Log Service lets you set alert severity statically or dynamically. If you set the severity without a condition, it is static. If you add a condition, it becomes dynamic.
For example, when you monitor website access logs, you can trigger alerts with different severities based on the ratio of HTTP 500 errors in the last 15 minutes compared to the same period yesterday. The following example demonstrates this.
Log Service evaluates the query and statistics results against each trigger condition in order. Once a result matches a trigger condition, Log Service does not evaluate the subsequent conditions. Therefore, you must configure the trigger conditions in order from the highest severity to the lowest.
The key parameters are as follows:
- Query and statistics:
  host:www.example.com and status = 500 | select coalesce(diff[2],0) as ratio from (select compare(cnt,86400) as diff from (select count(1) as cnt from log))
  This query and analysis statement calculates the ratio of HTTP 500 errors on the website in the last 15 minutes compared to the same period yesterday. The result is aliased as ratio.
- Trigger Condition:
  - Data exists, ratio>1, severity: Critical
    When the value of ratio in the query and analysis results is greater than 1, a Critical-level alert is triggered.
  - Data exists, ratio>=0.5, severity: High
    When the value of ratio in the query and analysis results is greater than or equal to 0.5, a High-level alert is triggered.
  - Data exists, ratio>0.05, severity: Medium
    When the value of ratio in the query and analysis results is greater than 0.05, a Medium-level alert is triggered.
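The first-match evaluation described above, applied to this page's three trigger conditions, as an added example (not Log Service code). The helper names `evaluate` and `shadowed` are hypothetical and the sample ratios are constructed; the block also shows which severities can never fire when the conditions are listed lowest severity first.

```python
import operator

# Trigger conditions from the page, highest severity first: (operator, threshold, severity).
CONDITIONS = [(">", 1, "Critical"), (">=", 0.5, "High"), (">", 0.05, "Medium")]
OPS = {">": operator.gt, ">=": operator.ge}


def evaluate(ratio, conditions):
    """Return the severity of the first matching condition, or None.

    ratio is None when the query returned no rows ("Data exists" is false).
    """
    if ratio is None:
        return None
    for op, threshold, severity in conditions:
        if OPS[op](ratio, threshold):
            return severity  # first match wins; later conditions are skipped
    return None


def shadowed(conditions):
    """Return severities that can never fire because an earlier condition
    already matches every ratio they would match."""
    dead = []
    for i, (op_b, t_b, sev_b) in enumerate(conditions):
        for op_a, t_a, _ in conditions[:i]:
            # True when {ratio op_b t_b} is a subset of {ratio op_a t_a}.
            covered = t_b > t_a or (t_b == t_a and not (op_a == ">" and op_b == ">="))
            if covered:
                dead.append(sev_b)
                break
    return dead


if __name__ == "__main__":
    # Constructed sample ratios, not real query output.
    for ratio in (None, 0.02, 0.05, 0.3, 0.5, 1, 2.5):
        print(ratio, "->", evaluate(ratio, CONDITIONS))
    misordered = list(reversed(CONDITIONS))  # Medium listed first
    print("misordered, ratio=2.5 ->", evaluate(2.5, misordered))
    print("never fire when misordered:", shadowed(misordered))
```

Running `shadowed` over a rule set before saving it catches an ordering in which a 2.5x spike in HTTP 500 errors would only ever be reported as Medium.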