timeframe next to your key.

40
00:01:07,699 --> 00:01:08,866
It's important that you decide

41
00:01:08,866 --> 00:01:10,016
on the correct time window

42
00:01:10,016 --> 00:01:11,816
for your new value alerts.

43
00:01:11,816 --> 00:01:12,649
For example,

44
00:01:12,649 --> 00:01:14,183
if you choose 12 hours,

45
00:01:14,183 --> 00:01:16,316
then a value that hasn't appeared in 13

46
00:01:16,316 --> 00:01:17,566
hours would be considered

47
00:01:17,566 --> 00:01:20,116
a new value and trigger the alert.

48
00:01:20,116 --> 00:01:21,949
The new value alert allows you to detect

49
00:01:21,949 --> 00:01:23,066
when something unexpected

50
00:01:23,066 --> 00:01:23,866
has happened

51
00:01:23,866 --> 00:01:24,949
or brand new behavior

52
00:01:24,949 --> 00:01:26,899
has surfaced in your system.

53
00:01:26,899 --> 00:01:28,516
This is a key tool in tackling

54
00:01:28,516 --> 00:01:30,232
the many "known unknowns"

55
00:01:30,232 --> 00:01:32,066
that present themselves in your system

56
00:01:32,066 --> 00:01:35,516
and would otherwise go unnoticed.
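The detection logic the narration describes (a filtering query, a tracked key, a sliding timeframe, and the 50,000-unique-value cap under which the alert stops firing), as an added worked example that is not code from the video or from the alerting product it describes. The JSON log documents, the `api-gateway`/`auth`/`ERROR` query, the `source_ip` and `error_code` keys, and the tiny cap of 2 in `cardinality_cap_demo` are all constructed for illustration; the sample set includes a value that recurs 14 hours after its last occurrence so that the 12-hour-window behaviour from the transcript can be checked directly.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log documents (not taken from the video), one JSON
# document per line, as a log platform would return them for the query.
# The first document is at t0; the last is at t0 + 25h.
SAMPLE_LOGS = """
{"timestamp": "2024-05-01T00:00:00+00:00", "application": "api-gateway", "subsystem": "auth", "severity": "ERROR", "source_ip": "10.0.0.5", "error_code": "E401"}
{"timestamp": "2024-05-01T01:00:00+00:00", "application": "api-gateway", "subsystem": "auth", "severity": "ERROR", "source_ip": "10.0.0.5", "error_code": "E401"}
{"timestamp": "2024-05-01T02:00:00+00:00", "application": "api-gateway", "subsystem": "auth", "severity": "ERROR", "source_ip": "10.0.0.9", "error_code": "E401"}
{"timestamp": "2024-05-01T03:00:00+00:00", "application": "billing", "subsystem": "payments", "severity": "ERROR", "source_ip": "192.168.1.1", "error_code": "E500"}
{"timestamp": "2024-05-01T11:00:00+00:00", "application": "api-gateway", "subsystem": "auth", "severity": "ERROR", "source_ip": "10.0.0.5", "error_code": "E429"}
{"timestamp": "2024-05-02T01:00:00+00:00", "application": "api-gateway", "subsystem": "auth", "severity": "ERROR", "source_ip": "10.0.0.5", "error_code": "E401"}
""".strip().splitlines()


def matches_query(doc: dict, application: str, subsystem: str, severity: str) -> bool:
    """The narrowing query from the video: application, subsystem and severity."""
    return (doc.get("application") == application
            and doc.get("subsystem") == subsystem
            and doc.get("severity") == severity)


class NewValueAlert:
    """Alert when `key` takes a value not seen within the trailing `window`."""

    def __init__(self, key: str, window: timedelta, max_unique: int = 50_000):
        self.key = key
        self.window = window
        self.max_unique = max_unique  # cardinality cap quoted in the video
        self.last_seen: Dict[str, datetime] = {}  # value -> most recent occurrence

    def observe(self, doc: dict) -> Optional[str]:
        """Feed one document that already matched the query.

        Returns the value if it is new within the window, else None. Also
        returns None while the key has more than max_unique distinct values
        in the window (assumed reading of the 'alert will not trigger' notice).
        """
        value = doc.get(self.key)
        if value is None:
            return None
        now = datetime.fromisoformat(doc["timestamp"])
        cutoff = now - self.window
        # Forget values whose last occurrence fell out of the window; this is
        # why a value absent for 13 hours looks new to a 12-hour window.
        for stale in [v for v, t in self.last_seen.items() if t < cutoff]:
            del self.last_seen[stale]
        is_new = value not in self.last_seen
        self.last_seen[value] = now
        if len(self.last_seen) > self.max_unique:
            return None  # too many unique values in the window: suppressed
        return value if is_new else None


def run_alerts(lines: List[str], keys: List[str], window_hours: float,
               application: str = "api-gateway", subsystem: str = "auth",
               severity: str = "ERROR") -> Dict[str, List[str]]:
    """Run one new-value alert per key over the documents the query returns."""
    window = timedelta(hours=window_hours)
    detectors = {k: NewValueAlert(k, window) for k in keys}
    alerts: Dict[str, List[str]] = {k: [] for k in keys}
    for line in lines:
        doc = json.loads(line)
        if not matches_query(doc, application, subsystem, severity):
            continue
        for key, detector in detectors.items():
            hit = detector.observe(doc)
            if hit is not None:
                alerts[key].append(hit)
    return alerts


def cardinality_cap_demo() -> List[Optional[str]]:
    """Hypothetical cap of 2 (instead of 50,000) to show the suppression path."""
    detector = NewValueAlert("error_code", timedelta(hours=12), max_unique=2)
    ts = "2024-05-01T00:00:00+00:00"
    return [detector.observe({"timestamp": ts, "error_code": c})
            for c in ("E401", "E403", "E500")]


if __name__ == "__main__":
    print(run_alerts(SAMPLE_LOGS, ["source_ip", "error_code"], window_hours=12))
    print(cardinality_cap_demo())
```

With a 12-hour window, `10.0.0.5` fires at t0, stays quiet while it keeps recurring, and fires again at t0 + 25h because its last occurrence (t0 + 11h) is 14 hours old by then; the `billing` document never reaches the detector because the query excludes it. Narrowing the query as the video recommends is also what keeps the unique-value count, and therefore the cap, under control: every extra application or subsystem admitted into the query adds its own set of values for the tracked key.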