Log alerts are alert conditions based on log events and log pipelines. These alert conditions use regular expression patterns to match ingested logs and trigger LogicMonitor alerts to send you notifications when these log events or anomalies occur.
With log alerts, you can speed up your investigation by adding alert conditions to track the logs you always want to know about or creating alerts on a detected anomaly.
Reviewing alert conditions
On the Logs page, click the Pipeline Alerts icon to open the Alert Conditions page where you can review and manage your alert conditions. You can also manage pipeline alerts directly from the Pipelines page.
- Actions allow you to edit the pipeline settings or delete the pipeline.
- Severity displays the level (Critical, Error, Warning) configured for the alert condition.
- Display As shows the configured display name of the alert condition.
- RegEx displays the regular expression pattern to match log events that will trigger the alert.
- Pipeline displays the pipeline that the alert condition applies to.
- Active allows you to toggle the alert condition on and off.
Adding log alerts
You can create alert conditions directly from any log event or anomaly listed in the Logs page or from the Pipelines and Pipeline Alerts pages.
- On a log event or anomaly, open the menu at the end of the log line and select “Create log alert” to open the Add Alert Condition dialog.
- From Pipelines > Alert Conditions, click the plus sign to open the Add Alert Condition dialog.
1. (Required) Select a Pipeline to apply the alert condition.
Note: You will not be able to create a log alert if you don’t have at least one log pipelines. This is a known issue and will be fixed in an upcoming release.
2. (Required) Supply a Regular expression. This regex pattern will be used to match the logs that will trigger the alert.
Note: The regular expression is expected to follow standard Perl and Python syntax. For more information see the RE2 syntax described here.
3. Paste a log message sample to test the regex from Step 2.
4. Choose the type of alert severity level to Generate when the conditions are met (Critical, Error, Warning) and enter a display name. By default the display name will autofill with the Regular Expression from Step 2.
5. For Clear after, enter a time in minutes that the alert will persist.
6. Check Acknowledge, if you want the alert to be acknowledged before it clears.
7. Toggle Active/Enabled to activate the alert condition.
8. Click Add to save the alert condition.
When you return to the Alert Conditions page, you can review the alert you created in the table.
When log alerts conditions are matched, they trigger standard LogicMonitor alert notifications based on the alert settings (Critical, Warning, Error) and will route through the configured escalation chain.
You can also:
- View the log alert in the Logs graph, where it will display as a line alongside the alerting log event.
- Acknowledge or clear the alert in the log list.
Each pipeline can have no more than 15 alerts per minute. If the rate of alerts exceed this limit, they will be discarded and not processed.