Parseable Docs

Alerts


Parseable offers real-time alerting based on the contents of incoming events. Each dataset can have several alerts, and each alert is evaluated independently.

How it works

Alerts in Parseable work by monitoring your log data in real time and triggering notifications when specific conditions are met. Here's how it works in simple terms:

  1. Define conditions: You set up rules that specify what to look for in your logs (like error codes, specific text patterns, or threshold values)
  2. Automatic monitoring: Parseable continuously checks incoming logs against these rules
  3. Notification: When a rule condition is met, Parseable sends notifications to your configured targets (like Slack or a webhook)

You can easily set up alerts through Parseable's user interface called Prism, which provides a simple way to configure all aspects of your alerts without writing complex code.

What are targets?

Targets in Parseable alerts are the destinations where notifications are sent when an alert is triggered. Each alert can be configured to send notifications to multiple targets simultaneously. A target can be a notification service like Slack, a webhook endpoint, or an alert management system like Alertmanager.

When an alert condition is met, Parseable sends the alert message to all the targets specified in the alert configuration. Each target has its own configuration parameters, such as endpoint URLs, authentication credentials, and notification frequency settings.

Configuration

You can configure alerts via the Prism UI. Follow these steps:

  1. Navigate to the Alerts page from the side navigation menu
  2. Click on "Create Alert" to set up a new alert
  3. Fill in the required fields (name, message, rule conditions, and targets)
  4. Save your configuration

Supported targets

Parseable supports sending alerts to Webhook, Slack, and Alertmanager targets. You can configure multiple targets for each alert.

Target Configuration

Targets are the destinations where notifications are sent when an alert is triggered. The targets field is an array of target objects, each with the following common parameters:

| Variable Name | Required | Description |
|---|---|---|
| name | Yes | The name of the target. |
| type | Yes | The type of target. Can be alertmanager, webhook, or slack. |
| endpoint | Yes | The URL of the target. |
| notificationConfig | No | Specifies how often the alert is sent to the target. By default the notificationConfig field has interval set to 1 (minute) and times set to 1. interval accepts a u64 and times accepts a usize. If you want the notification to be sent 5 times, once every minute, you would set interval to 1 and times to 5. |

Sample target configuration:

{
    "name":"AlertManagerTarget",
    "type": "alertManager",
    "endpoint": "https://some.webhook.com",
    "username": "username",
    "password":"password",
    "skipTlsCheck": true,
    "notificationConfig": {
        "interval": 3,
        "times": 7
    }
}

Apart from the common parameters above, there are target-specific parameters that can be configured. Refer to the sections below for details.

Alertmanager

The alertmanager target can be used to send notifications to an Alertmanager instance. By default, if you don't provide a repeat configuration for this target, Parseable will continue to send alerts to Alertmanager while the alert is active.

Note that Alertmanager expects clients to continuously re-send alerts as long as they are still active (usually on the order of 30 seconds to 3 minutes). Avoid specifying repeat.times in the configuration unless you want Parseable to stop re-sending alerts after the specified number of times.

| Variable Name | Required | Description |
|---|---|---|
| endpoint | Yes | The URL of the Alertmanager API to send notifications to. Compatible with Alertmanager API V2. |
| username | No | Username for basic auth. See the Prometheus docs on how to set up basic auth. |
| password | No | Password for basic auth. |
| skipTlsCheck | No | Whether to skip TLS verification when sending the alert to Alertmanager. |

Example JSON sent by Parseable to Alertmanager. Note that rule_config_* may differ depending on the type of rule that triggered the alert.

{
    "labels": {
        "alertname": "Status Alert",
        "deployment_id": "01GTFFFFFFFFFFFF",
        "rule_config_column": "status",
        "rule_config_operator": "exact",
        "rule_config_repeats": "2",
        "rule_config_value": "500",
        "rule_type": "column",
        "status": "firing",
        "stream": "app"
    },
    "annotations": {
        "message": "message that was set for this alert",
        "reason": "status column was equal to 500, 2 times"
    }
}

Webhook

The webhook target can be used to send notifications to a webhook URL. The target object contains the following parameters:

| Variable Name | Required | Description |
|---|---|---|
| endpoint | Yes | The URL of the webhook to send notifications to. |
| headers | No | Any custom headers to include in the webhook request. |
| skipTlsCheck | No | Whether to skip TLS verification when sending the webhook request. |

Slack

The slack target can be used to send notifications to a Slack channel. The target object contains the following parameters:

| Variable Name | Required | Description |
|---|---|---|
| endpoint | Yes | Slack webhook URL. Refer to the Slack docs for details. |
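
The sample target above sets skipTlsCheck to true while also carrying basic auth credentials. The following is an added example, not part of the Parseable docs or code base: a pre-deployment check over a targets array that uses only the field names documented on this page. The function name `audit_targets`, the finding texts, and the sample targets other than the page's own are hypothetical or constructed, and the shape of `headers` is an assumption.

```python
import json
from urllib.parse import urlsplit

KNOWN_TYPES = {"alertmanager", "webhook", "slack"}  # target types listed on this page

# Constructed sample: the page's Alertmanager sample plus two invented targets.
SAMPLE_TARGETS = json.loads("""[
  {"name": "AlertManagerTarget", "type": "alertManager",
   "endpoint": "https://some.webhook.com", "username": "username",
   "password": "password", "skipTlsCheck": true,
   "notificationConfig": {"interval": 3, "times": 7}},
  {"name": "PlainWebhook", "type": "webhook",
   "endpoint": "http://hooks.example.internal/parseable",
   "headers": {"Authorization": "Bearer PLACEHOLDER"}},
  {"name": "OpsSlack", "type": "slack",
   "endpoint": "https://hooks.slack.example/services/PLACEHOLDER"}
]""")

def audit_targets(targets):
    """Return sorted (target name, finding) pairs for risky settings."""
    findings = set()
    for t in targets:
        name = t.get("name", "<unnamed>")
        # Compared case-insensitively: the page writes both "alertmanager"
        # and "alertManager".
        ttype = str(t.get("type", "")).lower()
        url = urlsplit(str(t.get("endpoint", "")))
        # Assumption: "headers" is a JSON object of header name -> value.
        headers = t.get("headers") or {}
        carries_secret = bool(t.get("username") or t.get("password")) or any(
            h.lower() == "authorization" for h in headers)
        verified_tls = url.scheme == "https" and not t.get("skipTlsCheck", False)
        if ttype not in KNOWN_TYPES:
            findings.add((name, "unknown target type"))
        if url.scheme != "https":
            findings.add((name, "endpoint is not https"))
        if t.get("skipTlsCheck", False):
            findings.add((name, "skipTlsCheck is true: server certificate is not verified"))
        if carries_secret and not verified_tls:
            findings.add((name, "credentials sent without verified TLS"))
        # Assumption: the "repeat.times" in the Alertmanager note is notificationConfig.times.
        if ttype == "alertmanager" and "times" in t.get("notificationConfig", {}):
            findings.add((name, "times is set: re-sends to Alertmanager will stop"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit_targets(SAMPLE_TARGETS):
        print(f"{name}: {finding}")
```

Run against the constructed sample, the page's Alertmanager target produces three findings, the plain-HTTP webhook two, and the Slack target none.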

Alert Configuration Fields

| Field | Description |
|---|---|
| version | Should be v1 for now |
| severity | Either low, medium, high, critical |
| title | The title of the alert |
| stream | The dataset on which the alert is being configured |
| alertType | Should be threshold for now |
| targets | An array of target IDs to which the notification will be sent |

Evaluation Configuration

evalConfig - For now the evalConfig is set to rollingWindow

  • rollingWindow - This is the only supported evaluation type for now. The start time and end time keep moving constantly
    • evalStart - The start time for evaluation. Should be of humantime type
    • evalEnd - Should be now
    • evalFrequency - An integer giving the number of minutes after which an evaluation should be run