Grafana Alert expression without functions

mrostamii · April 9, 2024, 7:14am

The following is an alert I wanted to use on Loki:

      - alert: myservice_error
        expr: |
          {systemd_unit="myservice.service", instance=~"server-x-.*"} |~ "error|Error" !~ "Error while fetching receipt | Error sending milestone"
        labels:
          alerting: myservice_error
          severity: critical
          channel: mychannel
        annotations:
          summary: "myservice error"
          description: "myservice has error! Reported by instance {{ $labels.instance }} of job {{ $labels.job }}. Log: {{ $value }}"

When I query exactly that expr in Loki, it responds but somehow ignores the trigger alert. I must mention that it sends alerts if I use functions like sum or count_over_time in that expression.

So, is it impossible to create alerts based on logs directly? Or maybe the alert value has more than one response, and Loki’s alerting service is unhandled.

Thanks in advance!

tonyswumac · April 9, 2024, 10:59pm

You need some sort of condition, what would be the condition to create alert based on logs?

mrostamii · April 10, 2024, 8:11am

I would like to receive alert right after a log is in that stream, without any condition. The goal is to have log/json-log in alert message like Log: <logs here> and I used {{ $value }} there which is the value of that expr. If I use conditions for the expr, the {{ $value }} will be the numeric value and not the log itself.
Any idea here?

tonyswumac · April 10, 2024, 8:51pm

If you expect an alert to fire after the log is present, then your condition is count of said log > 0. I don’t think you can include the logline as part of error, but you can work around it by making the entire logline into a label and then aggregate on it.

For example, let’s say your alert expression is like this:

 sum (count_over_time({SOME_LOG} [1m])) > 0

You can do something like:

 sum by (logline, <OTHER_LBELS>) (count_over_time({SOME_LOG} | label_format logline="{{ __line__ }}"  [1m])) > 0

mrostamii · April 11, 2024, 8:13am

Creative idea, it’s fixed the issue I had.
The new alert pattern is like:

- alert: myservice_error
        expr: |
          sum by (logline) (count_over_time( {systemd_unit="myservice.service", instance=~"server-x-.*"} |~ "error|Error" !~ "Error while fetching receipt | Error sending milestone" | label_format logline="{{ __line__ }}"  [1m])) > 0
        labels:
          alerting: myservice_error
          severity: critical
          channel: mychannel
        annotations:
          summary: "myservice error"
          description: "myservice has error! Reported by instance {{ $labels.instance }} of job {{ $labels.job }}. Log: {{ $labels.logline }}"

Thanks!

system · April 11, 2025, 8:13am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Including full log error message in alert notification using Loki Grafana Loki alerting , logs	14	12091	September 22, 2024
Is it possible to have labels in Loki managed alerts summary/description? Grafana Loki alerting , loki	8	2200	May 22, 2024
How to setup an alert if a string is present in logs? Grafana Loki alerting	2	337	June 11, 2025
Warning when creating an Alert: "Expression warning - 1 items dropped from union(s): ["${B} > 1.000000": (1.000000: {})]" Grafana Loki alerting	5	2281	June 5, 2025
Include recent log message in alert? Alerting loki	1	192	December 27, 2024

Grafana Alert expression without functions

Related topics