Create Alert Strategy¶
Create¶
- Define the name of the current alert strategy.
- Optionally enter a description for this strategy.
- Select the monitors to associate.
- Select the notification timezone.
- Choose whether the alert strategy triggers notifications based on severity level or based on members.
- Select the time range for repeated alerts (muting of repeats of the original alert).
- Optionally choose the alert aggregation mode, which determines the final aggregated form of alert notifications.
- Optionally add operation permissions for the strategy rules.
- Save to create the strategy.
Associate¶
On the configuration page, you can click to select the monitoring rules to associate with the current alert strategy, including:
- All
- Monitors
- Intelligent Inspection
- SLO
- Security Check
Here, you can quickly create new monitoring rules as needed.
Set Notification Rules¶
Configuration Notes
- Recovery Notification: When a previously sent abnormal alert event recovers, the system sends a recovery notification to the same notification targets. For example, if a critical notification for an event was sent to a certain group, a recovery notification is sent to that group when the event starts to recover.
- Notification Delay: Alert notifications are not sent immediately after generation; there may be a delay of up to 1 minute due to issues such as data ingestion.
Two notification configurations are currently supported:
Based on Severity Level: After selecting the event severity level, set the notification targets for this type of abnormal event. If filter conditions are set, the data scope for a specific severity level is further restricted, and notifications are ultimately sent to the targets.
Based on Members: First select members or teams, define the scope of event data they need to focus on or be responsible for, then within this data scope, delineate the event severity levels and the corresponding targets to notify, achieving a strong association between events and targets.
Notification Configuration Based on Severity Level¶
Define the notification targets for alerts at each severity level.
- Select the event severity level.
  - One event severity level can be selected multiple times.
  - Based on the selected event severity level, you can link alert aggregation.
- Select the notification targets for events of this severity level.
| Type | Description |
|---|---|
| Workspace Members | Email notification; Can be viewed in Management > Member Management |
| Teams | Email notification; A team can add multiple workspace members, can be viewed in Management > Member Management > Team Management |
| DingTalk/WeCom/Lark Bot | Group notification; Can be viewed in Monitor > Notification Targets Management |
| Webhook Custom | User-defined; Can be viewed in Monitor > Notification Targets Management |
| SMS | SMS notification; An SMS group can add multiple workspace members, can be viewed in Monitor > Notification Targets Management |
| Custom External Email | Enter email and press Enter; Only available for Commercial Plan and Deployment Plan users |
Notification Configuration Based on Members¶
Configuring notification rules based on members enables precise point-to-point alert notifications. Furthermore, within a single alert rule, different notification scopes, severity levels, and methods can be configured for multiple groups of members, along with custom notification time ranges.
- Define the name of the notification rule.
- Select the members and teams to notify.
- Add filter conditions to achieve tag matching.
- For the filtered event data, you can set corresponding notification targets for different event severity levels.
- Optionally enable the configuration for a custom notification time range.
Configuration Notes
- Hover to quickly reuse existing member notification configurations.
- If you configure multiple custom notification time ranges, the system will match them in order from top to bottom and use only the notification rules within the first matched time range to send alerts.
Add Filter Conditions¶
Whether configuring notifications by level or by members, adding specific filter conditions can:
- For level-based notifications, further refine the data scope for specific severity level events.
- For member-based notifications, restrict members or teams to only focus on events matching specific tags.
After adding filters, only events that meet both the severity level requirements and the filter conditions will trigger notifications.
After clicking the filter button, the system automatically retrieves the fields of the current workspace and sets filter conditions in the form of key:value. You can choose the following matching methods: equal to, not equal to, wildcard, wildcard negation, and regex match. Multiple filter conditions for the same key field have an OR relationship, while filter conditions for different key fields have an AND relationship.
You can configure filter conditions in two ways:
- Directly select fields and set conditions on the page.
- Write regular expressions to express more complex filtering logic, meeting fine-grained configuration requirements.
Configuration Notes
- Only one set of filter conditions can be added under each alert rule. One set can contain one or multiple filtering rules, and the system will combine all rules for conditional filtering.
- Filter conditions cannot be empty.
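The matching semantics described above (five matching methods, OR between conditions on the same key, AND between different keys, and a non-empty filter set) are easy to get wrong when reasoning about which events will actually notify. The following Python is an added example, not the product's own code; the operator names (`eq`, `ne`, `wildcard`, `not_wildcard`, `regex`), the `(key, op, value)` tuple layout, the `status` tag used as the severity level, and the rule that an event lacking a filtered key never matches are all assumptions of this example.

```python
import re
from fnmatch import fnmatchcase

# Matching methods named on the page: equal to, not equal to, wildcard,
# wildcard negation, regex match. The keywords below are this example's own.
OPERATORS = ("eq", "ne", "wildcard", "not_wildcard", "regex")


def condition_matches(op, expected, actual):
    """Evaluate one key:value condition against the event's actual tag value."""
    if op == "eq":
        return actual == expected
    if op == "ne":
        return actual != expected
    if op == "wildcard":
        return fnmatchcase(actual, expected)
    if op == "not_wildcard":
        return not fnmatchcase(actual, expected)
    if op == "regex":
        return re.search(expected, actual) is not None
    raise ValueError(f"unknown matching method: {op}")


def event_matches(filters, event):
    """filters: list of (key, op, value) tuples forming one filter set.

    Conditions on the same key are OR-ed, conditions on different keys are
    AND-ed. Assumption: an event that lacks a filtered key does not satisfy
    any condition on that key.
    """
    if not filters:
        raise ValueError("filter conditions cannot be empty")
    by_key = {}
    for key, op, value in filters:
        by_key.setdefault(key, []).append((op, value))
    for key, conds in by_key.items():
        actual = event.get(key)
        if actual is None:
            return False
        if not any(condition_matches(op, v, actual) for op, v in conds):
            return False
    return True


def should_notify(levels, filters, event):
    """Level-based rule: both the severity level and the filter set must match."""
    return event.get("status") in levels and event_matches(filters, event)


# Constructed sample filter set and events (not taken from the product).
FILTERS = [
    ("host", "wildcard", "web-*"),          # host OR ...
    ("host", "eq", "db-01"),                # ... host
    ("service", "regex", r"^(api|auth)$"),  # AND service
]

EVENTS = [
    {"host": "web-12", "service": "api", "status": "critical"},
    {"host": "db-01", "service": "billing", "status": "critical"},
    {"host": "cache-01", "service": "auth", "status": "error"},
    {"host": "db-01", "service": "auth", "status": "warning"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["host"], ev["service"], ev["status"], "->",
              should_notify({"critical", "error"}, FILTERS, ev))
```

Note that the second sample event fails even though its host matches, because the `service` condition on a different key is AND-ed in; the fourth passes the filter set but is not notified because `warning` is not among the selected levels.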
Escalation Notification¶
If a monitor frequently detects abnormalities of the same level in a short period, it may indicate an ongoing issue, and other notification targets may be needed to resolve it. For such cases you can add escalation notification rules: when abnormalities persist, the system automatically escalates them to critical notifications and sends them to the designated recipients, ensuring timely attention and handling.
If a notification rule configures two escalation notifications, then:
- When alerts of the same level continue to occur, the system checks the time interval to determine whether to send the first escalation notification.
- After sending the first escalation notification, the system judges whether a second escalation notification is needed based on the time interval configured for the second escalation notification.
Configuration Notes
- Each notification rule supports configuring up to two escalation notifications.
- Each escalation notification is triggered only once; duplicate alerts will not occur.
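The two-stage escalation above is a small state machine per severity level. The Python below is an added example of that logic, not the product's own code. It assumes the first escalation interval is measured from the first alert at that level and the second from the moment the first escalation fired, that alerts arrive in time order as `(minute_offset, level)` pairs, and the sample intervals and target names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Escalation:
    """One escalation notification: fires once alerts of the same level have
    kept recurring for `after_minutes` (assumed to count from the first alert,
    or from the previous escalation for the second one)."""
    after_minutes: int
    targets: tuple


@dataclass
class LevelState:
    first_seen: int       # minute offset of the first alert at this level
    last_escalated: int   # minute offset of the latest escalation (or first alert)
    sent: int = 0         # escalations fired so far; each fires exactly once


def process_alerts(alerts, escalations):
    """alerts: iterable of (minute_offset, level) in time order.
    Returns the escalation notifications that would be sent, each as
    (minute_offset, level, escalation_number, targets)."""
    if len(escalations) > 2:
        raise ValueError("each notification rule supports at most two escalation notifications")
    states = {}
    sent = []
    for ts, level in alerts:
        state = states.get(level)
        if state is None:
            # First abnormal event at this level starts the clock; no escalation yet.
            states[level] = LevelState(first_seen=ts, last_escalated=ts)
            continue
        if state.sent >= len(escalations):
            continue  # both escalations already fired; never repeat them
        nxt = escalations[state.sent]
        if ts - state.last_escalated >= nxt.after_minutes:
            state.sent += 1
            state.last_escalated = ts
            sent.append((ts, level, state.sent, nxt.targets))
    return sent


# Constructed configuration and alert stream (sample values, not from the product).
ESCALATIONS = [
    Escalation(after_minutes=10, targets=("oncall-lead",)),
    Escalation(after_minutes=30, targets=("sre-manager",)),
]
ALERTS = [(0, "error"), (3, "warning"), (5, "error"), (12, "error"),
          (20, "error"), (45, "error"), (50, "error")]

if __name__ == "__main__":
    for row in process_alerts(ALERTS, ESCALATIONS):
        print(row)
```

With the sample stream, the `error` alerts at minutes 12 and 45 trigger the first and second escalation respectively; the alert at minute 50 triggers nothing because both escalations have already fired once, and the lone `warning` alert never escalates.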
Custom Notification Time¶
The scenarios discussed above primarily revolve around the immediacy of automatically triggering notifications upon detecting abnormalities. However, you can also set specific times for notification delivery according to your needs.
- Optionally modify the configuration name.
- Divide the cycle in which events occur based on four dimensions: day, week, month, and custom.
  - If custom is selected, a CSV file needs to be uploaded. The system will automatically populate the dates from the file. (❗️ The date format in the file must be Year/Month/Day, i.e. YYYY/MM/DD; the number of dates in the file cannot exceed 365.)
- Limit the time of day when events occur within the cycle and send notifications according to the selected time interval. For example, if 09:00 - 10:00 is selected, after the strategy takes effect, abnormal events generated within this hour will match and flow into this custom configuration.
- After completing the cycle and time configuration, you can select the alert severity level and notification targets.
Configuration Notes
- In a single custom notification configuration within the same alert strategy, if multiple rules are configured, generated abnormal events will be matched in order from top to bottom, and alert notifications will be sent according to the first matched custom configuration. If no rule is matched, no notification will be sent.
- When configuring a monitor, if multiple alert strategies are selected, after the monitor is enabled, generated abnormal events will respectively match the selected alert strategies.
Repeated Alerts¶
After setting repeated alert notifications, within a certain time range, event data will continue to be generated, but alert notifications will not be sent again. The generated data records will be stored in the event explorer.
Configuration Notes
If the "Permanent" option for repeated alerts is selected, the system only sends the first alert notification and does not send repeated notifications afterwards.
Set Repeated Alerts by Level¶
After checking, you can separately set the non-sending time interval for repeated alerts for different alert levels (e.g., Critical, Error, Warning, etc.).
This setting only takes effect for the selected alert levels: Alerts of the selected levels will not send repeated notifications within the set time interval, while unselected levels continue to follow the original repeated alert sending rules.
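The repeated-alert rules in the two sections above amount to a per-level mute window with a "Permanent" option. The Python below is an added example of that decision, not the product's own code. It assumes muting is tracked per (monitor, level) pair, represents "Permanent" as an infinite window, and uses constructed window lengths and events; the muted events are still generated and stored, they simply do not produce a notification.

```python
from math import inf

# Constructed repeated-alert configuration (sample values, not from the product).
# `default` is the strategy-wide non-sending interval; `by_level` holds the
# per-level overrides from "Set Repeated Alerts by Level". A window of `inf`
# stands for the "Permanent" option: only the first notification is ever sent.
MUTE_CONFIG = {
    "default": 10,                       # minutes
    "by_level": {"critical": 5, "warning": inf},
}


def mute_window(level, config):
    """Return the non-sending interval (minutes) that applies to this level."""
    return config["by_level"].get(level, config["default"])


def deliver(events, config):
    """events: iterable of (minute_offset, monitor, level) in time order.
    Returns only the events for which a notification would be sent.
    Assumption: muting is tracked per (monitor, level) pair."""
    last_sent = {}
    sent = []
    for ts, monitor, level in events:
        key = (monitor, level)
        prev = last_sent.get(key)
        if prev is None or ts - prev >= mute_window(level, config):
            last_sent[key] = ts
            sent.append((ts, monitor, level))
    return sent


EVENTS = [
    (0, "cpu", "critical"), (0, "cpu", "error"), (0, "disk", "warning"),
    (3, "cpu", "critical"), (6, "cpu", "critical"),
    (8, "cpu", "error"), (12, "cpu", "error"),
    (100, "disk", "warning"),
]

if __name__ == "__main__":
    for row in deliver(EVENTS, MUTE_CONFIG):
        print(row)
```

In the sample, `critical` repeats after 5 minutes because of its override, `error` follows the 10-minute default, and the `warning` at minute 100 is never sent because its level is set to "Permanent".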
Advanced Configuration¶
Recovery events do not send notifications: After enabling this option, all recovery conditions only generate events and do not send external notifications.
Set Notification Aggregation Rules¶
No Aggregation¶
Default configuration; In this mode, alert events are merged into one notification and sent to the corresponding notification targets at 20-second intervals.
Rule Aggregation¶
In this mode, you can choose the following aggregation rules and send alert notifications based on the aggregation cycle:
| Rule Aggregation | Description |
|---|---|
| All | Based on the severity level dimension configured in the alert strategy, generate corresponding alert notifications within the selected aggregation cycle. |
| Monitor/Intelligent Inspection/SLO | Generate corresponding alert notifications linked to the aggregation cycle according to the unique ID of the monitor's detection rules, intelligent inspection, or SLO. |
| Detection Dimension | Generate corresponding alert notifications linked to the aggregation cycle according to the detection dimension, e.g., host. |
| Tags | Multiple selections allowed; Can link global tags with monitors, generating corresponding alert notifications according to the aggregation cycle. ❗️ If an event has multiple tag values simultaneously, it will preferentially match the corresponding alert notification based on the order of tags configured on the page. The relationship between multiple tag values is OR. |
Trigger Strategy¶
In rule aggregation mode, if "Send first alert" is checked here, it means that df_status is additionally attached on the basis of All, Monitor/Intelligent Inspection/SLO, Detection Dimension, and Tags, and alerts are sent externally to avoid missing important abnormal events due to waiting for aggregation.
Intelligent Aggregation¶
In this mode, events generated within the aggregation cycle will be clustered into groups based on the selected title or content, and each group will generate one alert notification.
AI Aggregation¶
Uses a large language model to aggregate new events into one alert within a set number of minutes. Automatically generates the next alert after timeout to avoid repeated disturbances.
Custom¶
Flexibly specify specific field combinations for aggregating alerts according to actual business needs. You can enter one or more field names, and the system will strictly aggregate alerts according to the field combinations you specify. Alert aggregation based on these fields will only be triggered when the event data contains all specified fields and each field has a valid value.
Fields are separated by English commas, e.g.: host, source, service_name; supports single fields (e.g., host) or multiple field combinations.
If two fields like host,source are specified, but some events only contain host and lack source, then these events will not be aggregated.
Aggregation Cycle¶
In rule aggregation and intelligent aggregation modes, you can choose to manually set a time range (1-30 minutes).
Within this time period, new events will be aggregated into one alert notification and sent. If this aggregation cycle is exceeded, new events will be aggregated into a new alert notification.
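The "Custom" aggregation rule and the aggregation cycle above interact in a way a worked example makes concrete: events are grouped strictly by the full field combination, events missing any specified field are left out of aggregation, and a cycle boundary starts a fresh notification for the same combination. The Python below is an added example, not the product's own code. It assumes events are dicts with a minute-offset `ts`, that an unaggregated event would be notified on its own, and that the 1-30 minute cycle also applies to custom-field aggregation (the page states the cycle for rule and intelligent aggregation); the sample events are constructed.

```python
def parse_field_spec(spec):
    """'host, source, service_name' -> ['host', 'source', 'service_name']"""
    fields = [f.strip() for f in spec.split(",") if f.strip()]
    if not fields:
        raise ValueError("at least one aggregation field is required")
    return fields


def aggregate(events, field_spec, cycle_minutes):
    """Group events into alert notifications by the exact combination of the
    specified field values.

    Events missing any field, or carrying an empty value, are not aggregated
    and are returned separately (assumption: each would be notified on its
    own). A group is closed once an event arrives `cycle_minutes` or more after
    the group's first event; that event opens a new notification.
    Returns (notifications, unaggregated)."""
    if not 1 <= cycle_minutes <= 30:
        raise ValueError("aggregation cycle must be between 1 and 30 minutes")
    fields = parse_field_spec(field_spec)
    open_groups = {}
    closed = []
    unaggregated = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(ev.get(f) for f in fields)
        if any(v in (None, "") for v in key):
            unaggregated.append(ev)
            continue
        group = open_groups.get(key)
        if group is None or ev["ts"] - group["start"] >= cycle_minutes:
            if group is not None:
                closed.append(group)
            group = {"key": dict(zip(fields, key)), "start": ev["ts"], "events": []}
            open_groups[key] = group
        group["events"].append(ev)
    return closed + list(open_groups.values()), unaggregated


# Constructed events (minute offsets and tag values are sample data).
EVENTS = [
    {"ts": 0, "host": "h1", "source": "nginx", "msg": "5xx spike"},
    {"ts": 2, "host": "h1", "source": "nginx", "msg": "5xx spike"},
    {"ts": 4, "host": "h2", "source": "nginx", "msg": "5xx spike"},
    {"ts": 5, "host": "h1", "msg": "no source tag"},            # lacks `source`
    {"ts": 9, "host": "h1", "source": "nginx", "msg": "5xx spike"},
    {"ts": 12, "host": "h1", "source": "nginx", "msg": "next cycle"},
]


def summarize(events=EVENTS, field_spec="host, source", cycle_minutes=10):
    """Return (notification count, sorted events-per-notification, unaggregated count)."""
    notes, rest = aggregate(events, field_spec, cycle_minutes)
    return len(notes), sorted(len(n["events"]) for n in notes), len(rest)


if __name__ == "__main__":
    notes, rest = aggregate(EVENTS, "host, source", 10)
    for n in notes:
        print(n["key"], "->", len(n["events"]), "event(s)")
    print(len(rest), "event(s) not aggregated")
```

With `host, source` the event at minute 5 is excluded because it has no `source`, and the event at minute 12 opens a second notification for `h1`/`nginx` because it falls outside the 10-minute cycle that began at minute 0; with `host` alone the same minute-5 event is aggregated normally.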
Set Operation Permissions¶
After setting the operation permissions for the alert strategy, roles, team members, and workspace users in your current workspace will perform corresponding operations on the alert strategy according to the assigned permissions. This ensures that different users perform operations compliant with the configuration based on their roles and permission levels.
- Do not enable this configuration: Follow the default permissions of "Alert Strategy Configuration Management".
- Enable this configuration and select custom permission objects: Only the creator and the objects granted permissions can perform enable/disable, edit, and delete operations on the rules set by this alert strategy.
- Enable this configuration, but do not select custom permission objects: Only the creator has the enable/disable, edit, and delete permissions for this alert strategy.
Configuration Notes
The Owner role of the current workspace is not affected by the operation permission configuration here.