Advanced Alert Thresholds

Advanced alerts allow you to define a threshold as a custom Boolean expression which can involve multiple conditions. These advanced expressions require a specific syntax, which is described in this support document.


Basic Examples

Here are two examples of valid expressions:

timeAvg(cpu.used.percent) > 50 AND timeAvg(memory.used.percent) > 75
timeAvg(cpu.used.percent) > 50 OR timeAvg(memory.used.percent) > 75

If you like learning by examples, just skip to the end of this doc for more :)


Multiple conditions

Multiple conditions can be combined into boolean expressions using logical operators:

condition1 AND condition2
condition1 OR condition2
NOT condition1

Order of operations can be manipulated using parentheses:

NOT (condition1 AND (condition2 OR condition3))

Single conditions

Each condition has five parts:

  1. Metric
  2. Group aggregation (optional)
  3. Time aggregation
  4. Operator
  5. Value

So a condition looks like:

groupAggregation(timeAggregation(metric)) operator value

Metric name syntax

Exact metric names must be used. To help avoid typos, click the "HELP" link next to the advanced threshold expression input box to access a drop-down list of all available metric names. Clicking a metric name automatically inserts it into the threshold expression you are currently editing.


Time aggregation functions tell Sysdig Monitor how to aggregate individual data points across a stretch of time. Group aggregation functions tell Sysdig Monitor how to aggregate individual data points across a group of nodes. For more details, see the support page on this topic.

Guidelines for aggregation functions:

  • Time aggregation functions are required
  • Group aggregation functions are optional - if no group function is used, a reasonable default will be applied (either sum or average, depending on the metric)
  • Group aggregation functions must be applied outside of time aggregation functions

The following time aggregation functions are supported:


The following group aggregation functions are supported:



The following relational operators are supported:


More Examples

timeAvg(container.count) != 10  
min(min(cpu.used.percent)) <= 30 OR max(max(cpu.used.percent)) >= 60
sum( > 0 OR sum( > 0
timeAvg(cpu.used.percent) > 50 AND (timeAvg( > 20 OR timeAvg(memory.used.percent) > 75)
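
The syntax described above can be checked offline before an expression is pasted into the alert editor. The following linter is an added example, not Sysdig's parser and not code from this page; it enforces the structure of a condition (a required time aggregation, at most one group aggregation wrapped around it) and the AND/OR/NOT/parentheses grammar. Assumptions: function names are not validated, operators are limited to those appearing in this page's examples, and precedence is the conventional NOT, then AND, then OR.

```python
import re

# Assumptions, not taken from Sysdig: the token rules, conventional precedence
# (NOT, then AND, then OR), and operators limited to those in this page's examples.
TOKEN = re.compile(r">=|<=|!=|-?\d+(?:\.\d+)?|[A-Za-z_][\w.]*|\S")
NAME = re.compile(r"(?!(?:AND|OR|NOT)$)[A-Za-z_][\w.]*")
OPERATORS = {">", ">=", "<=", "!="}

def parse_threshold(text):
    """Return a nested-tuple AST; raise ValueError on a malformed expression."""
    toks = TOKEN.findall(text)[::-1]  # reversed, so toks.pop() is the next token
    def accept(tok):  # consume tok only if it is the next token
        return toks.pop() if toks and toks[-1] == tok else None
    def take(expected=None):  # consume the next token, optionally a specific one
        tok = toks.pop() if toks else None
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'more input'}, got {tok!r}")
        return tok
    def condition():
        names = [take()]
        while accept("("):  # every "(" turns the preceding name into a function
            names.append(take())
        if not 2 <= len(names) <= 3 or not all(NAME.fullmatch(n) for n in names):
            raise ValueError(f"expected [group(]time(metric)[)], got {names}")
        for _ in names[1:]:
            take(")")
        op, value = take(), take()
        if op not in OPERATORS or not re.fullmatch(r"-?\d+(\.\d+)?", value):
            raise ValueError(f"bad comparison: {op} {value}")
        group, time_fn = ([None] + names[:-1])[-2:]  # group is the outer wrapper
        return ("COND", group, time_fn, names[-1], op, float(value))
    def factor():
        if accept("NOT"):
            return ("NOT", factor())
        if not accept("("):
            return condition()
        node = expr()
        take(")")
        return node
    def expr(keywords=("OR", "AND")):  # lowest-precedence keyword first
        if not keywords:
            return factor()
        node = expr(keywords[1:])
        while accept(keywords[0]):
            node = (keywords[0], node, expr(keywords[1:]))
        return node
    tree = expr()
    if toks:
        raise ValueError(f"unexpected trailing input: {toks[-1]!r}")
    return tree
```

Each condition comes back as ("COND", group function or None, time function, metric, operator, value), so the tree can also be used to review which metrics and thresholds an alert actually depends on.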