You can use the annotations, fire_results, and results variables in an alert template to reference log content in alert notifications.
Simple Log Service (SLS) can display the details of an alert in alert notifications. You can view alert details when you receive an alert notification. To include alert details in an alert notification, you must configure the required parameters when you create an alert monitoring rule and add the annotations, fire_results, and results variables to the alert template that is used. For more information, see Variables in alert templates (new version).
annotations: the annotations of an alert
fire_results: the data records for which an alert is triggered
results: the query parameters and intermediate results
For example, to monitor access to NGINX, use the following query statement to obtain the status code that is returned for each access error, the IP address of the machine on which the error occurred, and the number of times that the error occurred. Then, create an alert monitoring rule based on this information and reference the information in the alert template. If a status code is 400 or greater, SLS sends you an alert notification that includes the status code, the IP address of the machine on which the error occurred, and the number of times that the error occurred.
Query statement
status >= 400 | SELECT status, __source__ AS ip, count(*) AS cnt GROUP BY status, ip
Query results

Use the annotations variable
Use the annotations variable in an alert template to reference log content in alert notifications.
Alert monitoring rule
Manually add information about annotations or turn on Auto-Add Annotations to automatically add information about annotations when you create an alert monitoring rule. After an alert is triggered, information about annotations is generated and included in the alert message. For more information, see Annotations.
Note: SLS provides two annotations by default.
For example, to add the status code that is returned for an access error, the IP address of the machine on which the error occurred, and the number of times that the error occurred to alert messages, add annotations such as status:${status}, ip:${ip}, and cnt:${cnt}.
Manually add information about annotations

Turn on Auto-Add Annotations to automatically add information about annotations

Alert message
After an alert is triggered, SLS generates an alert message that contains the following information:
{
  "annotations": {
    "title": "Alert is triggered by an NGINX access error",
    "desc": "The error that is indicated by the status code 400 occurred 15 times",
    "status": "400",
    "ip": "127.0.0.1",
    "cnt": "15",
    "__count__": "1"
  }
}
Alert template
Add the annotations variable to the alert template to reference specified log content in alert notifications. For more information about how to create an alert template, see Create an alert template.

Use the fire_results variable
Use the fire_results variable in an alert template to reference log content in alert notifications.
Alert monitoring rule
SLS generates alert messages based on the alert monitoring rule that you create.

Alert message
After an alert is triggered, SLS generates an alert message that contains the following information. The information includes the status code that is returned and indicates an access error, IP address of the machine on which the error occurred, and number of times that the error occurred.
{
  "fire_results": [
    { "status": "401", "ip": "127.0.0.1", "cnt": "3" },
    { "status": "400", "ip": "127.0.0.1", "cnt": "7" },
    { "status": "501", "ip": "127.0.0.1", "cnt": "4" },
    { "status": "404", "ip": "127.0.0.1", "cnt": "4" },
    { "status": "402", "ip": "127.0.0.1", "cnt": "6" },
    null
  ]
}
Alert template
Add the fire_results variable to the alert template to reference specified log content in alert notifications. For more information about how to create an alert template, see Create an alert template.

Use the results variable
Use the results variable in an alert template to reference log content in alert notifications.
Alert monitoring rule
SLS generates alert messages based on the alert monitoring rule that you create.

Alert message
After an alert is triggered, SLS generates an alert message that contains the following information. The information includes the status code that is returned and indicates an access error, IP address of the machine on which the error occurred, and number of times that the error occurred.
Note: If an alert monitoring rule contains multiple query statements, the results array contains multiple items. Each item corresponds to a query statement.
{
  "results": [{
    "store_type": "log",
    "region": "cn-hangzhou",
    "project": "test-alert",
    "store": "nginx-access-log",
    "query": "status >= 400 | select status, __source__ as ip, count(*) as cnt group by status, ip",
    "start_time": 1640006894,
    "end_time": 1640007014,
    "dashboard_id": "",
    "raw_results": [
      { "status": "401", "ip": "127.0.0.1", "cnt": "3" },
      { "status": "400", "ip": "127.0.0.1", "cnt": "7" },
      { "status": "501", "ip": "127.0.0.1", "cnt": "4" },
      { "status": "404", "ip": "127.0.0.1", "cnt": "4" },
      { "status": "402", "ip": "127.0.0.1", "cnt": "6" },
      null
    ],
    "raw_result_count": 6,
    "fire_result": { "status": "401", "ip": "127.0.0.1", "cnt": "3" },
    "has_sql": true,
    "truncated": false,
    "role_arn": ""
  }]
}
Alert template
Add the results variable to the alert template to reference specified log content in alert notifications. For more information about how to create an alert template, see Create an alert template.

Template variables
If you reference a variable in the JSON format in an alert template, such as {{ alert.results[0].raw_results | to_json }}, the content of the variable is displayed as a JSON string in alert notifications. You can also use a loop in the alert template to display the content line by line in alert notifications, which makes the content easier to read. For more information, see Syntax for new alert templates. Example:
{%- for result in alert.fire_results %}
- status: {{ result.status }}, count: {{ result.cnt }}
{%- endfor %}
SLS allows you to use built-in functions to format the content of alert notifications. For more information, see Syntax for new alert templates and Built-in functions in alert templates.
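The following is an added example, not part of the SLS documentation or product code: a receiver-side Python function that turns the results structure shown above into the same line-by-line form as the template loop. It assumes the alert message reaches the receiver as JSON (for example, rendered with to_json); the function name summarize_results and the shortened sample payload are constructed for illustration. It skips the null entry that ends the sample arrays and converts cnt from a string before sorting.

```python
import json

# Constructed sample: the "results" alert message from this page, shortened to three rows.
SAMPLE_ALERT = json.loads("""
{ "results": [{
    "store": "nginx-access-log",
    "query": "status >= 400 | select status, __source__ as ip, count(*) as cnt group by status, ip",
    "raw_results": [
      { "status": "401", "ip": "127.0.0.1", "cnt": "3" },
      { "status": "400", "ip": "127.0.0.1", "cnt": "7" },
      { "status": "402", "ip": "127.0.0.1", "cnt": "6" },
      null
    ]
}] }
""")


def summarize_results(alert):
    """Return text lines for every query in the alert, highest count first."""
    lines = []
    for index, result in enumerate(alert.get("results") or []):
        if not isinstance(result, dict):
            continue
        rows = []
        for row in result.get("raw_results") or []:
            # The sample arrays end with a null entry; skip it and any row
            # that lacks the fields selected by the query statement.
            if not isinstance(row, dict):
                continue
            try:
                cnt = int(row["cnt"])  # values arrive as strings ("7"), not numbers
                rows.append((cnt, str(row["status"]), str(row["ip"])))
            except (KeyError, TypeError, ValueError):
                continue
        rows.sort(key=lambda r: (-r[0], r[1]))
        lines.append(f"query {index} on {result.get('store', '?')}: {len(rows)} row(s)")
        lines += [f"- status: {s}, ip: {ip}, count: {c}" for c, s, ip in rows]
    return lines


if __name__ == "__main__":
    print("\n".join(summarize_results(SAMPLE_ALERT)))
```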