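Log To Alert — Log Alerting
v1.0.1
Use when: (1) the user pastes server, application, or system log text and wants to extract error patterns into structured alert rules. (2) the user says "create alerts from these logs", "monitor for this error", "set up alerts for this pattern", or "extract warning conditions". (3) the user pastes log output and asks "alert me if this happens again".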
Log to Alert
Use when (1) user pastes server, application, or system log text and wants to extract error patterns into structured alert rules. (2) user says "create alerts from these logs", "monitor for this error", "set up alerts for this pattern", or "extract warning conditions". (3) user pastes log output and asks "alert me if this happens again".
Core Position
This skill solves the specific problem of: recurring errors in logs need to become automated alert rules — not just documented, but actively monitored.
This skill IS NOT:
- A log analysis tool — it does not produce statistics or dashboards
- A debugging tool — it does not fix the root cause
- A configuration manager — it outputs alert specs, not deployed hooks
This skill IS activated ONLY when: log text + alert creation intent are both present.
Modes
/log-to-alert
Default mode. Parses log entries, identifies error/warning patterns, and outputs structured alert rules.
When to use: User provides log text and wants alert rules (Prometheus, PagerDuty, Grafana, etc.)
/log-to-alert/dedupe
Groups similar log lines into a single alert rule, eliminating duplicates.
When to use: Log contains many repeated instances of the same error.
Execution Steps
Step 1 — Parse the Log
- Receive log text (pasted, file, or path)
- Detect log format:
  - Structured (JSON): extract level, message, timestamp, service
  - Semi-structured (e.g., Nginx, Apache): parse using known regex patterns
  - Plain text: detect timestamp patterns, log levels, and error keywords
- Classify each line:
  - ERROR / FATAL / CRITICAL → high severity
  - WARN / WARNING → medium severity
  - INFO / DEBUG → informational (usually not alert-worthy)
- Identify recurring patterns (≥3 occurrences of similar message with same template)
Step 2 — Extract Alert Patterns
For each error class found:
| Field | Source |
|---|---|
| Alert name | Derived from error type + service name |
| Match pattern | Regex extracted from error message template |
| Severity | From log level (ERROR→critical, WARN→warning) |
| Source service | From log source field or filename |
| Frequency threshold | Trigger count before alert fires (default: ≥3 in 5 min) |
Step 3 — Format Alert Rule
Output in the target system's format:
Prometheus Alertmanager:
- alert: HighMemoryUsage
Generic alert spec:
{ "name": "DatabaseConnectionFailed", "pattern": "Connection refused|Connection timeout", "severity": "critical", "threshold": 3, "window": "5m", "action": "notify" }
Step 4 — Validate
- Every alert rule has a unique name
- Regex pattern matches the original error type without false positives
- No alert rule is duplicated from another
- Severity levels are consistent with log levels
Mandatory Rules
Do not
- Do not alert on INFO/DEBUG level entries
- Do not create alerts for one-off transient errors (only recurring patterns)
- Do not invent log sources not present in the text
- Do not set threshold to 1 (causes alert fatigue)
Do
- Group similar error messages into a single alert rule
- Include the original error message as a comment in the alert rule
- Set severity to match log level (ERROR=critical, WARN=warning)
- Extract dynamic values as variables (IP, hostname, user ID), not hardcoded
Quality Bar
A good output:
- Each recurring error type has exactly one alert rule
- Regex patterns are specific enough to match the error but not generic logs
- Alert names clearly identify the error type and service
- Severity matches the log level from the source
A bad output:
- Creates separate alerts for every log line (no deduplication)
- Matches all log lines including INFO-level (false positives)
- Hardcodes dynamic values (specific IPs, timestamps) in patterns
- Alert names are generic like "Error Alert 1"
Good vs. Bad Examples
| Scenario | Bad output | Good output |
|---|---|---|
| 500 identical error lines | 500 separate alert rules | 1 alert rule with threshold=3 |
| Dynamic error message | Pattern matches literal string | Pattern uses regex: user \d+ not found |
| Multiple services in logs | All alerts named "Error" | Alerts named by service: auth-DB-connection-failed |
| One INFO log line | Creates an alert | Skipped — INFO not alert-worthy |
References
references/ — Regex extraction patterns, alert format schemas for Prometheus/Grafana/PagerDuty
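The execution steps and mandatory rules above, carried out on a small constructed log and emitting the generic alert spec; this is an added example, not part of the original skill document. The log line layout, the `comment` field (JSON has no comment syntax) and all function names are assumptions made for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample log (assumed layout: timestamp LEVEL service message).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ERROR auth-db Connection refused to 10.0.0.5:5432
2024-05-01T10:00:09Z ERROR auth-db Connection refused to 10.0.0.6:5432
2024-05-01T10:00:15Z INFO auth-db Health check ok
2024-05-01T10:00:31Z ERROR auth-db Connection refused to 10.0.0.5:5432
2024-05-01T10:01:02Z WARN api user 4211 not found
2024-05-01T10:01:40Z WARN api user 87 not found
2024-05-01T10:02:13Z WARN api user 5 not found
2024-05-01T10:02:50Z ERROR api Disk quota exceeded on /var/data
"""

LINE_RE = re.compile(r"^\S+\s+([A-Z]+)\s+(\S+)\s+(.*)$")
SEVERITY = {"ERROR": "critical", "FATAL": "critical", "CRITICAL": "critical",
            "WARN": "warning", "WARNING": "warning"}  # INFO/DEBUG never alert
# Dynamic values: IPv4 with optional port is tried before bare numbers.
DYN_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?)|(?P<num>\d+)")
FRAGMENT = {"ip": r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?", "num": r"\d+"}

def to_pattern(message):
    """Escape the literal text and swap each dynamic value for a regex fragment."""
    out, pos = [], 0
    for m in DYN_RE.finditer(message):
        out += [re.escape(message[pos:m.start()]), FRAGMENT[m.lastgroup]]
        pos = m.end()
    return "".join(out) + re.escape(message[pos:])

def build_alerts(log_text, min_occurrences=3):
    groups = defaultdict(list)  # (service, severity, pattern) -> original messages
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in SEVERITY:
            level, service, message = m.groups()
            groups[(service, SEVERITY[level], to_pattern(message))].append(message)
    alerts = []
    for (service, severity, pattern), messages in groups.items():
        if len(messages) < min_occurrences:  # one-off errors get no rule
            continue
        slug = re.sub(r"[^a-z]+", "-", messages[0].lower()).strip("-")
        alerts.append({"name": f"{service}-{slug}", "pattern": pattern,
                       "severity": severity, "threshold": 3, "window": "5m",
                       "action": "notify", "comment": messages[0]})
    return alerts

if __name__ == "__main__":
    print(json.dumps(build_alerts(SAMPLE_LOG), indent=2))
```

The eight sample lines collapse to two rules: the INFO line and the single disk-quota error produce none, and the IP addresses and user IDs appear in the patterns only as regex fragments.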