Smart Alerts for logs
With Smart Alerts for logs, you can automatically receive alerts when specific log messages occur more often than usual, or when a known problem visible in the logs is regressing.
Instana suggests the thresholds and remaining configurations for you. When you add multiple alerting channels to the configuration, Instana automatically creates a customized alert for you.
Adding an alert
To add an alert, complete the following steps:
- From the navigation menu in the Instana UI, select Logs.
- Select the Smart Alerts tab.
- Click Create Smart Alert.
Clicking Create Smart Alert opens the alert configuration dialog where you can configure Smart Alerts.
The alert configuration process includes the following steps:
- Define the scope
- Define the threshold for violations
- Define the time threshold for when to be alerted
- Select the alert channels that are to be notified
- Define the alert properties
- Add custom payloads to be included in alerts
Defining the scope
In the Scope section, the Log count metric is selected by default. You can narrow down the scope by adding filters based on log content or the underlying infrastructure. The filters also support the RegEx operator, enabling you to define regular expression-based conditions for more flexible pattern matching.
The metric results can be grouped with the available grouping tags. Currently, multiple grouping tags are not supported in log Smart Alerts.
Defining the threshold
Currently, Log Smart Alert supports only the Static threshold option. Static thresholds remain fixed and are defined when you create or modify the Smart Alert. A static threshold can become less relevant if the underlying metric changes significantly. You can select a threshold operator to define how the threshold condition is evaluated.
To define threshold values, you must first select a severity level by selecting the corresponding checkbox Warning, Critical, or both. After you select one or more severity levels, enter the threshold value for each. This configuration enables the definition of multiple severity levels within a single alert, each with its own threshold condition.
After the scope and threshold are defined, a chart is plotted based on historical data for the selected metrics. Up to seven days of historical data is available for visualization. You can toggle the chart view between the last 24 hours and seven days to better understand historical variations in metric values over time.
The following image shows a chart that illustrates potential alert triggers based on the current threshold configuration and available historical data:
If you select any grouping options, the grouping results might appear as a table just after the chart. To analyze the metric data trends in the chart against each grouping, select the respective rows in the table as displayed in the following image:
Defining the time threshold
In the Time Threshold section, you can add more conditions that control when the alert is triggered after the defined threshold for the selected metric is violated.
The following conditions are often used in practice:
- Persistence over time: Select a time window and the number of consecutive violations as shown in the following image. You receive an alert when the metric violates a defined threshold over the defined time window.
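The scope filter, static thresholds, and persistence condition described in the preceding sections can be checked offline against sample data before you rely on an alert. The following Python model is an added example, not Instana code: the regular expression, threshold values, one-minute buckets, the `>=` operator, and the rule that an alert opens when the violation streak reaches the configured count are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample input: (minute, log message). Not real Instana data.
FAILED_PER_MINUTE = [1, 6, 2, 6, 7, 3, 12, 13]
SAMPLE_LOGS = [
    (minute, f"sshd: Failed password for user{i} from 192.0.2.{i + 1}")
    for minute, n in enumerate(FAILED_PER_MINUTE) for i in range(n)
] + [(minute, "sshd: Accepted publickey for deploy") for minute in range(8)]

# Hypothetical alert settings that mirror the sections of the dialog.
SCOPE_REGEX = re.compile(r"Failed password for \S+")  # scope filter (RegEx operator)
THRESHOLDS = {"warning": 5, "critical": 10}           # static thresholds, operator >=
CONSECUTIVE = 2                                       # persistence over time


def log_count(logs, pattern):
    """Log count metric per minute for messages that match the scope filter."""
    counts = Counter(minute for minute, msg in logs if pattern.search(msg))
    return [counts.get(m, 0) for m in range(max(counts, default=-1) + 1)]


def evaluate(counts, thresholds, consecutive):
    """Return (minute, severity) for each point where an alert would open."""
    streak = {sev: 0 for sev in thresholds}
    alerts = []
    for minute, value in enumerate(counts):
        opened = []
        for sev, limit in thresholds.items():
            # A bucket below the threshold resets the streak for that severity.
            streak[sev] = streak[sev] + 1 if value >= limit else 0
            if streak[sev] == consecutive:
                opened.append(sev)
        if opened:
            # Report only the highest severity that just became persistent.
            alerts.append((minute, max(opened, key=thresholds.get)))
    return alerts


if __name__ == "__main__":
    counts = log_count(SAMPLE_LOGS, SCOPE_REGEX)
    print(counts)
    print(evaluate(counts, THRESHOLDS, CONSECUTIVE))
```

The single spike in minute 1 and the first critical value in minute 6 do not open an alert; only the second consecutive violation does, which is the trade-off between noise suppression and detection delay that the persistence setting controls.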
Adding alert channels
You can configure different alert channels for both the warning and critical severity levels in Smart Alerts for Logs. To add alert channels, complete the following steps:
- Click Select Alert Channel.
- From the list of preconfigured channels, select the channels through which you want to receive the alerts.
If a threshold value is set for warning and critical severities, you can set the alert channels for each severity. If a threshold value is set for both severities, all the alert channels are selected for the warning severity by default.
The following image shows alert channels with both severities configured:
If a threshold value is set only for one severity, the severity is displayed for every alert channel as the Alert Level.
The following image shows alert channels with one severity configured:
For more information about creating channels, see Alert channels.
Selecting alert properties
Adding more alert properties is optional, but it provides more configurations to better suit your requirements. You can edit the default alert title and description, use placeholders to create dynamic titles and descriptions, and select whether the alert triggers an incident. For more information, see Alerting.
Adding custom payloads
You can customize alert notifications by adding the following custom payloads:
- Global custom payloads: These payloads are relevant in all alert notifications that are sent by Instana.
- Alert-specific custom payloads: These payloads are relevant in alert notifications for a specific alert configuration that is sent by Instana.
An alert notification can include both global and alert-specific custom payloads (if applicable), but the alert-specific configuration is prioritized over the global configuration. As a result, if you use the same key, the value of the global custom payload field is overridden by the alert-specific one.
To add global custom payloads, see Configure custom payload globally.
The following image shows globally defined custom payloads that are used in the alert configuration:
To add alert-specific custom payloads, complete the following steps:
- Click Add Row in the Custom Payloads section.
- Enter a key to identify the custom payload entry.
- Select the value type of the custom payload: Static or Dynamic
- Define the value of the payload entry:
  - For Static payload, enter the value.
  - For Dynamic payload, click Select tag and choose a dynamic tag. You can use the suggestions to select the correct key for the selected dynamic tag or add it manually.
The following image shows how to select a dynamic tag:
Figure 9. Dynamic custom payload
The following image shows suggestions to select the correct key for the selected dynamic tag:
Figure 10. Dynamic custom payload suggestions