Log Alert Conditions

Last updated on 19 October, 2022

Log alerts are alert conditions based on log events and log pipelines. An alert condition uses a regular expression pattern to match ingested log events and triggers a LogicMonitor alert, which notifies you when the matching event or anomaly occurs.

With log alerts, you can speed up your investigation by adding alert conditions for the log events you always want to know about, or by alerting on a detected anomaly.

Reviewing Alert Conditions

On the Logs page, click the Pipeline Alerts icon to open the Alert Conditions page where you can review and manage alert conditions.

  • Severity displays the level (Critical, Error, Warning) configured for the alert condition.
  • Display As shows the configured display name of the alert condition.
  • Logs query displays the regular expression pattern to match log events that will trigger the alert.
  • Pipeline displays the pipeline that the alert condition applies to.
  • Description provides a short explanation of the alert condition.
  • Active lets you toggle the alert condition on and off.

Adding Alert Conditions

You can add alert conditions directly from any log event or anomaly listed in the Logs page, or from the Pipelines and Pipeline Alerts pages.

  • From a log event or anomaly on the Logs page: Open the action menu at the beginning of the log line and select “Create Alert Condition” to open the Add Alert Condition dialog.
  • From the Pipelines page: Click on the Alert Conditions icon or count to open the Alert Conditions page, and click the plus sign to add an alert condition.

Note: You will not be able to create a log alert if you don’t have at least one log pipeline. See Log Processing Pipelines. Log queries for alert conditions cannot include aggregate functions.

In the Add Alert Condition dialog, enter information as follows:

  1. Select the Alert severity level (Critical, Error, Warning) to generate when the condition is met.
  2. Enter a Display name and a Description to be displayed in the list of alert conditions.
  3. Select a Pipeline to apply the alert condition (unless prefilled).
  4. Enter a Logs query to filter the events in the pipeline. For more information, see Writing a Filtering Query. Click the arrow to preview the results and refine your query before you save.
  5. Toggle Trigger alert to on to activate the alert condition.
  6. For Clear after, enter how long the alert persists before it clears automatically. The default is 60 minutes.
  7. Toggle Auto-clear after acknowledge to on if you want the alert to be cleared after it is acknowledged.
  8. Click the Save icon to add the alert condition.

Note: The Clear-after setting clears an alert after the specified time even if the Auto-clear after acknowledge toggle is off. Acknowledging an alert clears it only if the Auto-clear after acknowledge toggle is on.

When you return to the Alert Conditions page, you can review the alert you created in the table.

Acknowledging Alerts

When a log alert condition is matched, it triggers a standard LogicMonitor alert notification at the configured severity (Critical, Error, Warning), routed through the configured escalation chain.

You can also:

  • View the log alert in the Logs graph, where it will display as a line alongside the alerting log event.
  • Acknowledge or clear the alert in the Alerts list.

Limitations

Each pipeline can raise no more than 15 alerts per minute. Alerts beyond this limit are discarded and not processed, so an alert condition on a noisy pattern (for example, a brute-force login burst) can silently lose matches once the cap is reached.
