
Aria Operations for Logs – Fields as Part of Alert Title – Quick Tip

As described in the official VMware Aria Operations for Logs (formerly known as vRealize Log Insight) documentation, you can customize alert names by including a field in the format ${field name}.

For example, in the following alert definition, which will be triggered by VM migration operations, the title will contain the name of the user who started the migration process.

Figure 01: Sample alert definition containing a field.

The following screenshot shows the email I have received after starting a VM migration in vCenter. The ${vmw_user} field has been replaced by its value.

Figure 02: Alert via email containing the value of the field.

Adding information to the alert title this way works pretty well in most cases, but sometimes you might discover unusual behavior where the configured field name is not replaced by its actual value.

The reason for this, at least at the time of writing this post, is the way Aria Operations for Logs processes static fields. For example, let us create our own static fields using Postman and push them via the API as metadata together with the log message. The next picture shows a log message with some fields defined in the POST body. Please note the upper and lower case characters in the names of the fields.

Figure 03: Sending a log message including static fields via REST API.

NOTE: This is the behavior as of the time of writing this post, using Aria Operations for Logs version 8.14.1-22806512.

The first important fact is that the names of the fields I have defined in the JSON body are all written in lower case after the ingestion in Aria Operations for Logs.

Figure 04: Ingested log message and its fields in the log explorer.

Let’s create an alert based on the myoperation Contains "poweroff" query. In the following picture you can see that the field in the query definition is also written in all lower case letters.

Figure 05: Alert definition without any fields in the alert name.

This alert definition works as expected: the next time my Aria Operations for Logs received such a log message, the alert was triggered and I received this email:

Figure 06: Alert received – no issues.

As I would like to see the VM name right in the alert name, I will add the corresponding myvmname field to it:

Figure 07: Alert definition with a field in the alert name – all lower case.

This time I received an email and, to my surprise, the field was not replaced by the actual value.

Figure 08: Alert received – field has not been replaced by its value.

After a few tests I figured out that Aria Operations for Logs expects the field names in the same upper and lower case as they were specified in the originating log message in order to correctly replace them with their values in the title and, by the way, also in the description. The following picture shows my final alert definition, including the fields myVMname in the title and myUsername in the description.

Figure 09: Final alert definition including fields in the alert name and alert description.

This time the received email shows the values instead of the field names.

Figure 10: Alert received – no issues – again.
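
The case rule found above can be checked before an alert is saved. The following Python sketch is an added example, not part of the original post or of any VMware tooling: it compares the ${field} placeholders in an alert title or description with the field names as spelled in the sender's POST body. The body shape (events, fields, name/content), the spelling myOperation, and all values are assumptions constructed for illustration.

```python
import re

# Constructed sample of an ingestion POST body. Assumed shape: events -> fields
# with name/content pairs. Field values are made up for illustration.
SAMPLE_BODY = {
    "events": [{
        "text": "VM operation poweroff requested",
        "fields": [
            {"name": "myOperation", "content": "poweroff"},
            {"name": "myVMname", "content": "vm-test-01"},
            {"name": "myUsername", "content": "thomas"},
        ],
    }]
}

# Matches ${field name} placeholders as used in alert titles and descriptions.
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def source_field_names(body):
    """Collect field names exactly as the sender spelled them."""
    return {f["name"]
            for event in body.get("events", [])
            for f in event.get("fields", [])}


def check_template(template, body):
    """Classify every ${field} placeholder in an alert title/description.

    Returns (ok, case_mismatch, unknown):
      ok            - placeholders spelled exactly like a sender field
      case_mismatch - {placeholder: [sender spellings]} differing only in case;
                      per the post these are the ones left unreplaced
      unknown       - placeholders with no matching sender field at all
    """
    names = source_field_names(body)
    by_lower = {}
    for name in names:
        by_lower.setdefault(name.lower(), []).append(name)

    ok, case_mismatch, unknown = [], {}, []
    for placeholder in PLACEHOLDER.findall(template):
        if placeholder in names:
            ok.append(placeholder)
        elif placeholder.lower() in by_lower:
            case_mismatch[placeholder] = sorted(by_lower[placeholder.lower()])
        else:
            unknown.append(placeholder)
    return ok, case_mismatch, unknown
```

A placeholder reported under case_mismatch is the lower-case spelling shown in the log explorer and should be rewritten to the listed sender spelling; an unknown one may still be a field extracted by the product itself (such as vmw_user) rather than sent in the body.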

I hope it helps you create alerts that provide useful information at first glance.

Stay safe.

Thomas – https://twitter.com/ThomasKopton
