
Adding Alerts

The last thing that anyone wants is to find out about a critical operational issue on Twitter or from an angry email from the boss. That’s why alerting is an important part of Loggly.

With Loggly, you can specify the exact conditions under which the alert fires, with all the capabilities of our search function at your disposal. For example, you might want to be alerted if a specific error occurs. Or, you might want to be alerted if a variable exceeds some threshold. For example, database response times that exceed 100 ms may indicate trouble. We’ll notify you right away via email or through another alerting endpoint like PagerDuty.


Configuring Alerts

There are three ways to set up alerts in Loggly:

  1. By clicking on the “bell” icon at the top right side of the Search screen.
  2. From the Saved Search creation dialog box.
  3. By selecting Add New on the Alerts page.

Regardless of how you initiate setting up your alert, you’ll be prompted to fill in the following information:

Name
Choose a name for your alert. The name will be returned with any alert that’s triggered.

Description
Add a short description so that you remember why you set it up.

Search
You can choose a Saved Search to use, or save the alert criteria as a new Saved Search. If you initiated your alert setup from the Saved Search creation dialog, that Saved Search will be displayed. If you initiated your alert setup using the alert bell icon, you’ll see an option to save it as a Saved Search. Any time range that was part of your saved search is ignored; only the search terms of a saved search are used for alerting.


Alert if
Here you’ll set the criteria used to trigger an alert. Set the threshold number of results that trigger an alert within a given timeframe. For example, you can set an alert to trigger when the search results show more than 10 results over any 5 minute time span (based on timestamp).

Using standard deviation in alerts

You can specify the alert threshold in relative terms using standard deviation. This statistical operator is a measure that quantifies the amount of variation in a set of data values. While a low standard deviation indicates that most of the values in the data set are close to the average, a high standard deviation indicates that they are distributed over a wide range of values.

Here’s an example of setting up an alert with this new capability:

Alert when the count of 404 errors in the last 15 minutes is above two standard deviations from the average for the last six hours. 404 errors are a way of life, so setting an absolute threshold often doesn’t make sense. But you would certainly want to investigate a sudden 404 spike. In this case, you can specify whether you would like to be alerted on one, two, or three standard deviations from the mean.

In order to set the statistical alert, click on the “use standard deviation instead” link as shown below:


Then select the exceeds by value. The available values are 1, 2 and 3. Mathematically speaking, for normally distributed data roughly 68%, 95% and 99% of values fall within 1, 2 and 3 standard deviations of the mean, respectively, so the alert fires when the current count lies outside that band. For most cases, 2 standard deviations is a reasonable threshold.


Select the time ranges over which the mean and standard deviation are computed: a current time range (the window being tested) and a historical time range (the baseline). The current time range cannot be greater than the historical time range.
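As an added illustration (not Loggly's code; how Loggly buckets the historical range is an assumption here), the following Python evaluates the 404 example above: it counts matching events in the current window, splits the historical range into buckets of the same size, and alerts when the current count exceeds the historical mean by more than the chosen number of standard deviations. The bucket counts are constructed sample data.

```python
from statistics import mean, pstdev

def bucket_counts(events, window_min, historical_min, now_min, match):
    """Count matching events in the current window (the last `window_min`
    minutes before `now_min`) and in each equally sized bucket of the
    `historical_min` minutes preceding it.  Bucketing the history at the
    size of the current window is an assumption, not documented behaviour.
    Returns (historical_counts, current_count)."""
    if window_min > historical_min:
        raise ValueError("current time range cannot exceed historical time range")
    hist = [0] * (historical_min // window_min)
    current = 0
    for ts, record in events:
        if not match(record):
            continue                      # only the saved-search terms matter
        age = now_min - ts                # minutes before "now"
        if age < 0 or age >= window_min + len(hist) * window_min:
            continue                      # outside both ranges
        if age < window_min:
            current += 1
        else:
            hist[(age - window_min) // window_min] += 1
    return hist, current

def stddev_alert(hist, current, exceeds_by):
    """True when `current` is more than `exceeds_by` standard deviations
    above the mean of the historical buckets (1, 2 or 3, as in the UI)."""
    if exceeds_by not in (1, 2, 3):
        raise ValueError("exceeds by must be 1, 2 or 3")
    mu, sigma = mean(hist), pstdev(hist)
    return current > mu + exceeds_by * sigma

# Constructed sample: 404 counts per 15-minute bucket over the previous six
# hours (24 buckets), a steady baseline of 3 to 6 per bucket.
BASELINE_404 = [3, 5, 4, 6, 4, 5, 3, 4, 5, 6, 4, 5,
                4, 3, 5, 4, 6, 5, 4, 5, 3, 4, 5, 6]   # mean 4.5, stddev ~0.96

if __name__ == "__main__":
    # With "exceeds by 2" the threshold is about 6.4 per 15 minutes.
    for current in (6, 7, 20):
        print(current, stddev_alert(BASELINE_404, current, 2))  # False, True, True
```

A count of 7 in the current window already trips the 2-sigma threshold on this baseline but not the 3-sigma one, which is why a spike well above the noise is the intended trigger.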


Then
In this section you set how you’d like to receive alert notifications. Choose to send an email or call a third-party endpoint. Please see Alert Endpoints for a discussion of setting up your own endpoints. Only registered users can receive email notifications.


Add Multiple Endpoints
You can set multiple endpoints to receive the notification from an alert. For example, you can set an alert to notify both your HipChat room and your Slack room without creating another alert.

Include up to 10 recent events
To receive up to 10 recent events as part of the alert, enable this option, as shown below.

Check for this condition every
Set how often we run your saved search and check whether the results match your alert criteria. Note that if you choose to check the condition every minute and the condition persists for 30 minutes, 30 notifications will be sent.


Delay alerts during indexing delays. This may reduce false positives

This helps you avoid false positives: if your account is experiencing an indexing delay, expected events may be absent from the index, and without this setting an alert that watches for those events could trigger. With this setting enabled, no alert is sent until the indexing delay has recovered and indexing is back to normal.

Enable this alert

If you don’t want the alert to be enabled at this time, uncheck the box. The alert will be saved but remain inactive until you enable it from the Alerts page.
