Query for calculating number of logs and alerting if less than 20 per hour

Hello team, I am using this query for an alert rule: sum(count_over_time({_app_="test"} |~ request.put() completed| regexp(?Prequest.put() success)| line_format{{.message}}[1h])) to count the number of logs and, if that number is lower than 20 per hour, to alert. I use an instant vector and see this message on the alert:

In Grafana, alerts work on strict numbers. Lots of datasources are producing time series. To reduce a time series to a number, we’re using Reduce expressions. However, when you’re using an instant query, your result will be a single number, since that’s how instant query works. The warning tells you that there’s no need for you to use a Reduce expression, since it doesn’t matter which function you’ll use - you’ll still have the same number (imagine getting Mean / Sum from a single number - it will still be the same number). You can delete it and change the input of your next expression (probably threshold with is more than 20).

Thank you for the explanation. So I should leave only count_over_time({_app_="test"} |~ request.put() completed| regexp(?Prequest.put() success)| line_format{{.message}}[1h]) and my check should be something like this:

If you’re leaving instant query, you don’t have to use reduce. So you can delete it entirely and then in threshold (second screenshot) you set input to A (instead of B), since A refers to your query.

Okay cool, and if I use a range query, the above is correct?

Correct, depending on what you want - different reduce functions will yield different results. Count is the count of datapoints the query will return.

Yeah, count of the data points will also work in my case. I understood your explanation, it helped me. I will use instant for now. Do you recommend one over the other in this case, for example when I just need the total number of data points during the last hour?

I’ve seen somewhere that instant queries are generally better for alerts, since all calculations are delegated to datasource. I guess that reduce functions are there mostly because of some datasources that cannot perform aggregations. Anyway, it all depends. Sometimes it’s nice to have a graph in your alert view, sometimes it’s more readable to create a simpler query in datasource and let Grafana do the computing and comparing. I don’t think Grafana struggles with those, so it’s basically up to you. As long as you know what’s going on with your query and can perform calculations in there, I’d go with instant (especially if you’d had resource problems with Grafana already).

Cool, thanks a lot. I will use this query count_over_time({_app_="test"} |~ request.put() completed| regexp(?Prequest.put() success)| line_format{{.message}}[1h]) with this check you advised.

As for query I unfortunately cannot say anything (I know nothing about Loki query language :sweat_smile: ) but I think you should also change is above to 20 (I was too late for that :smile:) (just reminding you of doing so). Other things looked alright

Yeah, I noticed, thanks :sweat_smile: