
DQL alert if log content is not found

sivart_89
Mentor

I'm trying to create 1 single alert (rather than 3 different ones) to alert if a particular log message is not found in my lambda log. I plan to run this via a workflow daily to alert if the message is not found for that day.

What I have so far is below, which shows me the log group and the count when the message is found. What I am seeing, though, is that if the message is not found then there is no record shown for that log group; see the sample below. My query has 3 log groups but my result shows only 2 log groups because 'Successfully updated number of accounts:' was not found in log-group-3. Any thoughts on how I can get around this?

 

fetch logs,from:-24h
| filter (matchesPhrase(content, "Successfully deleted profile count:") AND (aws.log_group == "/aws/lambda/log-group-1" OR aws.log_group == "/aws/lambda/log-group-2")) OR matchesPhrase(content, "Successfully updated number of accounts:") AND aws.log_group == "/aws/lambda/log-group-3"
| summarize count = count(), by:{aws.log_group}
| fieldsAdd non_zero_count = if(count != 0, 0)

 

Sample output
sivart_89_0-1749837983949.png

 

3 REPLIES

Hi @sivart_89 ,

Just a quick thought, can we convert this into a time series using makeTimeseries, and trigger an alert if there’s no data or the value is zero? Would that work here?

 

BR,

!!! Dynatrace !!!

Thanks @Akhil-Jayendran for the suggestion, I honestly did not even think of that. I'm trying this out but instead of getting datapoints of 0 I am getting a 'There are not records' message. I'm trying something like the below, still looking into this.

fetch logs,from:-24h
| filter (matchesPhrase(content, "Successfully deleted profile count:") AND (aws.log_group == "lambda-1" OR aws.log_group == "lambda-2")) OR (matchesPhrase(content, "Successfully updated number of accounts:") AND aws.log_group == "lambda-3") OR (matchesPhrase(content, "Successfully deleted x accounts when running unregistered profile cleanup") OR matchesPhrase(content, "Successfully deleted x profiles when running unregistered profile cleanup") AND aws.log_group == "lambda-4")
| makeTimeseries count(default: 0), interval: 1m

@Akhil-Jayendran found the issue, it was with the parentheses. What I am running into now is that when running this via a workflow I get the below response. The value of 14 is correct as there were 14 instances found, but I need to tweak it to essentially create a problem card if there are no nonzero datapoints.

[
  {
    "interval": "1800000000000",
    "timeframe": {
      "end": "2025-06-16T13:00:00.000Z",
      "start": "2025-06-14T12:30:00.000Z"
    },
    "count(default:0)": [
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      14,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      14,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0
    ]
  }
]
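
An added example, not part of the original thread and not Dynatrace's own code: one way to evaluate a response of the shape shown above so that a log group with no matching records at all is treated the same as one whose datapoints are all zero. The function names are hypothetical, and the per-record `aws.log_group` field assumes the series is split with `by:{aws.log_group}`; the sample records are constructed.

```javascript
// Key of the datapoint array, as it appears in the workflow response above.
const SERIES_KEY = "count(default:0)";

// Log groups that must log a success message every day (from the first query).
const EXPECTED_GROUPS = [
  "/aws/lambda/log-group-1",
  "/aws/lambda/log-group-2",
  "/aws/lambda/log-group-3",
];

// Sum one record's datapoints; a missing array or null datapoint counts as 0.
function totalHits(record) {
  const series = record ? record[SERIES_KEY] : undefined;
  if (!Array.isArray(series)) return 0;
  return series.reduce((sum, v) => sum + (Number(v) || 0), 0);
}

// Un-split case (the response shown above): true if any datapoint is nonzero.
function hasAnyHit(records) {
  return (records || []).some((rec) => totalHits(rec) > 0);
}

// Split case: start every expected group at 0, so a group that produced no
// record (the original problem in this thread) is still reported as silent.
function findSilentGroups(records, expectedGroups) {
  const hits = new Map(expectedGroups.map((g) => [g, 0]));
  for (const rec of records || []) {
    const group = rec["aws.log_group"]; // assumed field, see lead-in
    if (hits.has(group)) hits.set(group, hits.get(group) + totalHits(rec));
  }
  return expectedGroups.filter((g) => hits.get(g) === 0);
}

// Constructed sample: group 1 logged 14 times, group 2 returned only zeros,
// group 3 returned no record at all.
const sampleRecords = [
  { "aws.log_group": "/aws/lambda/log-group-1", [SERIES_KEY]: [0, 0, 14, 0] },
  { "aws.log_group": "/aws/lambda/log-group-2", [SERIES_KEY]: [0, 0, 0, 0] },
];

const silent = findSilentGroups(sampleRecords, EXPECTED_GROUPS);
console.log(silent.length ? `ALERT, no success message from: ${silent.join(", ")}` : "OK");
```

A non-empty result from `findSilentGroups` is the condition on which to raise the problem; an empty query result makes every expected group silent.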

 
