Add a Log Analytics alert rule in Health Log Analytics

  • Version: Australia
  • Updated 12 March 2026
  • 3 minute read

    Define a Log Analytics alert rule when you encounter log data that should generate an alert. The alert rule generates an alert for a specified metric with a threshold that you specify and sets the properties of the generated alert.

    Before you begin

    Role required: evt_mgmt_operator or evt_mgmt_admin

    Procedure

    1. Open the Log Viewer using one of the following methods:
      • Navigate to Workspaces > Service Operations Workspace and select the Log Viewer icon.
      • While viewing log entries for an alert on the Surrounding logs tab, select Log Viewer.
    2. Define and run a search.
    3. When a search returns log data that should generate an alert, click Save or Save as to save the search.
      Note:
      If you are using the Health Log Analytics application, Version 20.0.11 - July 2021, and the Health Log Analytics Viewer application, Version 20.0.4 - July 2021, available from the ServiceNow Store, you don't have to perform this step.
    4. Access the form for creating an alert rule by selecting Define alert at the top right of the Log viewer tab.
    5. On the form, provide the name and description for the alert rule.
      The name appears on the Anomaly card for generated alerts.
    6. Determine whether the rule generates alerts when the threshold conditions are met in the log data by setting the State field.
      To activate the rule, select Enabled.
    7. If you have installed the Health Log Analytics application, Version 20.0.11 - July 2021, set the Severity value for the alert generated by this alert rule.
      • Low: Attention is required even though the resource is still functional.
      • Medium: Either performance has degraded or a partial, non-critical loss of functionality has occurred.
      • High: Major functionality is severely impaired or performance has degraded.
      • Critical: Immediate action is required. Either the resource is not functional or critical problems are imminent.
    8. If you have installed the Health Log Analytics application, Version 20.0.11 - July 2021, and the Health Log Analytics Viewer application, Version 20.0.4 - July 2021, fill in the details for the query.
      Table 1. Query details
      • Your query: The query to search for in the log data. By default, this is the query that was defined on the Log viewer. You can modify the query by adding search requirements to it. To match all log entries, specify an asterisk (*).
      • Active filters: The filters defined for the query on the Log viewer. You can delete the filters.
      • Component: The component to which this alert rule applies. By default, this is the component that was defined on the Log viewer. You can choose a different component by selecting the search icon in the Component row and then selecting the required component from the list.

    9. Fill in the fields related to the threshold that will trigger the alert rule.
      Table 2. Threshold
      • Operator: Mathematical comparison operator that qualifies how the hit count triggers an alert of this kind. This field is automatically set to Bigger Than.
      • Hit count: Number of matching log entries that serve as the trigger for an alert of this kind.
      • Time period: Period of time over which the hit count is measured. The period is measured in the units specified by the Time unit value.
      • Time unit: Units of the time period. This field is automatically set to minutes.
      • Persistence: Time period over which the specified hit count per unit time must persist in order to trigger an alert of this kind. This field is automatically set to 1 minute.
    10. Select Save.
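The threshold fields in Table 2 describe a count-over-window rule with a persistence requirement. The following Python script is an added example, not ServiceNow code and not the product's own evaluation engine: it emulates those semantics over constructed sample log lines so you can sanity-check which Hit count, Time period and Persistence values a query needs before you save the rule. It assumes the query is a case-insensitive substring match, that Bigger Than means strictly greater than, and that Persistence means the threshold must hold at every one-minute evaluation point across the persistence period; the product's actual matching and evaluation cadence may differ.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log entries (timestamp, message); not real data.
SAMPLE_LOGS = [
    (datetime(2026, 3, 12, 10, 0, 10), "ERROR db connection refused"),
    (datetime(2026, 3, 12, 10, 0, 40), "INFO request served"),
    (datetime(2026, 3, 12, 10, 1, 5), "ERROR db connection refused"),
    (datetime(2026, 3, 12, 10, 1, 50), "ERROR upstream timeout"),
    (datetime(2026, 3, 12, 10, 2, 30), "INFO request served"),
    (datetime(2026, 3, 12, 10, 3, 15), "ERROR db connection refused"),
    (datetime(2026, 3, 12, 10, 4, 20), "ERROR upstream timeout"),
    (datetime(2026, 3, 12, 10, 4, 50), "INFO health check ok"),
]


@dataclass
class AlertRule:
    """Mirrors the Table 1 query and Table 2 threshold fields (assumed semantics)."""
    query: str                       # "*" matches every entry; otherwise substring match
    hit_count: int                   # Hit count threshold
    time_period: int                 # Time period, measured in time_unit
    time_unit: str = "minutes"       # Time unit (any datetime.timedelta keyword works)
    persistence_minutes: int = 1     # Persistence, in minutes
    operator: str = "Bigger Than"    # Operator; only Bigger Than is modelled, as the form fixes it


def matches(rule: AlertRule, message: str) -> bool:
    """Assumption: the saved query behaves like a case-insensitive substring filter."""
    return rule.query == "*" or rule.query.lower() in message.lower()


def hits_in_window(rule: AlertRule, logs, window_end: datetime) -> int:
    """Count matching entries in the half-open window (window_end - time_period, window_end]."""
    window = timedelta(**{rule.time_unit: rule.time_period})
    window_start = window_end - window
    return sum(1 for ts, msg in logs if window_start < ts <= window_end and matches(rule, msg))


def threshold_met(rule: AlertRule, hits: int) -> bool:
    """Bigger Than is modelled as strictly greater than the Hit count."""
    if rule.operator != "Bigger Than":
        raise ValueError(f"unsupported operator: {rule.operator}")
    return hits > rule.hit_count


def evaluate(rule: AlertRule, logs, now: datetime) -> bool:
    """True when the threshold holds at every one-minute evaluation point across Persistence.

    Assumption: persistence is checked at 'now', 'now - 1 min', ... for persistence_minutes
    points; a single point that misses the threshold prevents the alert.
    """
    return all(
        threshold_met(rule, hits_in_window(rule, logs, now - timedelta(minutes=i)))
        for i in range(rule.persistence_minutes)
    )


# Demo rule: alert when more than 3 ERROR lines appear in any 5-minute window,
# and that condition persists for 2 consecutive minutes.
DEMO_RULE = AlertRule(query="ERROR", hit_count=3, time_period=5, persistence_minutes=2)
EVAL_TIME = datetime(2026, 3, 12, 10, 5, 0)


def demo() -> bool:
    """Evaluate DEMO_RULE against the constructed sample at EVAL_TIME."""
    return evaluate(DEMO_RULE, SAMPLE_LOGS, EVAL_TIME)


if __name__ == "__main__":
    hits = hits_in_window(DEMO_RULE, SAMPLE_LOGS, EVAL_TIME)
    print(f"{hits} ERROR hits in the last {DEMO_RULE.time_period} {DEMO_RULE.time_unit}; "
          f"alert fires: {demo()}")
```

Run it as-is to see the demo rule fire (5 ERROR lines in the window, threshold 3, holding at both persistence points). Raising Hit count to 5 stops the alert because Bigger Than requires strictly more than 5 hits; this is the kind of off-by-one worth checking before the rule goes live, since a threshold that is one too high silently produces no alerts.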