Log Change Detection Rules

Log change detection rules notify you when a condition changes, such as the number of HTTP 500 errors in your web access logs. They are based on calculations that you apply to one or more logs or log sets.

Change detection helps you stay on top of critical conditions, such as a broken component that must be addressed immediately or recurring errors that must be escalated. This type of alert reduces the time it takes to investigate and resolve errors.

On the Log Search page, you can create basic detection rules in two different ways:

  • Auto-populate a Log Change Detection Rule
  • Manually configure a Log Change Detection Rule

Auto-populate a Log Change Detection Rule

To auto-populate a log change detection rule:

  1. Go to the Log Search page.
  2. Select the log or log sets you want in the rule, or use a search query to look for a specific set of logs.
  3. In the top right corner, select the Detection Rules button and choose a basic detection rule type based on the selected logs. The “Create a Basic Detection Rule” panel appears, with applicable steps already pre-populated.
  4. In the “Name” field, name your rule. Optionally provide a description.
  5. If applicable, select the Next button to complete the Trigger section. Read more about Alert Settings.
  6. Click the Skip to alert notification link.
  7. In the “Alert Notification” section, define how you will receive notifications. Read more about Alert Settings.
  8. Define a notification throttle to control how many alerts you receive in a specific window of time.
  9. Click Create.

Manually configure a Log Change Detection Rule

To configure a log change detection rule:

  1. In InsightOps, select the Manage Alerts page, or select the Log Search page from the left menu.
  2. In the top right corner, select the Detection Rules button.
  3. Select Log Change Detection Rule.
  4. In the “Name” section, name your rule and optionally add a description.
  5. In the “Logs” section, select one or more logs or the log sets you want to use in the rule.
  6. In the “Trigger” section, choose a saved query or optionally create a new query using keywords, regex, or LEQL.
    • New queries require that you specify a calculation to use and a key to apply the calculation to. Any change in the calculated value of that key triggers an alert.
  7. Optionally customize the notification settings to define how large the change must be before an alert triggers.
  8. Optionally click the + OR button to add another pattern detection rule on the same logs.
  9. In the “Alert Notification” section, define how you will receive notifications. Read more about Alert Settings.
  10. Define a notification throttle to control how many alerts you receive in a specific window of time.
  11. Click Create.
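To make the Trigger section concrete, here is an added example (not InsightOps code) of what a change detection rule computes: a calculation (count of events whose key `status` equals 500) is applied per time window, an alert fires when that value changes by at least a configurable amount between windows, and a notification throttle suppresses repeat alerts inside a quiet period. The log lines, hosts and paths are constructed for illustration; the window size, minimum change and throttle length are assumed settings that stand in for the rule's own Trigger and Alert Notification options. The count step plays the role a LEQL query such as `where(status=500) calculate(count)` would in the product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log lines (hypothetical hosts and paths, not real traffic).
SAMPLE_LOGS = """\
2024-05-01T10:00:05Z host=web-1 method=GET path=/ status=200
2024-05-01T10:00:20Z host=web-1 method=GET path=/api/items status=200
2024-05-01T10:00:41Z host=web-2 method=POST path=/api/items status=500
2024-05-01T10:01:02Z host=web-1 method=GET path=/ status=200
2024-05-01T10:01:15Z host=web-2 method=GET path=/api/items status=500
2024-05-01T10:01:30Z host=web-1 method=GET path=/api/items status=500
2024-05-01T10:01:48Z host=web-2 method=POST path=/api/items status=500
2024-05-01T10:01:55Z host=web-1 method=GET path=/health status=500
2024-05-01T10:02:10Z host=web-1 method=GET path=/ status=200
2024-05-01T10:02:33Z host=web-2 method=GET path=/api/items status=500
2024-05-01T10:02:40Z host=web-1 method=GET path=/api/items status=500
2024-05-01T10:02:50Z host=web-1 method=GET path=/api/items status=500
2024-05-01T10:02:58Z host=web-2 method=GET path=/api/items status=500
2024-05-01T10:03:05Z host=web-1 method=GET path=/ status=200
""".splitlines()

EPOCH = datetime(1970, 1, 1)
# Timestamp at the start of the line, then the "status" key somewhere after it.
LINE_RE = re.compile(r"^(?P<ts>\S+) .*?\bstatus=(?P<status>\d{3})\b")


def parse_line(line):
    """Return (timestamp, status) for a well-formed line, or None for lines the regex rejects."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, int(m.group("status"))


def count_per_window(lines, key_value=500, window_seconds=60):
    """The calculation: count of events whose status key equals key_value, per fixed window.

    Every parsed line touches its window so windows with zero matches still appear;
    a drop to zero is itself a change worth seeing. Returns [(window_start, count), ...].
    """
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than abort the whole evaluation
        ts, status = parsed
        secs = int((ts - EPOCH).total_seconds())
        start = EPOCH + timedelta(seconds=secs - secs % window_seconds)
        counts[start] += 1 if status == key_value else 0
    return sorted(counts.items())


def detect_changes(series, min_delta=2):
    """The trigger: fire when the calculated value moves by at least min_delta versus the previous window.

    Returns [(window_start, previous_value, new_value), ...].
    """
    alerts = []
    prev = None
    for start, count in series:
        if prev is not None and abs(count - prev) >= min_delta:
            alerts.append((start, prev, count))
        prev = count
    return alerts


def throttle(alerts, throttle_minutes=5):
    """The notification throttle: send at most one alert per throttle_minutes, dropping the rest."""
    quiet = timedelta(minutes=throttle_minutes)
    sent = []
    last_sent = None
    for alert in alerts:
        start = alert[0]
        if last_sent is None or start - last_sent >= quiet:
            sent.append(alert)
            last_sent = start
    return sent


def evaluate_rule(lines, key_value=500, window_seconds=60, min_delta=2, throttle_minutes=5):
    """Run calculation, trigger and throttle together; returns the alerts that would be delivered."""
    series = count_per_window(lines, key_value, window_seconds)
    return throttle(detect_changes(series, min_delta), throttle_minutes)


if __name__ == "__main__":
    for start, prev, new in evaluate_rule(SAMPLE_LOGS):
        print(f"{start:%H:%M}: status=500 count changed {prev} -> {new}")
```

On the sample data the per-minute counts are 1, 4, 4, 0: the jump from 1 to 4 and the drop from 4 to 0 both satisfy a minimum change of 2, but a five-minute throttle delivers only the first, so shortening the throttle is the knob to turn if you need to hear about the recovery as well as the failure.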