All Products
Search
Document Center

Simple Log Service:Syntax of trigger conditions in alert rules

Last Updated:Mar 01, 2024

This topic describes the syntax of trigger conditions in alert rules.

You can use variables to reference log fields in the trigger condition of an alert rule. To evaluate the alert rule, Simple Log Service performs log queries based on the query statements that are specified in the alert rule and checks whether the query results meet the trigger condition. If the trigger condition is met, an alert is triggered.

Limits

This section lists the limits of trigger conditions:

  • Negative numbers must be enclosed with parentheses (), for example, x+(-100)<100.

  • Numeric values are converted into 64-bit floating-point numbers. Therefore, the result of an alert rule evaluation may be inaccurate if a comparison is involved.

  • A variable name can contain only letters and digits and must start with a letter.

  • A trigger condition must be 1 to 128 characters in length.

  • If an alert rule is associated with multiple charts, multiple queries are performed during each alert rule evaluation. Therefore, multiple sets of log entries are returned as the query results. Simple Log Service selects a log entry from each set and checks whether the combination of the selected log entries meets the trigger condition. For each alert rule evaluation, Simple Log Service checks a maximum of 1,000 log entry combinations. An alert is triggered if one of the combinations meets the trigger condition.

  • An alert rule can be associated with a maximum of three charts or query statements.

  • If the result of a trigger condition is true, it means that the trigger condition is met. In this case, an alert is triggered. For example, if the trigger condition is 100+100, the results is 200 and no alert is triggered.

  • Simple Log Service reserves two words: true and false. It also reserves two special characters: dollar sign ($) and period (.). These words and special characters cannot be used as variables.

Syntax

The following table lists the syntax that is used in trigger conditions.

Syntax type

Operation

Description

Arithmetic operators

Supports the addition (+), subtraction (-), multiplication (*), division (/), and modulus (%) operators.

  • x * 100 + y > 200

  • x % 10 > 5

Comparison operators

Supports eight comparison operators: greater-than (>), greater-than-or-equal-to (>=), less-than (<), less-than-or-equal-to (<=), equal-to (==), not-equal-to (!=), match (=~), and not-match (!~).

Note
  • Backslashes (\) in regular expressions must be escaped.

  • The Regular Expression 2 (RE2) syntax is used. For more information, see Syntax.

  • x >= 0

  • x < 100

  • x <= 100

  • x == 100

  • x == "foo"

  • x =~ "\\w +"

Logical operators

Supports the AND (&&) and OR (||) operators.

  • x >= 0 && y <= 100

  • x > 0 || y >0

Not operator

Supports the not operator (!).

!(a < 1 && a > 100)

Numeric constants

Supports numeric constants. Simple Log Service converts numeric constants into 64-bit floating-point numbers.

x > 100

String constants

Supports string constants in the format of 'String', for example, 'string'.

foo == 'string'

Boolean constants

Supports true and false.

(x > 100) == true

Parentheses

Supports parentheses (). You can use parentheses to override the standard precedence order and force Simple Log Service to evaluate the enclosed part of a trigger condition before an unenclosed part.

x * (y + 100) > 100

Function that is named contains

Supports the contains function. The contains function checks whether a string contains a substring. For example, contains(foo, 'hello') returns true if the string that is referenced by the foo variable includes a hello substring.

contains(foo, 'hello')

Trigger conditions in alert rules that are associated with multiple charts

  • Syntax

    An alert rule can be associated with multiple query statements. If you want to use a variable in the trigger condition to reference a field from the result of a query statement, you must prefix the variable with the serial number of the query statement in the format of $N.fieldname. The serial number of a query statement is the same as the serial number of the chart that plots the result of the query statement. For more information, see How can I view the serial number of a chart? The value range of N is 0 to 2 because each alert rule is associated with a maximum of three query statements. For example, $0.foo references the value of the foo field from the result of the first query statement. If an alert rule is associated with only one query statement, you do not need to specify the prefix in the trigger condition.

  • Evaluation

    During an evaluation of an alert rule, if multiple queries are performed and multiple sets of log entries are returned as the query results, Simple Log Service uses only the query results whose fields are referenced in the trigger condition. For example, three sets of log entries are returned. The number of log entries in the first set is z, the number of log entries in the second set is y, and the number of log entries in the third set is z. If the trigger condition is $0.foo > 100 && $1.bar < 100, Simple Log Service uses only the first set and the second set during the alert rule evaluation. Simple Log Service selects a log entry from each of the two sets and checks whether the combination of the selected log entries meets the trigger condition. Simple Log Service checks x × y combinations. If the result of x × y exceeds 1,000, Simple Log Service checks only 1,000 combinations. If one of the combinations meets the trigger condition, Simple Log Service triggers an alert.

Operator implementation

Note
  • Simple Log Service converts all numeric values into 64-bit floating-point numbers.

  • A string constant must be enclosed in single quotation marks ('') or double quotation marks (""), for example, 'string' or "string".

  • Boolean values include true and false.

Operator

Implementation

Operation between variables

Operation between a non-string constant and a variable

Operation between a string constant and a variable

Arithmetic operators: addition (+), subtraction (-), multiplication (*), division (/), and modulus (%)

Before an arithmetic operator is applied, the left and right operands are converted into 64-bit floating-point numbers.

Not supported.

Comparison operators:

greater-than (>), greater-than-or-equal-to (>=), less-than (<), less-than-or-equal-to (<=), equal-to (==), and not-equal-to (!=)

Simple Log Service uses the following comparison rules that are sorted in the precedence order:

  1. The left and right operands are converted into 64-bit floating-point numbers and then compared based on the numerical order. If the conversion fails, the next rule applies.

  2. The left and right operands are converted into strings and then compared based on the lexicographic order.

The left and right operands are converted into 64-bit floating-point numbers and then compared based on the numerical order.

The left and right operands are converted into strings and then compared based on the lexicographic order.

Regular expression operators:

regex match (=~) and regex not match (!~)

Before a matching operator is applied, the left and right operands are converted into strings.

Not supported.

Before a matching operator is applied, the left and right operands are converted into strings.

Logical operators:

AND (&&) and OR (||)

A logical operator cannot be applied to log fields. The left and right operands must be conditional expressions. The result that a logical operator returns is of the Boolean data type.

Not operator (!)

The not operator cannot be applied to log fields. The right operand must be a conditional expression. The result that the not operator returns is of the Boolean data type.

Function that is named contains

Before the contains function is run, the input parameters are converted into strings.

Not supported.

Before the contains function is run, the input parameters are converted into strings.

Parentheses ()

Parentheses are used to override the standard precedence order and force Simple Log Service to evaluate the enclosed part of a trigger condition before an unenclosed part.