Log Pattern Detection Rules

In order for an alert to trigger, a log must match the exact pattern you enter as a search term.

Alerting on patterns is useful for monitoring server errors, critical exceptions, and general performance, and lets you alert only on the events that matter to you.

On the Log Search page, you can create basic detection rules in two different ways:

  • Auto-populate a Log Pattern Detection Rule
  • Manually configure a Log Pattern Detection Rule

Auto-populate a Log Pattern Detection Rule

To auto-populate a log pattern detection rule:

  1. Go to the “Log Search” page.
  2. Select the log or log sets you want in the rule or use a search query to look for a specific set of logs.
  3. In the top right corner, click the Detection Rules button and choose a basic detection rule type based on the selected logs. The “Create a Basic Detection Rule” panel appears, with applicable steps already pre-populated.
  4. In the “Name” section, name your rule and optionally add a description.
  5. Select the Next button to complete the Trigger section.
  6. Click the Skip to alert notification link.
  7. In the “Alert Notification” section, choose whether you want to apply labels to the pattern, or receive alerts from email or other integrations. If you choose the latter, you can define the log information you'd like included. See Alert Settings for more information.
  8. Choose the notification trigger setting you want. You will not receive alerts other than those generated for this specific rule.
  9. Define notification throttles to control how many alerts you receive in a specific window of time.
  10. Click Create.

Manually configure a Log Pattern Detection Rule

To configure a log pattern detection rule:

  1. In InsightOps, select the Manage Alerts page, or select the Log Search page from the left menu.
  2. In the top right corner, select the Detection Rules button.
  3. Select Log Pattern Detection Rule.
  4. In the “Name” section, name your rule.
  5. In the “Logs” section, select one or more logs or the log sets you want to use in the rule.
  6. In the “Trigger” section, choose a saved query or create a new query using keywords or regex.
  7. Optionally click the + OR button to add up to five patterns on the same logs.
  8. In the “Alert Notification” section, choose whether you want to apply labels to the pattern, receive alerts from email or other integrations, or both. If you are receiving alerts from email or other integrations, you can define the log information you'd like included. See Alert Settings for more information.
  9. Choose which notification trigger setting you want. You will not receive alerts other than those generated for this specific rule.
  10. Define a notification throttle to control how many alerts you receive in a specific window of time.
  11. Click Create.

Troubleshooting

If you're not receiving an email alert when you expect to, first make sure your pattern is correct. A simple way to check whether your pattern will trigger an alert is to run it as a search against your logs. If the search returns events, the rule will trigger the next time an event matching this pattern arrives.

You should also make sure that:

  • Your patterns do not contain the where() clause.
  • Logical operators like AND and OR are uppercase in the pattern field.
  • You've checked your spam folder and confirmed that InsightOps is not being filtered by your mail server.
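As an added example (it is not InsightOps code and not part of the original page), the following Python script performs the dry run described above offline: it applies the two checklist items to a pattern, then runs the pattern over a few constructed log lines to show which events would trigger the rule. The matcher is a deliberate simplification and an assumption: slash-delimited terms are treated as regexes, other terms as case-insensitive keywords, only uppercase AND/OR are honoured, and AND is taken to bind tighter than OR. The InsightOps search engine's own syntax and precedence may differ, so the authoritative check is still to run the pattern on the Log Search page.

```python
import re
from typing import List

# Constructed sample log lines for the dry run; they are not real InsightOps data.
SAMPLE_LOGS = [
    "2024-05-01 10:00:01 web-01 ERROR OutOfMemoryError in worker pool",
    "2024-05-01 10:00:02 web-01 INFO request served in 12ms",
    "2024-05-01 10:00:03 db-02 CRITICAL connection refused to replica",
    "2024-05-01 10:00:04 web-02 WARN slow request served in 4800ms",
]


def lint_pattern(pattern: str) -> List[str]:
    """Apply the Troubleshooting checklist and return one message per problem found."""
    problems = []
    # A where() clause is not allowed in the pattern field.
    if re.search(r"\bwhere\s*\(", pattern, re.IGNORECASE):
        problems.append("pattern contains a where() clause; use plain search terms instead")
    # Logical operators must be uppercase; a lowercase 'and'/'or' is just another keyword.
    for op in re.findall(r"\b(and|or)\b", pattern, re.IGNORECASE):
        if op != op.upper():
            problems.append(f"operator '{op}' is lowercase; write it as {op.upper()}")
    return problems


def _term_matches(term: str, line: str) -> bool:
    """Assumed term syntax: /.../ is a regex, anything else is a case-insensitive keyword."""
    if len(term) > 2 and term.startswith("/") and term.endswith("/"):
        return re.search(term[1:-1], line) is not None
    return term.lower() in line.lower()


def pattern_matches(pattern: str, line: str) -> bool:
    """Evaluate a keyword/regex pattern against one event.

    Assumed precedence: AND binds tighter than OR, so 'a AND b OR c' means
    '(a AND b) OR c'. Only uppercase operators are honoured, which is why
    lint_pattern flags lowercase ones.
    """
    for clause in re.split(r"\s+OR\s+", pattern):
        terms = re.split(r"\s+AND\s+", clause)
        if all(_term_matches(t, line) for t in terms):
            return True
    return False


def dry_run(pattern: str, logs: List[str]) -> List[str]:
    """Run the pattern as a search over the logs and return the events it would match.

    Raises ValueError if the pattern fails the checklist, so a rule that could
    never fire is caught before it is created.
    """
    problems = lint_pattern(pattern)
    if problems:
        raise ValueError("; ".join(problems))
    return [line for line in logs if pattern_matches(pattern, line)]


if __name__ == "__main__":
    for pattern in ["ERROR OR CRITICAL", r"served AND /in \d{4,}ms/", "error or critical"]:
        try:
            hits = dry_run(pattern, SAMPLE_LOGS)
            print(f"{pattern!r}: {len(hits)} event(s) would trigger the rule")
            for hit in hits:
                print("   ", hit)
        except ValueError as err:
            print(f"{pattern!r}: rejected ({err})")
```

Running the script shows the failure mode the checklist warns about: "error or critical" is rejected outright, because with a lowercase operator the whole string is treated as a single keyword that no event contains, whereas "ERROR OR CRITICAL" matches two of the sample events.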