LogAlert Groups are used to raise alerts for specific log messages or categories of log messages. The LogAlert Groups themselves do not trigger any alerts. Instead, they group logs into categories, and alert conditions (LogAlert Group alerts) must be defined under each group to trigger the desired alerts. Typically, LogAlert Groups are applied to resources or resource groups, and the LogAlert Group alert conditions set the alert criteria, for example, matching text in the log message.

How LogAlert Groups Work

LogAlert Groups and LogAlert Group alerts are created using the LM Logs Query Language to identify which logs should trigger alerts. The querying can range from broad matches on entire resources or resource groups to very specific matches on individual log messages. You can also apply regular expressions to match specific log patterns in cases where the content differs between logs.

For example, there may be certain types of log events or anomalies that you always want to track and act on, such as errors or exceptions that should raise a notification so they can be resolved immediately. Start by creating a LogAlert Group and defining filters for the logs you want to track, as described below. Then continue by creating alert conditions for the LogAlert Group.

Recommendation: LogAlert Groups and alert conditions are checked for every received log. For performance reasons, it is therefore recommended that you narrow your LogAlert Group definitions, for example to specific device types, together with their associated alert conditions. This matters especially where you know that a device log can never match the alert, for example a Windows Event Log will never match a Syslog facility.
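To illustrate the two-level model described above (a group query selects logs, and alert conditions are evaluated only for logs that fall inside the group) and why narrowing the group query matters, here is an added Python model. It is not LogicMonitor's code and does not use the LM Logs Query Language; the log records, group filters and condition pattern are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample logs: a mix of Windows Event Log and syslog records.
SAMPLE_LOGS = [
    {"resource": "win-dc01", "type": "windows_event",
     "message": "Event 4625: An account failed to log on"},
    {"resource": "web-01", "type": "syslog", "facility": "auth",
     "message": "sshd[812]: Failed password for root from 10.0.0.5"},
    {"resource": "web-02", "type": "syslog", "facility": "daemon",
     "message": "nginx: worker process exited on signal 11"},
    {"resource": "win-fs01", "type": "windows_event",
     "message": "Event 7036: The Print Spooler service entered the running state"},
]

@dataclass
class AlertCondition:
    name: str
    pattern: str  # regular expression matched against the log message

@dataclass
class LogAlertGroup:
    name: str
    group_filter: Callable[[dict], bool]  # the group's "query": which logs belong to it
    conditions: list = field(default_factory=list)

def evaluate(groups, logs):
    """Return the fired alerts and how many condition evaluations were needed."""
    alerts, evaluations = [], 0
    for log in logs:  # every received log is checked against every group
        for group in groups:
            if not group.group_filter(log):
                continue  # group query did not match: its conditions are skipped
            for cond in group.conditions:
                evaluations += 1
                if re.search(cond.pattern, log["message"]):
                    alerts.append((group.name, cond.name, log["resource"]))
    return alerts, evaluations

# One alert condition for SSH authentication failures (hypothetical pattern).
AUTH_FAIL = AlertCondition("ssh-auth-failure",
                           r"Failed password for \S+ from \d+\.\d+\.\d+\.\d+")

def broad_vs_narrow():
    """Same condition, broad group vs. group narrowed to syslog auth facility."""
    broad = LogAlertGroup("all-logs", lambda log: True, [AUTH_FAIL])
    narrow = LogAlertGroup("syslog-auth", lambda log: log["type"] == "syslog"
                           and log.get("facility") == "auth", [AUTH_FAIL])
    broad_alerts, broad_evals = evaluate([broad], SAMPLE_LOGS)
    narrow_alerts, narrow_evals = evaluate([narrow], SAMPLE_LOGS)
    return broad_alerts, broad_evals, narrow_alerts, narrow_evals
```

Both groups fire the same single alert for web-01, but the broad group evaluates the regex against all four logs, including the two Windows Event Logs that can never match, while the narrowed group evaluates it once.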

Viewing LogAlert Groups

On the Logs page, select the LogAlert Groups icon to open the LogAlert Groups page. From here you can review and manage existing LogAlert Groups and add new ones.

  • LogAlert Group—Shows the name of the LogAlert Group.
  • Query—Lists the filtering conditions that define the log events in the LogAlert Group, for example, the resources from which the logs are received.
  • Alert Conditions—Lists the number of alert conditions defined for that LogAlert Group. Select the icon or count to open the Alert Conditions page for the LogAlert Group to configure alert conditions. For more information, see LogAlerts.
  • Description—Provides information about the LogAlert Group.

Select a LogAlert Group in the list to review and edit its settings, or to delete the LogAlert Group.

Adding LogAlert Groups

You can add LogAlert Groups from the Logs or LogAlert Groups pages:

  • From a log event or anomaly in the Logs page: Open the menu for Resource or Groups, and select Create LogAlert Group. This opens the Add LogAlert Group dialog with the Logs query field prefilled with matching events for the selected resource or groups.
  • From the LogAlert Groups page: Select the plus sign to open the Add LogAlert Groups dialog and add a new LogAlert Group.

Adding LogAlert option on Logs page

In the Add LogAlert Groups dialog, enter information as follows:

  1. Enter a Display Name (required) and Display Description. These will appear in the LogAlert Group list.
  2. Under Logs query, define the events to match using the logs query language (unless prefilled). For more information, see Query Language Overview. Select the arrow to preview the results and refine your query before you save.
  3. Select the Save icon to add the LogAlert Group.

Note:
You can create a maximum of 20 LogAlert Groups with a maximum of 55 alert conditions for each LogAlert Group. Within those 55 alert conditions, each LogAlert Group can include up to 10 window alerts and 10 stateful alerts.

If you have existing LogAlert Groups and alert conditions that exceed these limits, they will continue to function. However, you cannot create new LogAlert Groups or alert conditions until you are within the supported limits. To proceed, you may need to consolidate existing LogAlert Group conditions.

To request an increase in the number of LogAlert Groups, contact your Customer Success Manager (CSM).

When you return to the LogAlert Groups page, you can review the LogAlert Group you created in the table.

After adding a LogAlert Group, continue by defining its alert conditions. For more information, see LogAlerts.

Note: You can also create a LogAlert Group for unmapped resources. Since there is no LM-monitored resource or resource group for these, LogicMonitor automatically associates the LogAlert Group with a special resource and resource group. The resource name is the same as the LogAlert Group name. The resource group for unmapped resources is called “LogAlert GroupResources”. For more information, see Deviceless Logs.