Creating alerts through the UI
You can create alerts graphically through the UI.
As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.
Complete the following steps to create an alert:
Prereqs
You must grant permissions to users in your account to be able to launch the web UI and create alerts.
You must be an administrator of the IBM Log Analysis service, an administrator of the IBM Log Analysis instance, or have account IAM permissions to grant other users policies.
The following table lists the minimum policies that a user must have to be able to launch the IBM Log Analysis Web UI, and view logs:
Service | Role | Permission granted |
---|---|---|
IBM Log Analysis |
Platform role: Viewer | Allows the user to view the list of service instances in the Observability Logging dashboard. |
IBM Log Analysis |
Service role: Manager or Standard-member | Allows the user to launch the Web UI and create alerts. |
For more information on how to configure these policies for a user, see Granting permissions to a user to view logs.
Step 1. Define the rule
You must define the rule that specifies the scope of the data and save the rule as a view.
Complete the following steps to create a rule:
-
Filter log data by using pre-defined filters.
You can filter logs by log source, application, and log level.
-
A source can be a host, a computer, a virtual machine, or a Heroku app.
-
An application represents a log file, a program, or a container.
-
Examples of log levels are: INFO, DEBUG, ERROR
Complete the following steps to filter logs:
-
Click the Views icon .
-
Select EVERYTHING or a view.
-
Expand Tags to see the list of tags that are identified in the logs. Then, choose the ones that you want.
-
Expand Sources to see the list of log sources that are identified in the logs. Then, choose the ones that you want.
-
Expand Apps to see the list of apps that are identified in the logs. Then, choose the ones that you want.
-
Expand Levels to see the list of log levels that are identified in the logs. Then, choose the ones that you want.
In each section, you can group multiple options into a group. Group tags, log sources, apps, and log levels to reuse these groupings when you filter log data in other custom views. To create a group, select multiple values. Then, click Save as group. Enter a name for the group, and save it.
-
-
Filter log data by adding a search query.
When you search log data, the search applies any log filters and time queries configured in that view.
You can do simple searches (single term string search), compound search (multiple search terms and operators), field searches if the log line can be parsed, and others. For more information, see How to Search Logs.
AND and OR operators are case-sensitive and must be capitalized.
-
Create a view.
-
Click the Views icon .
-
Select EVERYTHING or a view.
-
Filter log data then click Save as new view. The Create new view page opens.
-
Enter a name for the view in the Name field.
-
Optionally, add a category. Enter a name and then click Add this as new view category.
-
Click Save View
-
Step 2. Create the alert
Next, you must attach an alert to the view.
You can choose any of the following options:
- Create a preset and attach the preset to the view
- Create a specific alert on the view.
You can attach multiple notification channels to a view. You can define different triggering conditions to each notification channel.
Create an alert by using a preset
Complete the following steps to attach a preset to a view:
-
Click the Views icon . Select the view name. Then, select Attach an alert.
-
In the section Choose preset, select a preset.
-
Click Save alert.
Create an alert on a view
Complete the following steps to attach an alert to a view:
-
In the web UI, click the Views icon .
-
Click the view name. Then, select Attach an alert.
-
Select View-specific alert.
-
Select the type of alert (Slack, Email, Webhook, or PagerDuty). If you selected the wrong alert type and you want to change it, click Delete Alert Channel.
-
Configure when you want the alert to be sent.
Select if you want the alert to be sent when the condition exists (Presence) or does not exist (Absence).
Indicate the logging criteria when an alert should be sent. For example, when 100 lines matching in the view are logged in an hour. A graph will help you determine the number of log lines matching your specified criteria.
Select if the alert should be sent at the end of the selected period or immediately when the number of lines are logged.
Optionally you can specify a Custom schedule with alerting limited to a specified timezone, days of the week, or timeframe. To configure a Custom schedule:
-
Select on for Custom schedule.
-
Select the Timezone for the log entries.
-
Select the days of the week when alerts should be generated.
-
Optionally specify a time range for the selected days. A graph will help you determine the number of log entries for the timezone and time range.
-
-
Depending on the type of alert you will also need to configure additional settings:
Slack: Specify your Webhook URL and the desired Message color.
Email: Specify the Recipients of the email and a Timezone. The timezone defines the timestamp value of each event that is included in the email. To see UTC timestamps, you can select (GMT +00:00) UTC.
PagerDuty: Specify the Service. If required, you will be prompted to connect to PagerDuty.
Webhook: Specify the Method & URL, and the Headers and Body of the
JSON
used to interact with your webhook. You can use Validate JSON to make sure yourJSON
is correct before creating the alert. -
You can click Test to test that your alert configuration is correct.
-
Click Save Alert.
-
If you want to create an additional alert channel, click + and follow the prior steps to create additional channels. You can create different channel types, for example, an email and a Slack channel. Or, you can create multiple channels of the same type with different alert criteria.
Alerts will be generated based on your configuration.