Stay organized with collectionsSave and categorize content based on your preferences.
This document provides troubleshooting information for using log-based alerting
policies.
No matching logs are available
When you test your filter for a log-based alerting policy, no logs are returned.
Check the following common errors:
You are trying to filter on excluded logs. Log-based alerting policies operate
only on included logs.
You are trying to filter by log buckets, or for other Google Cloud
resources such as Cloud Billing accounts or organizations.
Log-based alerting policies operate at Google Cloud project level.
Your query is too restrictive. Check that your field names and regular
expressions are correct. You can use theQuerypane in Logs Explorer
or thePreview logsbutton in the alert-configuration interface to
help validate the query. For information about creating queries, seeLogging query language.
Alerting policy isn't working
You've created a log-based alerting policy, but it isn't working as you
expected. For example:
Cloud Monitoring isn't sending notifications for the alerting policy.
If your alerting policy extracts labels, then verify that it isn't
extracting thetimestamplabel. Extraction of this label prevents the
alerting policy from creating incidents and sending notifications.
If you've stopped receiving notifications, then you might have reached
the rate limit of 20 incidents a day for each log-based alerting policy. Check the most recent
notification you received for this log-based alerting policy and look for a
statement that the incident limit has been exceeded for the day.
If you aren't receiving as many notifications as you expect, then check
the configuration of the log-based alerting policy. You might need to adjust
the value for time between notifications.
Cloud Monitoring isn't creating incidents when policy conditions are
met.
If your alerting policy extracts labels, then verify that it isn't
extracting thetimestamplabel. Extraction of this label prevents the
alerting policy from creating incidents and sending notifications.
Go to theIncidentspage in Cloud Monitoring and filter the
table by policy name. The results show the current and past alerts:
If there are no incidents, then verify that the query used is
finding matching logs. Check that your field names and regular
expressions are correct. You can use theQuerypane in Logs Explorer
or thePreview logsbutton in the alert-configuration interface to
help validate the query. For information about creating queries, seeLogging query language.
If there are past incidents but no recent ones for the current day,
then you might have reached the limit of 20 incidents a day for each log-based alerting policy.
Check the most recent notification you received for this alerting
policy and look for a statement that the incident limit has been
exceeded for the day.
Cloud Monitoring creates incidents for more log entries than you
expected:
It's possible that your log query is insufficiently restrictive.
Check that your field names and regular
expressions are correct. You can use theQuerypane in Logs Explorer
or thePreview logsbutton in the alert-configuration interface to
help validate the query. For information about creating queries, seeLogging query language.
Incidents aren't closing
If you don't close an incident, then Cloud Logging closes the
incident after the autoclose duration for the alerting policy has passed.
The default autoclose duration is 7 days, but you can set
it to any value between 30 minutes and
7 days. You can also manually close incidents at
any time, as described inClosing incidents.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Troubleshoot log-based alerting policies\n\n\u003cbr /\u003e\n\nThis document provides troubleshooting information for using log-based alerting\npolicies.\n\nNo matching logs are available\n------------------------------\n\nWhen you test your filter for a log-based alerting policy, no logs are returned.\nCheck the following common errors:\n\n- You are trying to filter on excluded logs. Log-based alerting policies operate\n only on included logs.\n\n- You are trying to filter by log buckets, or for other Google Cloud\n resources such as Cloud Billing accounts or organizations.\n Log-based alerting policies operate at Google Cloud project level.\n\n- Your query is too restrictive. Check that your field names and regular\n expressions are correct. You can use the **Query** pane in Logs Explorer\n or the **Preview logs** button in the alert-configuration interface to\n help validate the query. For information about creating queries, see\n [Logging query language](/logging/docs/view/logging-query-language).\n\nAlerting policy isn't working\n-----------------------------\n\nYou've created a log-based alerting policy, but it isn't working as you\nexpected. For example:\n\n- Cloud Monitoring isn't sending notifications for the alerting policy.\n\n If your alerting policy extracts labels, then verify that it isn't\n extracting the `timestamp` label. Extraction of this label prevents the\n alerting policy from creating incidents and sending notifications.\n\n If you've stopped receiving notifications, then you might have reached\n the rate limit of 20 incidents a day for each log-based alerting policy. Check the most recent\n notification you received for this log-based alerting policy and look for a\n statement that the incident limit has been exceeded for the day.\n\n If you aren't receiving as many notifications as you expect, then check\n the configuration of the log-based alerting policy. You might need to adjust\n the value for time between notifications.\n- Cloud Monitoring isn't creating incidents when policy conditions are\n met.\n\n If your alerting policy extracts labels, then verify that it isn't\n extracting the `timestamp` label. Extraction of this label prevents the\n alerting policy from creating incidents and sending notifications.\n\n Go to the **Incidents** page in Cloud Monitoring and filter the\n table by policy name. The results show the current and past alerts:\n - If there are no incidents, then verify that the query used is\n finding matching logs. Check that your field names and regular\n expressions are correct. You can use the **Query** pane in Logs Explorer\n or the **Preview logs** button in the alert-configuration interface to\n help validate the query. For information about creating queries, see\n [Logging query language](/logging/docs/view/logging-query-language).\n\n - If there are past incidents but no recent ones for the current day,\n then you might have reached the limit of 20 incidents a day for each log-based alerting policy.\n Check the most recent notification you received for this alerting\n policy and look for a statement that the incident limit has been\n exceeded for the day.\n\n- Cloud Monitoring creates incidents for more log entries than you\n expected:\n\n It's possible that your log query is insufficiently restrictive.\n Check that your field names and regular\n expressions are correct. You can use the **Query** pane in Logs Explorer\n or the **Preview logs** button in the alert-configuration interface to\n help validate the query. For information about creating queries, see\n [Logging query language](/logging/docs/view/logging-query-language).\n\nIncidents aren't closing\n------------------------\n\nIf you don't close an incident, then Cloud Logging closes the\nincident after the autoclose duration for the alerting policy has passed.\nThe default autoclose duration is 7 days, but you can set\nit to any value between 30 minutes and\n7 days. You can also manually close incidents at\nany time, as described in [Closing incidents](/logging/docs/alerting/log-based-incidents#closing)."]]
