
As an avid user of the ELK platform — especially when it comes to log analytics and DevOps or IT operations — I knew that one big missing piece has been the ability to send notifications when something relevant happens.

I also got the same feedback from our customers, so we have decided to implement an alerting mechanism that sits on top of the ELK Stack, is fully integrated throughout all of the different components, and is production-ready. Alerting, after all, is a game changer. The use of ELK today is mainly for forensics and the creation of dashboards to visualize trends manually. Receiving alerts about changes completes the picture because it looks at the trends and then lets users know when a problem occurs or when the business is not performing as expected.

If you refer to our complete guide to the ELK Stack, you will realize that we spend a lot of effort making ELK usable and scalable — and that the addition of alerts completes the picture for us and for our customers. It was important to us that we have a seamless integration with a user interface as part of the Kibana UI to provide an end-to-end solution.

Here is how to use the new Alerts system:

Creating a New Alert

To create a new alert, run the search that you want in the Discovery tab and click on the bell icon that is to the right of the search bar:


A pop-up window will open with the following options:


Query – A read-only field showing the query that will trigger the alert, so that you can verify it before saving.

Name – The name of the alert – this name will be sent in the subject line of the email alert.

Description – A short description of the alert that will be sent in the body of the email and can be used to elaborate on the specific alert, what caused it, and what is the best way to remedy the situation.

Time Range – This sets how often the check runs and how far back it looks. If you select “check every hour,” the query will be run every hour and will check whether the condition applies to events from the past hour.

Trigger if number of results are – This is the alert trigger and can be set to either “equal to,” “not equal to,” “greater than,” “greater than or equal to,” “less than,” or “less than or equal to.” For example, if you select “one hour” in the Check Every field; “greater than” in this field; and select “two” in the adjacent field, the alert will run the query every hour and will trigger if more than “two” documents that satisfy the query string are found in the last hour.

Severity – Select between Low, Medium, and High – this will be included in the email’s subject line.

Send email to – A comma-separated list of email addresses.

Suppress triggering for – This quiets the email alert for the selected period after it has fired, so that a condition that persists does not produce a flood of identical emails.
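To make the interaction of these fields concrete, here is an added Python model of how an alert definition is evaluated (this is illustration code written for this post, not Logz.io’s implementation). It assumes a toy query matcher that understands bare words, `field:value` terms and `_exists_:field`, and uses constructed sample documents; the alert itself is the one described above: check every hour, trigger if more than two results.

```python
import operator
from datetime import datetime, timedelta

# The six comparisons offered by the "Trigger if number of results are" field.
OPERATORS = {"equal to": operator.eq, "not equal to": operator.ne,
             "greater than": operator.gt, "greater than or equal to": operator.ge,
             "less than": operator.lt, "less than or equal to": operator.le}

# Constructed sample documents, not real log data. The last one mimics a logged
# trigger event, which is why the "_exists_:alert" search finds it.
DOCS = [
    {"@timestamp": "2015-08-10T08:30:00", "message": "login failed for user eve"},
    {"@timestamp": "2015-08-10T09:05:00", "message": "login failed for user bob"},
    {"@timestamp": "2015-08-10T09:20:00", "message": "login failed for user alice"},
    {"@timestamp": "2015-08-10T09:45:00", "message": "login failed for user bob"},
    {"@timestamp": "2015-08-10T09:50:00", "message": "login succeeded for user carol"},
    {"@timestamp": "2015-08-10T09:55:00", "message": "alert fired", "alert": "Failed logins"},
]

def matches(doc, query):
    """Toy stand-in for the Discovery search bar (an assumption, not the real
    parser): 'field:value', '_exists_:field', or bare words that must appear in 'message'."""
    for term in query.split():
        field, _, value = term.partition(":")
        if not value:
            if field.lower() not in doc.get("message", "").lower():
                return False
        elif field == "_exists_":
            if value not in doc:
                return False
        elif str(doc.get(field)) != value:
            return False
    return True

def evaluate_alert(docs, alert, now, last_triggered=None):
    """Count matching documents in the last 'check_every' window ending at `now`,
    apply the chosen operator against the threshold, and hold the notification
    while the 'Suppress triggering for' window is still open. Returns (notify, count)."""
    window_start = now - alert["check_every"]
    count = sum(1 for d in docs
                if window_start < datetime.fromisoformat(d["@timestamp"]) <= now
                and matches(d, alert["query"]))
    condition_met = OPERATORS[alert["operator"]](count, alert["threshold"])
    suppressed = (last_triggered is not None
                  and now - last_triggered < alert["suppress_for"])
    return condition_met and not suppressed, count

# The example from this post: check every hour, trigger if more than two results.
FAILED_LOGIN_ALERT = {"query": "login failed", "check_every": timedelta(hours=1),
                      "operator": "greater than", "threshold": 2,
                      "suppress_for": timedelta(hours=2)}
NOW = datetime(2015, 8, 10, 10, 0, 0)
```

At `NOW` three failed logins fall inside the one-hour window, so the alert fires; the 08:30 document is outside the window and is not counted, and a trigger 30 minutes earlier would suppress the email.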

Managing Alerts

There is also a new Alert section in the top-level menu to the right of the icon for the device-configuration page:


Clicking on that icon will take you to the alert-management page, where a click on a given alert will allow you to edit it. Clicking on the trash can icon on the right side of the Alert Definition will delete the alert.


Viewing All Triggered Alerts

There are two ways to view triggered alerts.

The first is under the same section. If you click on “Triggered” on the left-hand side of the menu, you will see a list of all the events that have been triggered:


The second way is to search for the Alerts in the log by entering _exists_:alert in the search field on the Discovery tab.


How Do Our Customers Use Alerts?

Alerts are used in all sorts of ways: notifying about inactivity, alerting on unauthorized access, or flagging when a certain threshold has been breached.

Coming up next is the ability to send web hooks from alerts as well as integrate Logz.io with services such as PagerDuty. We are also working on the ability to set alerts based on aggregations and statistical computation so you can, for example, set an alert if a specific host’s CPU usage has averaged 60% or more for more than ten minutes. We’ll let you know as soon as we add these new features!

Logz.io is a predictive, cloud-based log management platform that is built on top of the open-source ELK Stack and can be used for log analysis, application monitoring, business intelligence, and more. Start your free trial today!

Asaf Yigal is co-founder and VP Product at Logz.io. Prior to Logz.io, Asaf co-founded Currensee, a social-trading platform, which was later acquired by OANDA in 2013. Prior to Currensee, Asaf played executive roles at Akorri in developing an end-to-end performance monitoring platform and at Onaro in developing a storage resource management platform. Both Akorri and Onaro were acquired by NetApp. Prior to Onaro, Asaf headed a research team in the Israeli Navy, taking an artificial intelligence system to military deployment. Asaf holds a B.S. from the Technion and is an Instrument-rated private pilot.