Alerts let you automate checking for important trends in your logs. You do this by creating an alert definition, which opens an incident whenever its criteria are met.

Alert Definitions

At its core an alert definition is comprised of a query and a trigger condition.

A query is written in either Lucene or KQL and specifies which logs are checked against your trigger condition. You might restrict it to logs from a particular source, such as a PostgreSQL database, or to logs from a particular agent.

A trigger condition specifies the case that, when satisfied, opens an alert incident. As an example, you might set a condition to trigger if the total number of logs coming from a source is zero for the last fifteen minutes. Silence from a normally chatty source could indicate a problem with it.

Incident

An incident is created, or opened, when an alert definition's trigger condition has been met. An incident will remain open until its corresponding definition's trigger condition is no longer satisfied. At that point the incident will be closed.

For each alert definition only one incident can be active at a time, and there is no way to "reopen" a closed incident. If the condition is met again after an incident has closed, a new incident is opened.

Notifiers

Notifiers are optional attachments to an alert definition. They are additional notification methods that observIQ uses to alert you when a new incident is opened. Supported notification types include Slack, PagerDuty, and email.

While an incident remains open, at most one notification is sent per 24 hours.
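The following is an added example, not observIQ's code, that models the lifecycle described in the Incident and Notifiers sections: a definition with a query and a trigger, a single active incident that closes when the condition stops holding, a fresh incident (never a reopen) if it holds again, and at most one notification per 24 hours per open incident. The `AlertDefinition`, `Incident` and `simulate` names, the "zero PostgreSQL logs in fifteen minutes" condition and the log records are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional

NOTIFY_INTERVAL = timedelta(hours=24)  # one notification per open incident per 24h


@dataclass
class Incident:
    opened_at: datetime
    closed_at: Optional[datetime] = None
    last_notified: Optional[datetime] = None


@dataclass
class AlertDefinition:
    name: str
    query: Callable[[dict], bool]          # which log records count (stands in for Lucene/KQL)
    window: timedelta                      # lookback over which the trigger is evaluated
    trigger: Callable[[list], bool]        # condition on the matched records
    incidents: List[Incident] = field(default_factory=list)
    notifications: List[datetime] = field(default_factory=list)

    @property
    def active(self) -> Optional[Incident]:
        last = self.incidents[-1] if self.incidents else None
        return last if last is not None and last.closed_at is None else None

    def evaluate(self, now: datetime, logs: list) -> None:
        """Check the trigger at `now`; open, keep, close or notify accordingly."""
        matched = [l for l in logs if self.query(l) and now - self.window <= l["ts"] <= now]
        fired = self.trigger(matched)
        incident = self.active
        if fired and incident is None:          # condition met, nothing open: open a new incident
            incident = Incident(opened_at=now)
            self.incidents.append(incident)
        elif not fired and incident is not None:  # condition no longer satisfied: close it
            incident.closed_at = now
            return
        if incident is not None and (incident.last_notified is None
                                     or now - incident.last_notified >= NOTIFY_INTERVAL):
            incident.last_notified = now       # throttle: at most one notification per 24h
            self.notifications.append(now)


def simulate() -> AlertDefinition:
    """Constructed timeline: PostgreSQL goes silent, later recovers, then goes silent again."""
    t0 = datetime(2024, 1, 1)
    m = lambda n: t0 + timedelta(minutes=n)
    logs = [  # constructed records; the nginx line must not satisfy the PostgreSQL query
        {"ts": m(0), "source": "postgres", "msg": "checkpoint complete"},
        {"ts": m(5), "source": "postgres", "msg": "connection received"},
        {"ts": m(40), "source": "nginx", "msg": "GET / 200"},
        {"ts": m(26 * 60 + 10), "source": "postgres", "msg": "connection received"},
    ]
    alert = AlertDefinition("postgres-silent", lambda l: l["source"] == "postgres",
                            timedelta(minutes=15), lambda matched: len(matched) == 0)
    for minute in (10, 30, 45, 90, 26 * 60, 26 * 60 + 15, 27 * 60):
        alert.evaluate(m(minute), logs)
    return alert
```

Running `simulate()` yields two incidents (the first closed at the 26h15m check, the second opened fresh at 27h) and three notifications: one at the first open, one 25.5 hours later for the still-open incident, and one for the new incident.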