Alert rules in Health Log Analytics

  • Release version: Zurich
  • Updated March 15, 2026
  • 2 minutes to read

    • Health Log Analytics (HLA) detects anomalies automatically by learning from your log data. However, some log types require a custom alert rule to generate alerts reliably.

    You can use custom alert rules to specify the metric, threshold, and alert properties for generating alerts that HLA might not detect automatically.

    Anomaly detection logic by log pattern

    HLA classifies incoming logs into three patterns before applying anomaly detection. This classification determines which detection logic is used.

    Table 1. Log patterns
    Pattern Description
    Lively Logs arrive frequently and consistently: at least once in 20 seconds.

    For example, an application writes hundreds of log entries per hour. The ML Engine has enough volume to build a reliable baseline, so it applies standard anomaly scoring to detect deviations.
    Sparse Logs arrive infrequently or irregularly: less than once in 1 minute (60 seconds).

    For example, a batch job runs every night and writes a small number of log entries. Standard anomaly scoring would produce unreliable results here, so the ML Engine applies probability distribution analysis instead. Sparse logs might not generate alerts if the volume is too low to establish a baseline.
    Stopped Logs have not arrived for more than the configured period. Default is 5 minutes (300 seconds). To modify the default value, update the HLA system property detective.resolution.signal_dead.

    For a log stream to be alerted as stopped or dead it must first be considered alive by running continuously for a minimum period of time. You can set this time in the HLA system property detective.alive_period_seconds_for_signal_dead.

    For information about setting and changing HLA system properties, see Configure global Health Log Analytics system properties.

    When to create custom alert rules

    • For high-frequency logs with a lively log pattern, there is no need for a custom rule. However, you can add a rule to generate alerts under specific conditions.
    • For low-frequency logs with a sparse log pattern, the system might not generate alerts automatically. If these logs should still generate alerts, define a custom alert rule.
    • For known critical conditions that HLA might not flag automatically, define a custom rule. For example, if a specific log message indicates that a critical service has failed, define a rule that generates an alert every time that message appears.
    Table 2. Using custom alert rules
    Scenario ML detection Custom rule
    High-frequency logs with a lively log pattern Likely sufficient Optional
    Low-frequency or periodic logs Unreliable Suggested
    Known critical conditions Insufficient Required