This document provides troubleshooting information for using log-based alertingpolicies.

No matching logs are available

When you test your filter for a log-based alerting policy, no logs are returned.Check the following common errors:

• You are trying to filter on excluded logs. Log-based alerting policies operateonly on included logs.

• You are trying to filter by log buckets, or for other Google Cloudresources such as Cloud Billing accounts or organizations.Log-based alerting policies operate at Google Cloud project level.

• Your query is too restrictive. Check that your field names and regularexpressions are correct. You can use theQuery pane in Logs Exploreror thePreview logs button in the alert-configuration interface tohelp validate the query. For information about creating queries, seeLogging query language.

Alerting policy isn't working

You've created a log-based alerting policy, but it isn't working as youexpected. For example:

• Cloud Monitoring isn't sending notifications for the alerting policy.

  If your alerting policy extracts labels, then verify that it isn'textracting thetimestamp label. Extraction of this label prevents thealerting policy from creating incidents and sending notifications.

  If you've stopped receiving notifications, then you might have reachedthe rate limit of 20 incidents a day for each log-based alerting policy. Check the most recentnotification you received for this log-based alerting policy and look for astatement that the incident limit has been exceeded for the day.

  If you aren't receiving as many notifications as you expect, then checkthe configuration of the log-based alerting policy. You might need to adjustthe value for time between notifications.

• Cloud Monitoring isn't creating incidents when policy conditions aremet.

  If your alerting policy extracts labels, then verify that it isn'textracting thetimestamp label. Extraction of this label prevents thealerting policy from creating incidents and sending notifications.

  Go to theIncidents page in Cloud Monitoring and filter thetable by policy name. The results show the current and past alerts:

  • If there are no incidents, then verify that the query used isfinding matching logs. Check that your field names and regularexpressions are correct. You can use theQuery pane in Logs Exploreror thePreview logs button in the alert-configuration interface tohelp validate the query. For information about creating queries, seeLogging query language.

  • If there are past incidents but no recent ones for the current day,then you might have reached the limit of 20 incidents a day for each log-based alerting policy.Check the most recent notification you received for this alertingpolicy and look for a statement that the incident limit has beenexceeded for the day.

• Cloud Monitoring creates incidents for more log entries than youexpected:

  It's possible that your log query is insufficiently restrictive.Check that your field names and regularexpressions are correct. You can use theQuery pane in Logs Exploreror thePreview logs button in the alert-configuration interface tohelp validate the query. For information about creating queries, seeLogging query language.

Incidents aren't closing

If you don't close an incident, then Cloud Logging closes theincident after the autoclose duration for the alerting policy has passed.The default autoclose duration is 7 days, but you can setit to any value between 30 minutes and7 days. You can also manually close incidents atany time, as described inClosing incidents.