Why are my alerts not being sent?

Depending on how your alerts are configured in IBM® Cloud Logs, those alerts might not be triggered as intended.

You have one or more alerts that are configured in IBM Cloud Logs. However, the alerts are not being sent as intended.

Alerts might not be sent for several reasons, including:

  • Logs are processed into a TCO pipeline that does not support alerts.
  • Insufficient time has passed for the alert to be issued.
  • The alert is incorrectly configured.
  • Integration between IBM Cloud Logs and IBM Cloud Event Notifications is not correctly configured.

To resolve your alerting issues, you need to determine the cause of the problem, and then make the appropriate changes to your environment.

Are alerted logs sent to the Store and search pipeline?

If the logs where you are expecting alerts are being sent to the Store and search TCO pipeline, then alerts are never sent on those logs. Alerts are only sent on logs in the Priority insights and Analyze and alert pipelines.

If you need to alert on these logs, reconfigure your TCO pipelines so the logs flow to either the Priority insights or Analyze and alert pipeline.

You can determine the pipeline where the log is being sent by using a DataPrime query in the IBM Cloud Logs UI logs view:

source logs
| filter $m.logid == '<LOG ID>'
| create $d.TCO from $m.priorityclass

Where <LOG ID> is the log ID value for the log that you are questioning.

To determine the log ID value, from the IBM Cloud Logs UI logs view, do the following.

  1. Hover over the log line number in question and click the three dots.
  2. Click Copy Permalink.
  3. Paste the value to a text editor.
  4. Find the <LOG ID> value. This value is prefixed by logId=. For example, f5a16fe9-9817-4976-8aaa-5a2ef7c8c1e7

Figure: Finding the TCO pipeline for a log. The TCO value must display high or medium for alerts on the log to be sent.

If the TCO value is low, the log is being sent to the Store and search pipeline, and logs in that pipeline cannot trigger alerts.

Has enough time elapsed?

Keep the following timing considerations in mind for alerts.

  • When you change your alert configuration, it can take up to 15 minutes for alerts to be triggered with the new or changed configuration.

  • If an alert is configured to be sent immediately when a log with the matching criteria is received, the log can be seen in the UI before the alert is triggered.

    A 1-minute period must elapse between when IBM Cloud Logs receives a log and when an immediate alert is triggered.

Is your alert correctly configured?

While you might think that a log matches the criteria for an alert to be triggered, an alert configuration error might exist that keeps the alert from being triggered.

Review your alert configuration for errors such as:

  • Do the values of the Application, Subsystem, and Severity of the alert configuration match the values of the log that triggers the alert?

  • Are any field.keyword values greater than 256 characters in length? IBM Cloud Logs supports a maximum field length of 256 characters.

  • Is your alert querying a value in an array? IBM Cloud Logs does not support querying values in arrays. Use the extract parsing rule to extract the required array information to fields before querying.

  • Does your alert query contain too many operators? Up to 48 operators (AND/OR) can be included in an alert query.

  • Are you using parentheses in your query to determine operator precedence? Are your parentheses correctly coded?

For more information, see Configuring alerts in IBM Cloud Logs.
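The following pre-flight check is an added example, not IBM code. It applies the limits from the checklist above (48 AND/OR operators, balanced parentheses, 256-character fields, no arrays) to an alert query string and a sample log record. The query syntax (uppercase operators, double-quoted phrases) and the names `lint_query` and `lint_log` are assumptions made for illustration.

```python
import re

MAX_OPERATORS = 48    # limit stated on this page (AND/OR per alert query)
MAX_FIELD_LEN = 256   # limit stated on this page (field length in characters)

def _mask_quoted(query):
    # Blank out quoted phrases (same length) so their contents are not parsed.
    return re.sub(r'"(?:\\.|[^"\\])*"',
                  lambda m: '"' + " " * (len(m.group()) - 2) + '"', query)

def lint_query(query):
    """Check operator count and parenthesis balance of an alert query string."""
    masked, problems, depth = _mask_quoted(query), [], 0
    ops = len(re.findall(r"\b(?:AND|OR)\b", masked))  # assumes uppercase operators
    if ops > MAX_OPERATORS:
        problems.append(f"{ops} AND/OR operators (limit {MAX_OPERATORS})")
    for pos, ch in enumerate(masked):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unmatched ')' at offset {pos}")
                depth = 0
    if depth:
        problems.append(f"{depth} unclosed '('")
    return problems

def lint_log(record, path=""):
    """Flag fields of a sample log that are arrays or exceed the length limit."""
    problems = []
    for key, value in record.items():
        name = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            problems += lint_log(value, name)
        elif isinstance(value, list):
            problems.append(f"{name}: array, values cannot be queried directly")
        elif isinstance(value, str) and len(value) > MAX_FIELD_LEN:
            problems.append(f"{name}: {len(value)} chars (limit {MAX_FIELD_LEN})")
    return problems

# Constructed sample input, not taken from a real system.
SAMPLE_QUERY = '(msg:"login failed (" AND user:admin OR (src:10.0.0.5)'
SAMPLE_LOG = {"msg": "x" * 300, "tags": ["auth", "fail"], "kubernetes": {"pod": "api-1"}}

if __name__ == "__main__":
    for problem in lint_query(SAMPLE_QUERY) + lint_log(SAMPLE_LOG):
        print(problem)
```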

Is IBM Cloud Event Notifications correctly configured?

If IBM Cloud Logs and IBM Cloud Event Notifications are not correctly configured, your alert will not trigger your intended notification. See Configuring the integration with the Event Notifications service for information about configuring the integration between IBM Cloud Logs and IBM Cloud Event Notifications.