Working with alerts

You can configure alerts to notify you about the state of your infrastructure, applications, and IBM Cloud services.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.

A rule specifies the scope of the data that you want to monitor and the conditions under which you are notified. For each alert rule, consider the following information:

  • You can define 1 or more notification channels.
  • You can configure different alert types for each notification channel that you configure for an alert.
  • You can configure different triggering conditions for each notification channel that you configure for an alert.

A rule is also the basis of a view. You can see the data that is included by any rule by using it as a view. The two are interchangeable.

Types of alerts

You can configure any of the following types of alerts for each notification channel that you configure for an alert:

Presence alert

You can configure a presence alert to notify when the number of logs that show in a view is more than what you expect.

For example, you might have a view that shows logs that report payments that are rejected by your service. You can configure a presence alert that triggers an alert when 1 or more logs show in the view.

Absence alert

You can configure an absence alert to notify when the number of logs that show in a view is less than what you expect, or when no logs show at all.

An absence alert can trigger only while the view that it is attached to is active. A view is active when it has received logs within the last 24 hours.

For example, you might have a view that does not get any logs for 2 days. Therefore, this view is not active. You have an absence alert attached to this view that is configured to send a notification after 30 minutes. Because the view is not active, the absence alert is muted and you do not get notifications. To make the view active and get notifications for the absence condition, logs need to start flowing into the view.
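The muting rule above means a log source that has been silent for more than 24 hours produces no absence notification at all. The following added example (not IBM code) is a simplified model of that rule; the view names, timestamps, and the `min_lines` parameter are constructed for illustration.

```python
from datetime import datetime, timedelta

# From the page: a view is active when it received logs within the last 24 hours.
ACTIVE_WINDOW = timedelta(hours=24)


def absence_alert_state(log_times, now, quiet_period, min_lines=1):
    """Return 'muted', 'fire' or 'ok' for an absence alert on one view.

    log_times    -- timestamps of lines that matched the view
    quiet_period -- the alert's time frequency, for example 30 minutes
    min_lines    -- fewer matching lines than this in quiet_period counts as absence
    """
    seen = [t for t in log_times if t <= now]
    # Inactive view: nothing received in the last 24 hours, so the alert is muted.
    if not any(now - t <= ACTIVE_WINDOW for t in seen):
        return "muted"
    recent = sum(1 for t in seen if now - t <= quiet_period)
    return "fire" if recent < min_lines else "ok"


def muted_intervals(log_times, now):
    """Return (start, end) periods in which the view was inactive and the alert muted."""
    points = sorted(t for t in log_times if t <= now) + [now]
    return [(a + ACTIVE_WINDOW, b) for a, b in zip(points, points[1:])
            if b - a > ACTIVE_WINDOW]


# Constructed sample data: matching log lines per view (hypothetical view names).
NOW = datetime(2025, 1, 10, 12, 0)
VIEWS = {
    "payments-heartbeat": [NOW - timedelta(minutes=10)],
    "auth-audit": [NOW - timedelta(hours=3), NOW - timedelta(minutes=45)],
    "firewall-denies": [NOW - timedelta(days=2)],
}


def evaluate_all(views=VIEWS, now=NOW, quiet_period=timedelta(minutes=30)):
    """Evaluate a 30-minute absence alert on every sample view."""
    return {name: absence_alert_state(times, now, quiet_period)
            for name, times in views.items()}


if __name__ == "__main__":
    for name, state in evaluate_all().items():
        print(f"{name:20} {state}")
    print("muted:", muted_intervals(VIEWS["firewall-denies"], NOW))
```

A view that reports `muted` needs a separate check, because the absence alert attached to it stays silent until logs flow into the view again.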

Alert conditions

You can configure any of the following triggering conditions for each notification channel that you configure for an alert:

  • Time frequency: You set this condition to specify how often to trigger an alert. Valid values are: 30 seconds, 1 minute, 5 minutes, 15 minutes, 30 minutes, 1 hour, 6 hours, 12 hours, 24 hours.
  • Event lines counter: You set this condition to specify the number of event lines that match the view's filtering and search criteria. When the number of event lines is reached, an alert is triggered.

You can decide whether both conditions are checked or only one. If both conditions are set, an alert is triggered when either threshold is reached.

For example, you can configure an alert that is triggered after 30 seconds, or when 100 event lines that match the view's filtering and search criteria are collected.
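The effect of setting both conditions shows up when you compare a burst of matching lines with a slow trickle. This added example (not IBM code) is a simplified model of the either-threshold rule; it assumes a collection window opens at the first matching line after the previous notification, and the event streams are constructed.

```python
def notification_times(event_times_ms, time_frequency_ms, line_limit):
    """Return the times (ms) at which a presence alert sends a notification.

    A notification is sent when line_limit matching lines have been collected,
    or when time_frequency_ms has elapsed since the window opened, whichever
    comes first. The window handling is an assumption of this model.
    """
    fired = []
    window_start = None
    count = 0
    for t in sorted(event_times_ms):
        # The time threshold was reached before this line arrived.
        if window_start is not None and t >= window_start + time_frequency_ms:
            fired.append(window_start + time_frequency_ms)
            window_start, count = None, 0
        if window_start is None:
            window_start = t
        count += 1
        # The event lines counter was reached first.
        if count >= line_limit:
            fired.append(t)
            window_start, count = None, 0
    # Lines still waiting in an open window go out when the time threshold expires.
    if window_start is not None:
        fired.append(window_start + time_frequency_ms)
    return fired


# Constructed streams: a burst of 250 lines, 100 ms apart, and a slow trickle.
BURST = [i * 100 for i in range(250)]
TRICKLE = [0, 20_000, 40_000, 100_000]

if __name__ == "__main__":
    # 30 seconds or 100 event lines, as in the example on the page.
    print("burst:  ", notification_times(BURST, 30_000, 100))
    print("trickle:", notification_times(TRICKLE, 30_000, 100))
```

In this model the burst reaches the line counter twice before the time threshold matters, while every trickle notification is driven by the 30-second threshold.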

Notification channels

You can define 1 or more notification channels for an alert.

The following table lists the notification channels that you can configure when an alert is triggered:

Notification channels

| Channel | Configuration details |
|---|---|
| Email | You can configure one or more email addresses. For more information, see Integrating with email. |
| SMS | You can send an SMS to notify of an alert either through the PagerDuty channel or through the IBM Cloud Monitoring channel. For more information, see Integrating with SMS. |
| Slack | You can configure a Slack channel. |
| Webhook | You can configure a webhook URL. |
| PagerDuty | You can configure connection details to your PagerDuty system, and select a service. Use this channel when you require call times and escalation management processes. For more information, see Integrating with PagerDuty. |
| IBM Cloud Monitoring | You can configure a Monitoring instance. When you need alerts on log data alongside your system health metrics, configure a Monitoring notification channel. For more information, see Integrating with IBM Cloud Monitoring. |

Creating alerts

You can choose any of the following options to create an alert:

  • Create a preset and attach the preset to the view.
  • Create a specific alert on a view.

You can configure alerts graphically through the Log Analysis UI, or programmatically.

Deleting alerts

You can delete alerts graphically through the Log Analysis UI, or programmatically.

Managing presets (alert templates)

To reuse an alert configuration, a service administrator can configure an alert preset (alert template).

Muting alert notifications

By default, the feature that controls the ability of a user to mute notifications is enabled when you configure an alert on a custom view. The mutable feature applies to email notifications only.

When the mutable feature is enabled on an alert, a user can pause notifications for a period of time. A user can choose to mute an alert for a period of 1 hour, 6 hours, 12 hours, or 1 day.

For more information on how to mute an email alert, see Muting an alert.

For more information on how to unmute an email alert, see Unmuting a muted alert.