Learn how you can create, snooze and delete a logs alert.

You can create alerts for your logs data and see the firing events of an alert.

Alerts Browser

Use the Alerts Browser to create and manage your logs alerts. To see the logs alerts you created, click the Logs Alerts tab.

An annotated screenshot of the logs alerts on the Alerts Browser.

Create a Logs Alert

Follow these steps to create a logs alert:

Go to the Alerts Browser

  1. Log in to your product instance as a user with the Alerts and Logs permissions.
  2. On the toolbar, click Alerting > All Alerts.
  3. Click Create Logs Alert.

Step 1: Filter the Data

Use the filters to query the logs data:

  1. Enter a unique name for the query.
  2. Filter the logs data for which you want to create the alert. There are two types of query filters:
    • Use a word or phrase in the log message:
      1. Next to Text Contains, click Search Logs for Text Containing.
      2. Enter the text and press Enter.
      3. To add more filters like this, click the + icon next to the filter.
    • Use tags:
      1. Next to Filters, click Add.
      2. Select Filter by Operator.
      3. Click the Choose Filter drop-down menu, select the tag key, and select the tag value.
      4. To add more filters like this, click the + icon next to the filter.
      Settings:
      • Filters: You can use the following filter operators to get the log data and create the alert. If you select more than one value for a filter, the alert fires when any of the specified values in a filter is in a log and when the alert condition is met.
        • Contains: You get the logs that include the tag values you define.
        • Does not contain: You get the logs that don't include the tag values you define.
        • Starts with: You get the logs that have tag values that start with the tag value you selected.
        • Does not start with: You get the logs that have tag values that don't start with the tag value you selected.
      • Tags: Select a tag key and the corresponding tag values from the drop-down list. The tags you see here are the log attributes you send. See Log Attributes for details.
  3. If you add more than one Filter by Operator, select one of the following options:
    • All: The logs alert you create fires only when all the filters in the query are met.
    • Any: The logs alert fires if any filter in the query is met.
  4. Click Next.

Example:

Get the logs that match any of the following conditions:

  • The access_token_length value is 4600.
  • The access_token_length value does not start with 1278.

A screenshot of the query that is described in this example.

Step 2: Define the Alert Conditions

You can configure the alert to fire in real time, or you can configure the alert to fire when the alert conditions are met for the selected time window.

  • Fire alerts in real time, when a log matches the query:
    1. Click the drop-down menu for Trigger Condition and select Real Time.
    2. Select the severity for the Alert Condition.
    3. Click Next.
  • Fire alerts when the alert condition is met for a specified time window.
    1. Click the drop-down menu for Trigger Condition and select a time window. For example, select 5 minutes.
    2. (Optional) You can group the logs data you see on the chart. For Group By, click + Logs Tag to select a tag and group the logs.
    3. Define the alert conditions that need to be met for the time window you selected. You must configure a threshold for at least one severity (critical, immediate, warning, or info).
      Alert condition types:
      • Count of Events: The alert fires when the number of logs for the selected time window is greater than the alert threshold you define.
      • Unique count: The alert fires when the number of logs that include the tag you selected is greater than or less than the alert threshold you define.
      • Average: The alert fires when the average number of logs that include the tag you selected is greater than or less than the alert threshold you define.
      • Maximum: The alert fires when the maximum number of logs that include the tag you selected is greater than or less than the alert threshold you define.
      • Minimum: The alert fires when the minimum number of logs that include the tag you selected is greater than or less than the alert threshold you define.
      • Sum: The alert fires when the sum of the logs that include the tag you selected is greater than or less than the alert threshold you define.
    4. Click Next.

Example: The alert fires if the alert conditions you set are true for 5 minutes:

  • Critical state if the number of logs is greater than 4.
  • Info state if the number of logs is greater than 1.

A screenshot of the alert conditions explained above
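
The Step 1 query and Step 2 thresholds above, modelled in Python as an added example (not product code and not part of the original documentation). It assumes Contains is an exact match on a selected tag value, a log without the tag matches no filter, and the highest exceeded severity wins; the log records and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Assumption: "Contains" is an exact match on a selected tag value and
# "Starts with" is a prefix match; negated operators invert those.
OPERATORS = {
    "contains": lambda v, x: v == x,
    "does_not_contain": lambda v, x: v != x,
    "starts_with": lambda v, x: v.startswith(x),
    "does_not_start_with": lambda v, x: not v.startswith(x),
}
SEVERITY_ORDER = ["critical", "immediate", "warning", "info"]  # highest first

def filter_matches(log, flt):
    """One Filter by Operator: true if any selected value satisfies it."""
    tag, op, values = flt
    if tag not in log["tags"]:  # assumption: missing tag never matches
        return False
    return any(OPERATORS[op](log["tags"][tag], x) for x in values)

def query_matches(log, filters, mode):
    """Combine filters with All (every filter) or Any (at least one)."""
    combine = all if mode == "all" else any
    return combine(filter_matches(log, f) for f in filters)

def evaluate_window(logs, filters, mode, thresholds, end, window):
    """Count of Events for one window; returns (count, severity or None)."""
    start = end - window
    count = sum(1 for log in logs
                if start < log["ts"] <= end and query_matches(log, filters, mode))
    for sev in SEVERITY_ORDER:  # assumption: highest exceeded severity wins
        if sev in thresholds and count > thresholds[sev]:
            return count, sev
    return count, None

# The page's Step 1 query and Step 2 thresholds.
FILTERS = [
    ("access_token_length", "contains", ["4600"]),
    ("access_token_length", "does_not_start_with", ["1278"]),
]
THRESHOLDS = {"critical": 4, "info": 1}
END = datetime(2024, 1, 1, 12, 5)  # constructed window end
# Constructed sample logs, one every 30 seconds before END.
SAMPLE = [{"ts": END - timedelta(seconds=30 * i), "tags": {"access_token_length": v}}
          for i, v in enumerate(["4600", "1278", "12780", "3100", "4600", "990", "2048"])]

if __name__ == "__main__":
    for mode in ("any", "all"):
        print(mode, evaluate_window(SAMPLE, FILTERS, mode, THRESHOLDS, END, timedelta(minutes=5)))
```

With Any, the negated filter alone matches almost every log, so the sample reaches the Critical threshold; with All, only the two 4600 logs count and the alert stays at Info.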

Step 3: Add a Recipient to the Alert

Email and Webhook notifications are coming soon to Logs Alerts!

Step 4: (Optional) Customize the Alert Firing Message

You can customize the alert firing message and add information to help users understand why the alert fired.

Settings:

  • Recommendations: Add information that is useful to the alert recipient. This field supports Markdown. You can click Preview to preview the Markdown output.
  • Notification Metadata: Add key-value pairs to send additional information in the logs alert firing message.

After you customize the message, click Next.

Step 5: Name and Activate the Logs Alert

  1. Enter the Alert name.
  2. (Optional) Add a Description to your logs alert. This field supports Markdown. You can click Preview to preview the Markdown output.
  3. Click Activate to create the alert.

Example: A screenshot of the section to name and add a description to the alert.

Once the logs alert is successfully created, you are redirected back to the Alerts Browser page. To see the logs alert you created, search for your alert, and see the status and firing details of the alert.

See Logs Alerts that Fired

Follow these steps to see the firings of a logs alert. You see up to five firing events in the last thirty days.

  1. On the Alerts Browser, click the Logs Alerts tab.
  2. Search for the alert you want to edit. You can search for the alert by name, status, severity, or a saved search.
  3. Click the alert name.
  4. Click Show Firings at any time to see when the alert fired and fine-tune the behavior based on that information.

The Recent Firings pane shows the last five firing events in the last thirty days. Don’t see any data? That is because the logs alert did not fire in the last thirty days.
Example: screenshot of alert firing timeline you see when you click Show Firings.

Edit a Logs Alert

Users with the Alerts and Logs permissions can update a logs alert at any time. Follow these steps to update the logs alert.

  1. On the Alerts Browser, click the Logs Alerts tab.
  2. Search for the alert you want to edit. You can search for the alert by name, status, severity, or a saved search.
  3. Click the alert name.
  4. Click the section you want to change.
  5. Once all the changes are made, click Save in the top right.

Snooze and Unsnooze a Logs Alert

Snooze a Logs Alert

If you are running tests and don’t want a logs alert to fire, follow these steps to pause the logs alert from firing for a specified time window:

  1. On the Alerts Browser, click the Logs Alerts tab.
  2. Select the check box next to the logs alert. You can select more than one logs alert.
  3. Click Snooze and select how long you want to snooze the alert.

Unsnooze a Logs Alert

Follow these steps once you are done with your testing and you want the logs alert to fire when its conditions are met.

  1. On the Alerts Browser, click the Logs Alerts tab.
  2. Filter the logs alerts you snoozed using the Snoozed Status.
  3. Select the check box next to the logs alert. You can select more than one logs alert.
  4. Click Unsnooze. The logs alert changes to the Checking state.

Delete a Logs Alert

Follow these steps to delete a logs alert you no longer need:

  1. On the Alerts Browser, click the Logs Alerts tab.
  2. Select the check box next to the logs alert. You can select more than one logs alert.
  3. Click Delete. Once deleted you don’t see the logs alert.

Logs Alert FAQs

What are the logs alert limits?

Operations for Applications uses VMware Aria Operations for logs. See the limitations listed on the Operations for logs documentation (scroll to Limits) when creating and managing logs alerts.