IBM Cloud Logs multi-condition alerts
With IBM® Cloud Logs, you can configure one alert with up to 5 condition rules. Each condition rule defines a threshold, a time frame, and a priority. When a condition rule is met, an alert is triggered with the priority associated with that condition rule. If more than 1 condition rule meets the triggering criteria, the alert that triggers corresponds to the condition rule with the highest priority.
Triggered alert conditions with their associated priority can be viewed in Incidents.
IBM Cloud Logs has 5 priority values from highest priority to lowest priority:
P1, P2, P3, P4, P5
These priority values determine the importance of the issue that is alerted.
Multiple conditions can be configured for the following alert types:
[*] - Multiple conditions are not supported for notify immediately alerts.
Condition processing
When configuring multiple conditions for an alert, you need to be aware of how those conditions are processed and displayed.
Alert triggering
The condition rules determine an alert's priority when the alert condition is met and the alert is triggered.
If an alert matches the conditions for multiple priorities, the highest priority value is applied. For example, if an alert would trigger for a condition that is defined as P1 and a condition that is defined as P2 as well, the P1 priority is applied to the alert. P1 is the highest priority.
On the Incidents page, the alert is displayed with a P1 priority and the information that triggered the alert.
When you configure multiple condition rules, the first condition rule that is defined sets the severity of the alert that is displayed in the Incidents page. The first condition rule also sets the severity, triggering condition, and other alert definition details of the event that is sent to the IBM Cloud Event Notifications service. The severity and alert definition details of the condition rule that triggers the alert are not used for the event notification unless it matches the first condition rule configured through the UI, CLI, API or Terraform. For this reason, it is important that you configure your rule conditions in the desired priority order, top down. For example, you might want the notification to have a higher severity than the triggered alert priority. In this case, make sure you organize your conditions from highest priority to lowest priority.
Alert Management display
When you configure alert conditions using the UI or API, only the priority of the first configured condition will be displayed on the Alert Management page even if multiple conditions are configured.
If you always want the highest priority configured for the alert to be displayed on the Alert Management page, make sure the highest priority condition is the first configured condition.
Time frame groups
Time frames for all conditions that are configured for an alert must be within the same time frame group.
| Group | Time frame |
|---|---|
| 1 | 1 minute - 30 minutes |
| 2 | 1 hour - 6 hours |
| 3 | 12 hours - 36 hours |
For example, if you configure an alert condition with a time frame in group 2, all other conditions for that alert must also be in group 2.
Conditions for metrics alerts
For metric alerts, you can set the threshold when conditions are met for at least, at least once, or for over x% in a specific time period.
- `for at least`: This option specifies that the condition must be met for the entire specified time period. For example, if you set `for at least 5 minutes`, the metric must exceed the threshold continuously for the entire 5-minute duration.
- `at least once`: This option is the most minimal condition. The alert triggers if the threshold is crossed at least one time within the specified time period. For example, `at least once in 5 minutes` means that if the metric exceeds the threshold even one time within that 5-minute window, the alert is triggered.
- `for over x%`: Use this option to set a duration percentage rather than a number of times the condition occurs. The `for over x%` option specifies that the condition must be true for more than a certain percentage of the time within the selected time window. For example, if you set `for over 10% of 10 minutes`, the metric must exceed the threshold for more than 1 minute (10% of 10 minutes) in that time period for the alert to trigger. If the percentage is set to 0 and the query crosses the threshold one time, an alert is triggered. If the percentage is set to 100, all of the time window values must exceed the threshold for the alert to trigger.
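The rules from Alert triggering, Time frame groups and the metric conditions above can be checked together in a small Python model. This is an added example, not IBM Cloud Logs code or its API. The `Rule` fields, the one-sample-per-minute resolution and the handling of an incomplete window are assumptions.

```python
from dataclasses import dataclass

# Time frame groups from the table above, as inclusive bounds in minutes.
GROUPS = {1: (1, 30), 2: (60, 360), 3: (720, 2160)}

@dataclass
class Rule:  # hypothetical model of one condition rule, not an IBM schema
    priority: int      # 1 = P1 (highest) ... 5 = P5 (lowest)
    threshold: float
    minutes: int       # time frame
    mode: str          # "for_at_least", "at_least_once" or "for_over_pct"
    pct: float = 0.0   # used only by "for_over_pct"

def group_of(minutes):
    return next((g for g, (lo, hi) in GROUPS.items() if lo <= minutes <= hi), None)

def lint(rules):
    """List where a definition departs from the limits and ordering advice above."""
    if not 1 <= len(rules) <= 5:
        return ["an alert takes 1 to 5 condition rules"]
    issues = []
    groups = {group_of(r.minutes) for r in rules}
    if len(groups) != 1 or None in groups:
        issues.append("time frames must all fall in one time frame group")
    if rules[0].priority != min(r.priority for r in rules):
        issues.append("first rule is not the highest priority")
    return issues

def is_met(rule, samples):
    """samples: one metric value per minute, newest last (assumed resolution)."""
    window = samples[-rule.minutes:]
    if len(window) < rule.minutes:
        return False  # assumption: an incomplete window never triggers
    frac = sum(v > rule.threshold for v in window) / len(window)
    if rule.mode == "for_at_least":
        return frac == 1
    if rule.mode == "at_least_once":
        return frac > 0
    # for over x%: strictly more than x% of the window; 100 means every value
    return frac == 1 if rule.pct >= 100 else frac > rule.pct / 100

def evaluate(rules, samples):
    """Return (triggered priority, first-defined rule's priority) or None."""
    met = [r for r in rules if is_met(r, samples)]
    return (min(r.priority for r in met), rules[0].priority) if met else None

# Constructed sample: 10 one-minute readings, two of them above 90.
SAMPLES = [40, 42, 95, 41, 43, 97, 44, 45, 46, 47]
RULES = [Rule(3, 90, 10, "for_at_least"),        # P3 defined first
         Rule(1, 90, 10, "for_over_pct", 10),    # P1: over 90 for > 10% of 10 min
         Rule(2, 90, 10, "at_least_once")]
```

With the constructed data, `evaluate(RULES, SAMPLES)` returns `(1, 3)`: the alert triggers as P1 while the first-defined rule, whose details are used for the event notification, is P3, which is the mismatch `lint` reports.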