You can configure vRealize Log Insight to run specific queries at scheduled intervals.

If the number of events that match the query exceeds the thresholds that you have set, vRealize Log Insight can send email notifications and trigger notification events in vRealize Operations Manager.

To view the list of available alerts, navigate to the Interactive Analytics page and select Manage Alerts from the drop-down menu next to the Search button. The status of each alert appears under the alert name.


Alert queries are user specific. You can manage only your own alerts.

You can control the intervals at which alert queries run, and the conditions under which vRealize Log Insight sends alert notifications, by selecting one of the alert types.

Alert for Any Match

The alert query runs automatically every five minutes. A notification is triggered when at least one event within the last five minutes matches the query.

Alert Based on Number of Events Within a Custom Period of Time

Alert query intervals depend on your settings. A notification is triggered according to your settings, when more than or fewer than X matching events occur in the last Y minutes.

If this type of alert is triggered, it is snoozed for the duration of its time period to prevent duplicate alerts from being raised for the same set of events. If you want to enable an alert while it is snoozing, you can disable and then re-enable it.
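The following Python model is an added illustration, not VMware code. It evaluates a "more than X events in the last Y minutes" alert over constructed timestamps and compares the notifications produced with and without the snooze described above. The one-minute evaluation interval, the function names, and the sample events are assumptions made for the example.

```python
from datetime import datetime, timedelta

def notifications(event_times, start, end, window, threshold,
                  interval=timedelta(minutes=1), snooze=True):
    """Return the evaluation times at which a 'more than X events in the
    last Y minutes' alert would notify.

    window    = Y and threshold = X from the alert definition.
    interval  = how often the query runs (assumed value for this model).
    snooze    = after a trigger, skip evaluation for one full window.
    """
    fired = []
    snoozed_until = start  # no snooze is active at the beginning
    t = start
    while t <= end:
        if not snooze or t >= snoozed_until:
            # Count matching events inside the sliding window (t - Y, t].
            count = sum(1 for e in event_times if t - window < e <= t)
            if count > threshold:
                fired.append(t)
                snoozed_until = t + window
        t += interval
    return fired

def at(hhmm):
    """Build a timestamp on a constructed sample day."""
    h, m = map(int, hhmm.split(":"))
    return datetime(2024, 1, 1, h, m)

# Constructed sample: two bursts of matching events (not real log data).
EVENTS = [at(x) for x in ("12:01", "12:02", "12:03", "12:04", "12:05",
                          "12:20", "12:21", "12:22", "12:23")]

def demo():
    """Evaluate the same alert (X = 3, Y = 10 minutes) both ways."""
    args = (EVENTS, at("12:00"), at("12:30"), timedelta(minutes=10), 3)
    with_snooze = notifications(*args)
    without_snooze = notifications(*args, snooze=False)
    return with_snooze, without_snooze

if __name__ == "__main__":
    snoozed, raw = demo()
    print("with snooze:   ", [t.strftime("%H:%M") for t in snoozed])
    print("without snooze:", len(raw), "notifications")
```

In this model each burst produces a single notification when the alert snoozes, while the same events would notify on every evaluation that still sees more than X events in the window when it does not.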

Alert Based on Chart Values

The alert query triggers a notification if at least one bar in the chart is above or below the threshold that you have set, within the period that you specified.

This alert type can be set for charts that do not visualize Count of events over time.

Content packs can contain alert queries. The vSphere content pack that is included in vRealize Log Insight by default contains several predefined alert queries. They can trigger alerts if an ESXi host stops sending syslog data, if vRealize Log Insight can no longer collect events, tasks, and alarms data from a vCenter Server, or when an alarm status changes to red. You can use these alert queries as templates to create alerts that are specific to your environment.

All content pack alerts are disabled by default.

Enabling the "vCenter Server: ESX/ESXi stopped logging" alert is a good practice, because certain versions of ESXi hosts might stop sending syslog data when you restart vRealize Log Insight. This alert monitors for the vCenter Server event esx.problem.vmsyslogd.remote.failure to detect whether there is an ESXi host that has stopped sending syslog feeds. For details about syslog problems and solutions, see VMware ESXi 5.x host stops sending syslogs to remote server (2003127).

You can add the following filter to the alert query and save it as a new alert to detect only ESXi hosts that stop sending feeds to your instance of vRealize Log Insight: vc_remote_host (VMware - vSphere) contains log-insight-hostname.

Content pack alert queries are read-only. To save changes to a content pack alert, you have to save the alert to your custom content.

You can configure alert queries in vRealize Log Insight to send email notifications when specific data appears in the logs.

You can configure alert queries in vRealize Log Insight to send notification events to vRealize Operations Manager when specific vRealize Log Insight queries return results above a given threshold.

You can view the alert queries that you have created and check whether the notifications for these queries are enabled.

You can change the trigger of a saved alert query, and enable or disable the notifications that the query sends.

When an alert query is disabled, vRealize Log Insight does not send notification emails and does not trigger vRealize Operations Manager notification events.

You can delete alert queries when you no longer need them.