Effective alerting is essential for maintaining optimal performance and quickly addressing issues. Various strategies for alerting with logs provide timely notifications based on log data. Each strategy offers unique benefits and configurations, catering to different use cases and requirements.
Understanding these approaches will help you choose the most suitable alerting method to ensure your applications and systems run smoothly.
Use Davis anomaly detectors with metrics based on logs when you need to
Metrics based on logs are particularly useful for detecting anomalies in the number of occurrences of log records, or of values that are derived from log fields, such as http.response_time.
Keep in mind that metric analyzers are triggered every minute, which means they are not suitable for real-time alerting.
For detailed instructions, see Set up Davis alerts based on metrics.
For simple alerting scenarios where setting thresholds is not necessary, use Davis events extracted from logs.
This method is ideal in cases of very sparse occurrences of log pattern (once a week, once per month) when metrics wouldn’t be useful. It also provides near real-time alerting and instant notifications without the need for an additional overview of matching data over time.
It is particularly useful when you require prompt responses to specific log events without the complexity of statistical analysis.
For detailed instructions, see Set up Davis alerts based on events.
Use DQL queries in Davis anomaly detectors when you need to define custom alert conditions based on specific log data patterns, and metric or event extraction is not possible. This approach allows for flexible and precise querying to identify events or trends within your logs.
Keep in mind that these queries are executed every minute, which can increase license consumption. Therefore, make sure you use only optimized queries.
This method is not typically recommended as the primary alerting strategy. However, it can serve as a fallback when alerting with metrics or events is not possible.
For detailed instructions, see Create log alerts for a log event or summary of log data.
| Aspect | Log-Based Events | Log-Based Metrics (recommended) | Log Queries in Davis Anomaly Detector |
|---|---|---|---|
| Alerting Type | Simple alerting without thresholds | Threshold-based alerting using statistical analyzers | Custom queries to define alert conditions |
| Response Time | Fastest | Triggered every minute | Triggered every minute |
| Configuration Complexity | Low (only Event Extraction) | High (requires setting Metric Extraction and Davis Anomaly Detector configuration) | Medium (requires Davis Anomaly Detector configuration) |
| Use Case | Prompt responses to specific log events when ingested | Detecting anomalies in record occurrences or values derived from log fields | Custom alert conditions based on log data |
| Example | Instant alert for a specific log entry | Alert for anomalies in http.response_time field values; alert when matching record occurred 10 times | Alert for specific log query results and apply statistical analyzers |
| Cost | Depends on the number of generated events and event size | Depends on the number of data points and metric size | Depends on query complexity and scanned volumes |