Managing static alerts


The following video (2:34) illustrates the steps to create an alert policy for static thresholds.

Video: https://youtu.be/wLZKUqels4o

To create a static alert policy

  1. In BMC Helix Log Analytics, navigate to Alerts > Alert Policies and click Create.
  2. Add the policy information by performing the following steps:
    1. Enter a unique name and description for the alert.
    2. In the Precedence field, set a precedence for the policy.
      The precedence number defines the priority for executing the policy. A policy with a lower precedence number is executed first.
  3. In the Policy Selection Criteria section, perform the following steps:
    1. Configure the condition for which the event will be generated.
      For example, enter status Equals 401 AND filename Equals BMC_Apache_SantaClara.log. When you click in the box, you are prompted to make a selection. Each time you make a selection, you are progressively prompted to make another selection.
      The selection criteria consist of an opening parenthesis, followed by the slot name, the operator, the slot value (which can be a string based on the type of slot selected), and the closing parenthesis. You can optionally select the logical operator AND or OR to add additional conditions. Specifying the opening and closing parentheses is optional.

      Important

      • The values that you enter for a field in the selection criteria are case-sensitive. For example, if the host name is WebServer.example.com, add the selection criteria as (host_name Equals WebServer.example.com). If you enter (host_name Equals webserver.example.com), the event is not generated.
      • Ideally, each policy should be for a single data source.
    2. To group occurrences of a condition, perform one of the following actions:
      • In the Group by field, enter the values by which you want to group occurrences of a condition.
        For example, to group all occurrences of status 401 on a particular host name, enter the host name. You can enter a maximum of three values, but one must be the host name.
      • Click in the Group by field and select an appropriate option.
        The default value is log_source_host.
    3. Select the Static Thresholds button and perform the following steps:
      1. In the Alert Condition field, decide how many times the condition must occur in a time period to generate the event.
      2. Enter the status of the event.
      3. Enter and select the values in the Minutes and Minimum count is fields.
        For example, when status 401 is reported a minimum of 50 times within a 5-minute period, a critical event is generated.
    4. In the Alert Parameters section, complete the following steps:
      • To add a host name to the event, in the Alert Parameters section, perform one of the following actions. This value helps you correlate events in BMC Helix AIOps.
        • In the Hostname field, enter a host name.
        • Click in the Hostname field and select the appropriate option.
          The default value is log_source_host.
      • In the Message field, change the default message, if required.
        To use a log field value in the message, put double curly brackets around the field name, such as {{ $.location }}.
      • In Additional Details, configure additional event parameters such as source identifier.
        These values are set for the generated event.
  4. For data-level access control, select one or more user groups from the User Group list.

    Important

    Make sure that you select the same user group that you selected in the collection policy.

    With this setting, the system generates alerts, and only the selected user group can access them.
    Alerts are not generated if you select different user groups in the collection and alert policies.

  5. Enable and save the policy by performing the following steps:
    1. Select Enable Policy.
      You can choose to enable the policy later.
    2. Click Save.
      View all your policies on the Alert Policies page.
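The following is an added example, not part of the product or this page, that models what the policy above evaluates: an AND of case-sensitive Equals criteria, grouping by log_source_host, a "minimum count within N minutes" threshold, and {{ $.field }} message substitution. The log records, criteria values and message text are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Policy settings mirroring the steps above (hypothetical values chosen for the demo).
CRITERIA = [("status", "Equals", "401"),
            ("filename", "Equals", "BMC_Apache_SantaClara.log"),
            ("log_source_host", "Equals", "WebServer.example.com")]
MESSAGE = "{{ $.log_source_host }} returned {{ $.status }} for {{ $.location }}"

def matches(record, criteria):
    """AND of Equals comparisons; values are compared case-sensitively, as in the UI."""
    return all(op == "Equals" and record.get(field) == value for field, op, value in criteria)

def render_message(template, record):
    """Substitute {{ $.field }} placeholders with the matching log field value."""
    return re.sub(r"\{\{\s*\$\.(\w+)\s*\}\}", lambda m: str(record.get(m.group(1), "")), template)

def evaluate(records, criteria=CRITERIA, group_by="log_source_host", minutes=5, min_count=50):
    """Return {group: message} for each group whose matches reach min_count inside any window."""
    window = timedelta(minutes=minutes)
    groups = defaultdict(list)
    for rec in records:
        if matches(rec, criteria):
            groups[rec[group_by]].append(rec)
    alerts = {}
    for group, recs in groups.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end, rec in enumerate(recs):
            while rec["time"] - recs[start]["time"] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= min_count:
                alerts[group] = render_message(MESSAGE, rec)
                break
    return alerts

def sample_logs():
    """Constructed records: 50 hits on the policy's host, plus noise that must not count."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    base = {"status": "401", "filename": "BMC_Apache_SantaClara.log", "location": "/admin"}
    logs = [dict(base, time=t0 + timedelta(seconds=5 * i), log_source_host="WebServer.example.com")
            for i in range(50)]
    logs += [dict(base, time=t0 + timedelta(seconds=i), log_source_host="webserver.example.com")
             for i in range(60)]  # wrong case: never matches the criteria
    logs.append(dict(base, status="200", time=t0, log_source_host="WebServer.example.com"))
    return logs

if __name__ == "__main__":
    for host, msg in evaluate(sample_logs()).items():
        print(f"CRITICAL on {host}: {msg}")
```

Shrinking the window to 2 minutes or raising the minimum count to 51 produces no alert for the same records, which is the behaviour to expect when tuning the Minutes and Minimum count is fields.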


To edit a static alert policy

  1. In BMC Helix Log Analytics, navigate to Alerts > Alert Policies.
  2. Click the Action menu of the policy that you want to edit.
  3. Make your changes and save the policy.

    Important

    You cannot change the policy name. If you want to change the name, create a new alert policy with the changed name.


Where to go from here

To create an alert policy to detect log anomalies, see Detecting-anomalies-from-logs.

For information about log events, see WIP-Log-events.
