Pattern Detection Alerts

In order for an alert to trigger, a log must match the exact pattern you enter as a search term.

Alerting on patterns is useful for monitoring server errors, critical exceptions, and general performance, and lets you monitor only the events that are important to you.

On the Log Search page, you can create Pattern Detection alerts in two different ways:

  • auto-populate an alert
  • manually configure an alert

Auto-Populate an Alert

To auto-populate an alert:

  1. Go to the “Log Search” page.
  2. Select the log or log sets you want in the alert or use a search query to look for a specific set of logs.
  3. In the top right corner, click the Add Alert button and choose an alert type based on the selected logs. The “Create Alert” panel appears with applicable steps already pre-populated.
  4. In the “Name” section, name your alert and optionally add a description.
  5. Select the Next button to complete the Trigger section.
  6. Click the Skip to Alert link.
  7. In the “Alert Notification” section, choose whether you want to apply labels to the pattern or receive alerts by email or through other integrations. See Alert Settings for more information.
  8. Choose the notification trigger setting you want. You will not receive alerts outside of this specific alert.
  9. Define notification throttles to control how many alerts you receive in a specific window of time.
  10. Click Create Alert.

Manually Create an Alert

To configure a pattern detection alert:

  1. In InsightOps, select the Manage Alerts page, or select the Log Search page from the left menu.
  2. In the top right corner, select the Add Alert button. An empty alert page will appear.
  3. Select Pattern Detection Alert.
  4. In the “Name” section, name your alert.
  5. In the “Logs” section, select one or more logs or the log sets you want to use in the alert.
  6. In the “Trigger” section, choose a saved query or create a new query using keywords or regex.
  7. Optionally click the + OR button to add up to five patterns on the same logs.
  8. In the “Alert Notification” section, choose whether you want to apply labels to the pattern, receive alerts by email or through other integrations, or both. See Alert Settings for more information.
  9. Choose which notification trigger setting you want. You will not receive alerts outside of this specific alert.
  10. Define a notification throttle to control how many alerts you receive in a specific window of time.
  11. Click Create Alert.

Troubleshooting

If you're not receiving an email alert when you expect to, make sure your pattern is correct. A simple way to check if your pattern will trigger an alert is to run the pattern as a search against your logs. If events are returned, then an alert will trigger if this pattern is detected again.

You should also make sure that:

  • Your patterns do not contain the where() clause.
  • Logical operators like AND and OR are uppercase in the pattern field.
  • You've checked your spam folder and confirmed that InsightOps is not being filtered by your mail server.
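
The first two checks in the list above can be run over pattern strings before they are pasted into the “Trigger” section. The following is an added example, not InsightOps code: the function names and sample patterns are constructed here, and it assumes that text inside quotes or between /regex slashes/ is literal search content rather than an operator.

```python
import re

# Assumption (not stated on this page): anything inside "double quotes",
# 'single quotes' or /regex slashes/ is literal search text, so an "and"/"or"
# found there is not a logical operator.
_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|/(?:\\.|[^/\\])+/')
_WHERE = re.compile(r'\bwhere\s*\(', re.IGNORECASE)
_OPERATOR = re.compile(r'\b(and|or)\b', re.IGNORECASE)


def lint_pattern(pattern):
    """Return a list of problems that would stop this pattern from alerting."""
    if not pattern.strip():
        return ["pattern is empty"]
    problems = []
    # Blank out literals but keep their length so reported columns stay correct.
    bare = _LITERAL.sub(lambda m: " " * len(m.group()), pattern)
    if _WHERE.search(bare):
        problems.append("contains a where() clause")
    for m in _OPERATOR.finditer(bare):
        word = m.group(1)
        if word != word.upper():
            problems.append(
                f"operator '{word}' at column {m.start() + 1} should be '{word.upper()}'"
            )
    return problems


def lint_alert(patterns):
    """Lint every pattern of one alert; returns {pattern index: [problems]}."""
    report = {}
    for index, pattern in enumerate(patterns):
        problems = lint_pattern(pattern)
        if problems:
            report[index] = problems
    return report


# Constructed sample patterns, for illustration only.
SAMPLES = [
    'status=500 AND "Internal Server Error"',  # valid
    'where(status=500)',                       # where() clause
    'timeout or refused',                      # lowercase operator
    '"connection reset and retry"',            # "and" is inside a quoted literal
    '/error|critical/ And exception',          # mixed-case operator after a regex
]

if __name__ == "__main__":
    for index, problems in lint_alert(SAMPLES).items():
        print(f"{SAMPLES[index]!r}: {'; '.join(problems)}")
```

A pattern that passes these checks should still be run as a search against your logs, as described above, to confirm that it returns events.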