Match monitors allow you to continuously filter your log data and send you matching events. Axiom sends a notification for each matching event. By default, the notification message contains the entire matching event in JSON format. When you define your match monitor using APL, you can control which event attributes to include in the notification message. Axiom recommends using match monitors for alerting purposes only. A match monitor can send 10 notifications per minute and 500 notifications per day. A notification can usually include events up to 0.1 MB but the maximum size can be smaller depending on the type of the notifier.

Create match monitor

To create a match monitor, follow these steps:
  1. Click the Monitors tab, and then click New monitor.
  2. Click Match monitor.
  3. Name your monitor and add a description.
  4. Click Add notifier, and then select the notifiers that define how you want to receive notifications for this monitor. For more information, see Notifiers.
  5. To define your query, use one of the following options:
    • To use the visual query builder, click Simple query builder. Select the filters, and then click Run query to preview the recent events that match your filters. To preview matching events over a specific period, select the time range.
    • To use Axiom Processing Language (APL), click Advanced query language. Write a query using the where operator to filter for events, and then click Run query to preview the results. To transform matching events before sending them to you, use the extend and the project operators. Don’t use aggregations in your query. For more information, see Introduction to APL.
  6. When the preview displays the events that you want to match, click Create. You can’t create a match monitor if more than 500 events match your query within the past 24 hours.
You have created a match monitor, and Axiom alerts you about every event that matches the filters you set. Each notification contains the event details as shown in the preview.
If you define your query using APL, you can use the following limited set of tabular operators: This restriction only applies to tabular operators.

Handle ingestion delays

If your data experiences ingestion delays (the time between when an event occurs and when Axiom receives it), you may need to configure your match monitor to account for this delay. Without accounting for delays, your monitor may miss events that arrive late.

1. Identify your ingestion delay

Use the ingestion_time() function to measure the delay between event time (_time) and ingestion time:
['your-dataset']
| extend ingest_time = ingestion_time()
| extend delay_seconds = datetime_diff('second', ingest_time, _time)
| summarize avg(delay_seconds), max(delay_seconds)
This query shows you the average and maximum ingestion delay for your dataset.

2. Configure the secondDelay parameter

When creating or updating your monitor through the API, add the secondDelay parameter to account for ingestion delays. This parameter tells the monitor to wait before evaluating events, ensuring late-arriving data is included. For example, if your ingestion delay is 45 minutes (2,700 seconds), set secondDelay to 2700 or higher:
{
  "name": "My Match Monitor",
  "type": "MatchEvent",
  "aplQuery": "['your-dataset'] | where severity == 'error'",
  "intervalMinutes": 1,
  "secondDelay": 2700,
  "notifierIds": ["notifier_id"]
}
The secondDelay parameter is currently only available through the API and not in the UI. For more information, see the Monitors API documentation.

3. Verify the configuration

After configuring secondDelay, monitor the alerts to ensure events are being captured correctly. You may need to adjust the value based on your actual ingestion patterns.
Match monitors evaluate events based on their _time field (when the event occurred), not when Axiom received them. If you have a 45-minute ingestion delay and your monitor runs every minute, it checks for events that occurred roughly one minute ago according to _time. Without secondDelay, these events may not have arrived yet.
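The three steps above, worked through as an added example that is not part of Axiom's documentation or tooling: it computes the same average and maximum delay as the APL query in step 1 from a constructed set of (_time, ingestion time) pairs, derives a secondDelay that covers the worst observed delay with headroom, and builds the monitor request body from step 2, refusing a secondDelay that is smaller than the measured maximum. The event values, the headroom of 300 seconds and the helper names are assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed sample rows, shaped like the output of
# "| extend ingest_time = ingestion_time()" in step 1 (not real data).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T12:00:00Z", "ingest_time": "2024-05-01T12:30:00Z"},  # 30 min late
    {"_time": "2024-05-01T12:01:00Z", "ingest_time": "2024-05-01T12:46:00Z"},  # 45 min late
    {"_time": "2024-05-01T12:02:00Z", "ingest_time": "2024-05-01T12:02:05Z"},  # 5 s late
]

def _parse(ts):
    """Parse the UTC timestamps used in the constructed rows."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def ingestion_delays(events):
    """Whole seconds between _time and ingestion time for every row,
    the same quantity as datetime_diff('second', ingest_time, _time)."""
    return [int((_parse(e["ingest_time"]) - _parse(e["_time"])).total_seconds())
            for e in events]

def delay_stats(events):
    """Average and maximum delay, mirroring the summarize line of step 1."""
    delays = ingestion_delays(events)
    return {"avg": sum(delays) / len(delays), "max": max(delays)}

def choose_second_delay(events, headroom_seconds=300):
    """Worst observed delay plus headroom, rounded up to a whole minute,
    so the monitor waits at least as long as the slowest event took to arrive."""
    worst = delay_stats(events)["max"]
    return int(math.ceil((worst + headroom_seconds) / 60.0) * 60)

def build_monitor_body(dataset, where_clause, notifier_ids, second_delay, max_observed_delay):
    """Request body in the shape shown in step 2 (hypothetical helper).
    Rejects a secondDelay that would still miss the slowest observed events."""
    if second_delay < max_observed_delay:
        raise ValueError(f"secondDelay {second_delay} < observed max delay {max_observed_delay}")
    return {
        "name": "My Match Monitor",
        "type": "MatchEvent",
        "aplQuery": f"['{dataset}'] | where {where_clause}",
        "intervalMinutes": 1,
        "secondDelay": second_delay,
        "notifierIds": list(notifier_ids),
    }

if __name__ == "__main__":
    stats = delay_stats(SAMPLE_EVENTS)
    delay = choose_second_delay(SAMPLE_EVENTS)
    print(stats, delay)
    print(build_monitor_body("your-dataset", "severity == 'error'", ["notifier_id"], delay, stats["max"]))
```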

Examples

For real-world use cases, see Monitor examples.