Logz.io · Schema
Logz.io Alert Rule
Representation of a Logz.io v2 alert rule. An alert rule encodes a sub-account scope, a query, a list of sub-components describing what to watch for, severity thresholds, schedule, and the notification endpoints to fire when an alert triggers.
Observability, Logging, Metrics, Tracing, SIEM, ELK, Elasticsearch, OpenSearch, Prometheus, Grafana, OpenTelemetry, AIOps, Cloud Observability, Managed ELK, Cost Management
Properties
| Name | Type | Description |
|---|---|---|
| id | integer | Alert rule identifier. |
| title | string | Human-readable alert title. |
| description | string | Operator-facing description. |
| tags | array | Tags applied to the alert. |
| searchTimeFrameMinutes | integer | Lookback window in minutes for evaluating the alert. |
| isEnabled | boolean | Whether the alert is currently armed. |
| notificationEmails | array | Email recipients. |
| alertNotificationEndpoints | array | IDs of notification endpoints (Slack, PagerDuty, etc.) to fire. |
| suppressNotificationsMinutes | integer | Minutes to suppress further notifications after the alert fires, to avoid notification storms. |
| subComponents | array | One or more sub-components defining the conditions of the alert. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://raw.githubusercontent.com/api-evangelist/logz-io/main/json-schema/logz-io-alert-rule-schema.json",
"title": "Logz.io Alert Rule",
"description": "Representation of a Logz.io v2 alert rule. An alert rule encodes a sub-account scope, a query, a list of sub-components describing what to watch for, severity thresholds, schedule, and the notification endpoints to fire when an alert triggers.",
"type": "object",
"properties": {
"id": {"type": "integer", "description": "Alert rule identifier."},
"title": {"type": "string", "description": "Human-readable alert title."},
"description": {"type": "string", "description": "Operator-facing description."},
"tags": {"type": "array", "items": {"type": "string"}, "description": "Tags applied to the alert."},
"searchTimeFrameMinutes": {"type": "integer", "description": "Lookback window in minutes for evaluating the alert."},
"isEnabled": {"type": "boolean", "description": "Whether the alert is currently armed."},
"notificationEmails": {"type": "array", "items": {"type": "string", "format": "email"}, "description": "Email recipients."},
"alertNotificationEndpoints": {"type": "array", "items": {"type": "integer"}, "description": "IDs of notification endpoints (Slack, PagerDuty, etc.) to fire."},
"suppressNotificationsMinutes": {"type": "integer", "description": "Minutes to suppress further notifications after the alert fires, to avoid notification storms."},
"subComponents": {
"type": "array",
"description": "One or more sub-components defining the conditions of the alert.",
"items": {
"type": "object",
"properties": {
"queryDefinition": {
"type": "object",
"description": "Query that produces the count or aggregation evaluated against thresholds.",
"properties": {
"query": {"type": "string", "description": "Lucene-syntax search query."},
"filters": {"type": "object"},
"groupBy": {"type": "array", "items": {"type": "string"}, "description": "Fields to group by."},
"aggregation": {
"type": "object",
"properties": {
"aggregationType": {"type": "string", "enum": ["NONE", "COUNT", "AVG", "MIN", "MAX", "SUM", "UNIQUE_COUNT"]},
"fieldToAggregateOn": {"type": "string"}
}
},
"shouldQueryOnAllAccounts": {"type": "boolean"},
"accountIdsToQueryOn": {"type": "array", "items": {"type": "integer"}}
}
},
"trigger": {
"type": "object",
"properties": {
"operator": {"type": "string", "enum": ["LESS_THAN", "LESS_THAN_OR_EQUALS", "GREATER_THAN", "GREATER_THAN_OR_EQUALS", "EQUALS", "NOT_EQUAL_TO"]},
"severityThresholdTiers": {
"type": "object",
"additionalProperties": {"type": "number"},
"description": "Mapping of severity → threshold (e.g. HIGH=100, INFO=10)."
}
}
},
"output": {
"type": "object",
"properties": {
"type": {"type": "string", "enum": ["JSON", "TABLE"]},
"columns": {"type": "array", "items": {"type": "object"}}
}
}
}
}
}
},
"required": ["title", "subComponents"]
}