Defining Rules

On the Alert Rules & Settings page (Settings > Alert Rules & Settings), you can set up detailed alert rules to help you manage the types of suggestions that the AI/ML engine creates. On the Alerts page, you can filter the list of suggestions and alerts based on the rules.

On the Alert Rules & Settings page, you can create the following types of rules for tags:

  • Custom alert rules. Custom alert rules deterministically create a suggestion or an alert and notify one or more channels when a log line matches the defined rule.
  • Include rules. When the AI/ML engine creates a suggestion, any nearby log lines that match the include rules below will also be included in the core of the suggestion.
  • Exclude rules. Prevent log lines that match the exclude rules from ever being part of any suggestion.
  • Routing rules. Routing rules allow you to tag a suggestion and notify one or more channels when log lines in the suggestion match the rule you define.

When you create any of these rules on the Alert Rules & Settings page, you will need to:

  1. Select the service group or groups for the rule.
  2. Specify the event label, which requires one or more labels to match a corresponding regular expression (regex) or case-sensitive substring.
  3. Specify the event text, which requires that the event text matches a corresponding regex or case-sensitive substring.

These three elements are described in detail in the following sections.

Service Groups

On the Add Rule dialog on the Alert Rules & Settings page, select one or more named service groups from the Service Groups drop-down.

If you do not select a service group, the rule can match an event from any service group. If you select one service group, the rule only matches an event from that service group. If you select more than one service group, the rule matches an event from any one of the named service groups (a logical OR across the selections).

Event Labels

The Event Labels field requires one or more labels to match a corresponding case-sensitive substring, case-sensitive regex, or case-insensitive regex. All provided label conditions must be satisfied by the same event for that event to match the rule (a logical AND across the conditions).

The Event Labels field consists of a list of parenthesized conditions. Each parenthesized condition consists of the label name, followed by a colon, followed by one of the following: a case-sensitive substring, a case-sensitive regex, or a case-insensitive regex.

As an example, to require the "app" label to start with the word core, case-insensitive; the "version" label to have a first digit of 6; and the "State" label to have the value of DONE:

(app:/^core/i)(version:/^\D*6/)(State:DONE)

Below are more details on entering each condition.

To require a case-sensitive substring match to the label value, enter something like this:

Exact Label Value Substring

To require a case-sensitive PCRE regex match to the label value, enter something like the following, surrounding the regex in forward slashes:

/Label Value With Digit\d/

It is generally recommended, but not required, to escape all non-alphanumeric literal characters within your regex as a best practice, such as:

/Label\ Value\ With\ Digit\d/

To require a case-insensitive PCRE regex match to the label value, enter something like this (note the "i" after the second forward slash):

/label value with digit \d/i

It is generally recommended, but not required, to escape all non-alphanumeric literal characters within your regex as a best practice, such as:

/label\ value\ with\ digit\ \d/i

In general, any parse errors related to ambiguous patterns can be resolved by escaping all non-alphanumeric literal characters.

Event Text

The Event Text field requires the event text to match a corresponding case-sensitive substring, case-sensitive regex, or case-insensitive regex. All provided label conditions must be satisfied by the same event for that event to match the rule (a logical AND across the conditions).

For example, the following rule matches any event containing the phrase error code: followed by a number.

/error code:\d+/i

To require a case-sensitive substring match to the event text, enter something like this:

Exact Text to Match

To require a case-sensitive PCRE regex match to the event text, enter something like this, surrounding the regex in forward slashes:

/Matches Any Digit\: \d/

It is generally recommended, but not required, to escape all non-alphanumeric literal characters within your regex as a best practice, such as:

/Matches\ Any\ Digit\:\ \d/

To require a case-insensitive PCRE regex match to the event text, enter something like this (note the "i" after the second forward slash):

/matches any digit\: \d/i
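
The matching semantics described in the Service Groups, Event Labels and Event Text sections can be checked offline before a rule is saved. The following is an added example, not the product's own code: the dict keys and function names are hypothetical, the events are constructed, and Python's re module stands in for the PCRE engine (the two agree for the patterns shown on this page).

```python
import re

# One "(label:condition)" group: a /regex/ with optional trailing i, or a substring without ")".
_COND = re.compile(r"\(([^:()]+):(/(?:\\.|[^/\\])*/i?|[^)]+)\)")

def compile_pattern(spec):
    """Turn 'substring', '/regex/' or '/regex/i' into a predicate on a string."""
    m = re.fullmatch(r"/(.*)/(i?)", spec, re.S)
    if m is None:
        return lambda value: spec in value            # case-sensitive substring
    rx = re.compile(m.group(1), re.I if m.group(2) else 0)
    return lambda value: rx.search(value) is not None

def parse_label_conditions(field):
    """Parse '(a:/x/i)(b:Y)' into [(label, predicate), ...]; reject leftovers."""
    conds, pos = [], 0
    for m in _COND.finditer(field):
        if m.start() != pos:
            break
        conds.append((m.group(1), compile_pattern(m.group(2))))
        pos = m.end()
    if pos != len(field):
        raise ValueError(f"cannot parse condition at offset {pos}: {field[pos:]!r}")
    return conds

def rule_matches(rule, event):
    groups = rule.get("service_groups") or []
    if groups and event["service_group"] not in groups:  # OR; empty list = any group
        return False
    for name, pred in parse_label_conditions(rule.get("event_labels", "")):
        value = event["labels"].get(name)
        if value is None or not pred(value):  # AND; a missing label fails (assumption)
            return False
    text = rule.get("event_text")
    return text is None or compile_pattern(text)(event["text"])

# Constructed rule and events; the dict keys are hypothetical names.
RULE = {
    "service_groups": ["prod", "staging"],
    "event_labels": r"(app:/^core/i)(version:/^\D*6/)(State:DONE)",
    "event_text": r"/error code:\d+/i",
}
def ev(group, version, state):
    return {"service_group": group, "text": "ERROR CODE:42 while flushing",
            "labels": {"app": "Core-api", "version": version, "State": state}}

EVENTS = [ev("prod", "v6.2", "DONE"), ev("prod", "v6.2", "done"),
          ev("dev", "v6.2", "DONE"), ev("prod", "v16.2", "DONE")]
print([rule_matches(RULE, e) for e in EVENTS])
```

Only the first event matches: the second fails the case-sensitive substring DONE, the third is outside the selected service groups, and the fourth has a first digit of 1 rather than 6. A condition list with a missing closing parenthesis raises ValueError instead of silently matching fewer conditions.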