Alerts Are Available Only if a Filter Is Selected Please Add at Least 1 Filter and Try Again

Y'all can use NRQL queries to create warning conditions. Once y'all've defined your signal, you tin can further define your warning and critical threshold levels. This determines when an alerts violation is created.

Read on to learn more about how to practice this.

Go to one.newrelic.com, click Alerts & AI, in the left sidebar click Alert weather condition (Policies), select a policy, then Add a condition. Click NRQL, and so Next, define thresholds.

Set up to get started? If you haven't already, exist certain to sign up for a New Relic account. It's complimentary, forever.

Create a NRQL alert condition

To create a NRQL alert condition for a policy:

• On ane.newrelic.com, in the header click Alerts & AI, so in the left sidebar click Alert conditions (Policies).
• Select an existing policy or click New alert policy to create a new policy.
• Click Add a condition.
• Under Select a production click NRQL, and then click Next, define thresholds.

Annotation that editing an existing status tin can issue in resetting its evaluation.

Create a condition from a chart

You can use a chart to create a NRQL alarm status.

To create a NRQL alerts status from a nautical chart, click the chart menu , then click Create warning condition.

Once y'all've named and customized your condition, you can add together it to an existing policy or create a new one.

Caution

A small number of our older charts don't include the option to create an warning status.

NRQL alert syntax

Hither's the bones syntax for creating all NRQL alarm conditions.

                              
                  
                    SELECT function(attribute)                  
                
                
                  
                                          FROM Event                  
                
                
                  
                                          WHERE attribute [comparing] [AND|OR ...]                  
                
                          

Clause	Notes
SELECT part(attribute) Required	Supported functions that render numbers include: apdex average count latest max min percentage percentile sum uniqueCount Tip If y'all use the percentile aggregator in a faceted alert condition with many facets, this may cause the following error to appear: An fault occurred while fetching chart information. If you see this mistake, apply boilerplate instead.
FROM data blazon Required	Only one information blazon can be targeted. Supported data types: Upshot Metric (RAW data points volition exist returned)
WHERE attribute [comparison] [AND|OR ...]	Use the WHERE clause to specify a series of ane or more conditions. All the operators are supported.
FACET attribute	Include an optional FACET clause in your NRQL syntax depending on the threshold type (static or baseline). Use the FACET clause to carve up your results by aspect and warning on each attribute independently. No LIMIT clause is allowed, but all queries will receive the maximum number of facets possible. Faceted queries tin can render a maximum of 5000 values for static and baseline conditions. Important If the query returns more than the maximum number of values, the alert condition can't be created. If you lot create the condition and the query returns more than this number subsequently, the alert will fail. Modify your query so that it returns a fewer number of values.

Reformatting incompatible NRQL

Some elements of NRQL used in charts don't make sense in the streaming context of alerts. Here's a list of the most common incompatible elements and suggestions for reformatting a NRQL alarm query to achieve the same event.

Element	Notes
SINCE and UNTIL	Example: SELECT percentile(largestContentfulPaint, 75) FROM PageViewTiming WHERE (appId = 837807) SINCE yesterday NRQL conditions produce a never-ending stream of windowed query results, and then the SINCE and UNTIL keywords to scope the query to a signal in time are not uniform. Every bit a convenience, we automatically strip SINCE and UNTIL from a query when creating a status from the context of a chart.
TIMESERIES	In NRQL queries, the TIMESERIES clause is used to render data as a time serial broken out by a specified menstruation of time. For NRQL conditions, the equivalent property of a signal is the assemblage duration window.
histogram()	The histogram() assemblage function is used to generate histograms. histogram() is not uniform with NRQL alerting: histogram aggregations can not be formatted every bit a time series. To create an warning from a portion of a histogram (for instance, 95th percentile), utilize the percentile() aggregation function.
bytecountestimate(), cardinality()	These functions are not yet supported for NRQL alerting.
Multiple aggregation functions	Each condition tin merely target a unmarried aggregated value. To alarm on multiple values simultaneously, you'll need to decompose them into private weather within the aforementioned policy. Original Query: SELECT count(foo), average(bar), max(baz) from Transaction Decomposed: SELECT count(foo) from Transaction SELECT average(bar) from Transaction SELECT max(baz) from Transaction
COMPARE WITH	The COMPARE WITH clause is used to compare the values for 2 different time ranges. This type of query is incompatible with NRQL alerting. We recommend using a Baseline Warning Condition to dynamically find deviations for a detail signal.
SLIDE BY	The SLIDE BY clause supports a feature known as sliding windows. With sliding windows, SLIDE BY information is gathered into "windows" of fourth dimension that overlap with each other. These windows can assistance to smoothen out line graphs with a lot of variation in cases where the rolling aggregate (such every bit a rolling mean) is more important than aggregates from narrow windows of time. You lot can enable sliding windows in the UI. When creating or editing a condition, go to Fine-tune advanced signal settings > Data aggregation settings > Apply sliding window assemblage.
LIMIT	In NRQL queries, the LIMIT clause is used to command the amount of information a query returns, either the maximum number of facet values returned past FACET queries or the maximum number of items returned by SELECT * queries. LIMIT is not compatible with NRQL alerting: evaluation is e'er performed on the full result set.

NRQL alert threshold examples

Here are some mutual use cases for NRQL conditions. These queries will work for static and baseline condition types.

NRQL atmospheric condition and query lodge of operations

By default, the aggregation window duration is 1 minute, but you can change the window to suit your needs. Whatever the aggregation window, New Relic will collect data for that window using the function in the NRQL status's query. The query is parsed and executed by our systems in the following order:

1. FROM clause – which event type needs to be grabbed?
2. WHERE clause – what tin exist filtered out?
3. SELECT clause – what information needs to be returned from the now-filtered data set?

Case: null value returned

Let'south say this is your alarm condition query:

                              
                  
                    SELECT count(*) FROM SyntheticCheck WHERE monitorName = 'My Absurd Monitor' AND upshot = 'FAILURE'                  
                
                          

If there are no failures for the aggregation window:

1. The organization volition execute the FROM clause by grabbing all SyntheticCheck events on your business relationship.
2. Then it will execute the WHERE clause to filter through those events by looking only for the ones that lucifer the monitor name and result specified.
3. If in that location are still events left to scan through subsequently completing the FROM and WHERE operations, the SELECT clause volition be executed. If there are no remaining events, the SELECT clause will not exist executed.

This means that aggregators like count() and uniqueCount() will never render a zero value. When at that place is a count of 0, the SELECT clause is ignored and no data is returned, resulting in a value of Nil.

Example: zero value returned

If you accept a information source delivering legitimate numeric zeroes, the query will return nada values and not null values.

Let's say this is your alarm condition query, and that MyCoolEvent is an attribute that can sometimes return a zero value.

                              
                  
                    SELECT boilerplate(MyCoolAttribute) FROM MyCoolEvent                  
                
                          

If, in the aggregation window being evaluated, there's at least one case of MyCoolEvent and if the average value of all MyCoolAttribute attributes from that window is equal to zero, then a 0 value will be returned. If there are no MyCoolEvent events during that minute, then a NULL will exist returned due to the gild of operations.

Instance: null vs. zilch value returned

To determine how null values will be handled, arrange the loss of indicate and gap filling settings in the Alarm weather condition UI.

You can avoid Cipher values entirely with a query order of operations shortcut. To do this, employ a filter sub-clause, then include all filter elements within that sub-clause. The primary body of the query volition run and render data, at which indicate the SELECT clause will and then run and apply the filter elements. The query will return a value of 0 if the filter elements result in no matching data. Here'southward an example:

                              
                  
                    SELECT filter(count(*), WHERE upshot = 'SUCCESS' AND monitorName = 'My Favorite Monitor') FROM SyntheticCheck                  
                
                          

For more information, check out our blog post on troubleshooting for cipher versus null values.

Nested aggregation NRQL alerts

Nested aggregation queries are a powerful way to query your data. However, they have a few restrictions that are of import to note.

NRQL status cosmos tips

Here are some tips for creating and using a NRQL condition:

Topic	Tips
Condition types	NRQL status types include static and baseline.
Create a description	For NRQL conditions, you tin can create a custom description to add to each violation. Descriptions tin can be enhanced with variable substitution based on metadata in the specific violation. For details, see Clarification
Query results	Queries must render a number. The condition evaluates the returned number confronting the thresholds yous've set.
Time period	NRQL weather condition evaluate data based on how it's aggregated, using aggregation windows from 30 seconds to 120 minutes, in increments of 15 seconds. For best results, we recommend using the event menstruation or event timer aggregation methods. For the cadence assemblage method, the implicit SINCE ... UNTIL clause specifying which minute to evaluate is controlled by your delay/timer setting. Since very recent data may exist incomplete, yous may desire to query information from three minutes agone or longer, especially for: Applications that run on multiple hosts. SyntheticCheck data: Timeouts can accept 3 minutes, so 5 minutes or more is recommended. Also, if a query will generate intermittent data, consider using the advanced signal slide past pick.
Lost signal threshold (loss of indicate detection)	Y'all tin utilize loss of signal detection to warning on when your data (a telemetry signal) should exist considered lost. A signal loss can betoken that a service or entity is no longer online or that a periodic job failed to run. Yous tin also use this to make sure that violations for sporadic data, such as error counts, are airtight when no signal is coming in.
Advanced betoken settings	These settings requite you options for better handling continuous, streaming information signals that may sometimes exist missing. These settings include the aggregation window duration, the delay/timer, and an pick for filling data gaps. For more on using these, see Avant-garde point settings.
Condition settings	Use the Condition settings to: Create a concise, descriptive status name. Provide a custom violation description for the condition that will be included in violations and notifications. Add together the runbook URL to include your arrangement'due south procedures for treatment incidents. Yous may also add together this data to the custom violation description.
Limits on weather condition	See the maximum values.
Health status	In club for a NRQL alert status wellness status display to part properly, the query must be scoped to a single entity. To do this, either use a WHERE clause (for example, WHERE appName = 'MyFavoriteApp') or use a FACET clause to scope each signal to a single entity (for example, FACET hostname or FACET appName).
Examples	For more than information, meet: Expected NRQL syntax Examples of NRQL status queries

Managing tags on atmospheric condition

When you edit an existing NRQL condition, yous have the option to add or remove tags associated with the condition entity. To practice this, click the Manage tags button below the status name. In the menu that pops upwardly, add or delete a tag.

Status edits can reset condition evaluation

When you edit NRQL alarm weather in some specific ways (detailed below), their evaluations are reset, significant that any evaluation up until that betoken is lost, and the evaluation starts over from that signal. The 2 ways this will affect you are:

• For "for at to the lowest degree x minutes" thresholds: because the evaluation window has been reset, at that place volition exist a delay of at least x minutes before whatsoever violations tin be reported.
• For baseline conditions: the condition starts over again and all baseline learning is lost.

The following deportment cause an evaluation reset for NRQL conditions:

• Changing the query
• Irresolute the aggregation window, aggregation method, or aggregation delay/timer setting
• Irresolute the "shut violations on signal loss" setting
• Changing whatever gap make full settings
• Changing the baseline direction (if applicable) – higher, lower, or college/lower
• Change the threshold value, threshold window, or threshold operator
• Change the slide-by interval (on sliding windows assemblage conditions only)

The following actions (along with any other actions non covered in the above list) volition not reset the evaluation:

• Changing the loss of signal time window (expiration elapsing)
• Irresolute the fourth dimension function (switching "for at least" to "at least one time in," or vice-versa)
• Toggling the "open violation on signal loss" setting

Alert condition types

When y'all create a NRQL alert, you tin cull from different types of weather:

NRQL alert condition types	Clarification
Static	This is the simplest blazon of NRQL condition. It allows you to create a status based on a NRQL query that returns a numeric value. Optional: Include a FACET clause.
Baseline (Dynamic)	Uses a cocky-adjusting condition based on the by behavior of the monitored values. Uses the same NRQL query form as the static type, including the optional FACET clause.

Set the loss of signal threshold

Loss of signal occurs when no data matches the NRQL status over a specific flow of time. You can set your loss of signal threshold elapsing and also what happens when the threshold is crossed.

Go to i.newrelic.com, click Alerts & AI, in the left sidebar click Warning conditions (Policies), select a policy, then Add a condition. Loss of signal is only available for NRQL conditions.

You may likewise manage these settings using the GraphQL API (recommended), or the Residue API. Go here for specific GraphQL API examples.

Loss of betoken settings:

Loss of signal settings include a fourth dimension duration and two possible actions.

• Signal loss expiration time
  • UI label: Bespeak is lost afterwards:
  • GraphQL Node: expiration.expirationDuration
  • Expiration elapsing is a timer that starts and resets when we receive a data point in the streaming alerts pipeline. If we don't receive some other data betoken before your 'expiration fourth dimension' expires, we consider that bespeak to be lost. This can exist because no data is being sent to New Relic or the WHERE clause of your NRQL query is filtering that data out before information technology is streamed to the alerts pipeline. Notation that when you lot have a faceted query, each facet is a betoken. Then if any one of those signals ends during the elapsing specified, that volition be considered a loss of signal.
  • The loss of signal expiration time is independent of the threshold elapsing and triggers as soon as the timer expires.
  • The maximum expiration duration is 48 hours. This is helpful when monitoring for the execution of infrequent jobs. The minimum is 30 seconds, only we recommend using at least iii-5 minutes.
• Loss of point actions Once a indicate is considered lost, you lot can shut open violations, open new violations, or both.
  • Close all current open violations: This closes all open violations that are related to a specific indicate. It won't necessarily close all violations for a condition. If you're alerting on an ephemeral service, or on a sporadic point, you'll want to cull this action to ensure that violations are closed properly. The GraphQL node name for this is "closeViolationsOnExpiration"
  • Open new violations: This will open a new violation when the signal is considered lost. These violations will indicate that they are due to a loss of indicate. Based on your incident preferences, this should trigger a notification. The graphQL node name for this is "openViolationOnExpiration"
  • When y'all enable both actions, we'll close all open violations first, and then open a new violation for loss of signal.

To create a NRQL alert configured with loss of bespeak detection in the UI:

1. For a policy, when yous create a condition, under Select a production, click NRQL, then click Next, define thresholds.
2. Write a NRQL query that returns the values you want to alarm on.
3. For Threshold blazon, select Static or Baseline.
4. Click + Add together lost signal threshold, then set the signal expiration duration time in minutes or seconds in the Signal is lost after field.
5. Choose what you want to happen when the signal is lost. You can check i or both of Close all current open violations and Open new "lost indicate" violation. These command how loss of signal violations volition be handled for the status.
6. Make sure you name your condition before you save it.

Violations open up due to loss of signal close when

• the signal comes back. Newly opened lost signal violations volition close immediately when new information is evaluated.
• the condition they belong to expires. By default, conditions elapse later on 3 days.
• you manually close the violation with the Shut all electric current open violations option.

Tip

Loss of point detection doesn't piece of work on NRQL queries that apply nested aggregation or sub-queries.

Avant-garde point settings

When creating a NRQL alert condition, use the advanced signal settings to control streaming alert data and avoid false alarms.

When creating a NRQL condition, there are several advanced signal settings:

• Aggregation window duration
• Sliding window aggregation
• Streaming method
• Delay/timer
• Fill data gaps

To read an caption of what these settings are and how they relate to each other, meet Streaming alerts concepts. Beneath are instructions and tips on how to configure them.

Aggregation window elapsing

You lot tin can set the assemblage window duration to choose how long data is accumulated in a streaming time window earlier it'due south aggregated. You can set it to anything between 30 seconds and 120 minutes. The default is one infinitesimal.

Sliding window aggregation

Yous tin apply sliding windows to create smoother charts. This is done past creating overlapping windows of data.

Larn how to set sliding windows in this short video (2:30 minutes):

Once enabled, set the "slide by interval" to control how much overlap time your aggregated windows have. The interval must be shorter than the aggregation window while as well dividing evenly into it.

Of import

Immediately after you create a new sliding windows alert condition or perform any action that can cause an evaluation reset, your condition will need time build upwardly an "aggregated buffer" for the elapsing of the first aggregation window. During that fourth dimension, no violations will trigger. Once that unmarried assemblage window has passed, a complete "buffer" will take been built and the condition volition function normally.

Streaming method

Choose between three streaming aggregation methods to become the all-time evaluation results for your conditions.

Delay/timer

You can adjust the delay/timer to coordinate our streaming alerting algorithm with your data's behavior. If your data is thin or inconsistent, you may want to use the event timer assemblage method.

For the cadence method, the total supported latency is the sum of the aggregation window duration and the delay.

If the data type comes from an APM linguistic communication agent and is aggregated from many app instances (for case, Transactions, TransactionErrors, etc.), we recommend using the effect menses method with the default settings.

Important

When creating NRQL conditions for data collected from Infrastructure Cloud Integrations such every bit AWS Cloudwatch or Azure, we recommend that y'all use the result timer method.

Fill up data gaps

Gap filling lets y'all customize the values to use when your signals don't take any data. Y'all can fill gaps in your data streams with one of these settings:

• None: (Default) Choose this if y'all don't desire to take whatsoever action on empty aggregation windows. On evaluation, an empty aggregation window volition reset the threshold duration timer. For case, if a condition says that all aggregation windows must take information points to a higher place the threshold for v minutes, and 1 of the 5 aggregation windows is empty, so the condition won't be in violation.
• Custom static value: Choose this if you lot'd like to insert a custom static value into the empty aggregation windows before they're evaluated. This option has an additional, required parameter of fillValue (equally named in the API) that specifies what static value should be used. This defaults to 0.
• Last known value: This selection inserts the last seen value before evaluation occurs. We maintain the state of the last seen value for 2 hours.

Tip

The alerts system fills gaps in actively reported signals. This signal history is dropped afterwards 2 hours of inactivity. For gap filling, data points received after this period of inactivity are treated as new signals.

To learn more than most signal loss, gap filling, and how to asking access to these features, see this Explorers Hub post.

Options for editing data gap settings:

• In the NRQL weather condition UI, go to Condition settings > Advanced signal settings > fill data gaps with and choose an option.
• If using our Nerdgraph API (preferred), this node is located at: actor : account : alerts : nrqlCondition : signal : fillOption | fillValue
• NerdGraph is our recommended API for this but if you're using our REST API, y'all can discover this setting in the Remainder API explorer under the "signal" section of the Alarm NRQL conditions API.

roushneash1957.blogspot.com

Source: https://docs.newrelic.com/docs/alerts-applied-intelligence/new-relic-alerts/alert-conditions/create-nrql-alert-conditions/

Share this post