Support for log monitors dependant on multiple log queries and formulas

[piotrekzurek]

Currently this seems not supported. Please consider adding this as a feature.

The JSON exported monitor looks like this (but it's not possible to include formula within the single query: field with Datadog Kubernetes Operator yaml configuration - the support and CRDs would need to be made supporting such a structure first):

	"name": "STG - High number of responses with 4xx error codes on FD",
	"type": "log alert",
	"query": "formula(\"cutoff_min(query, 50) / cutoff_min(query1, 50) * 100\").last(\"15m\") > 30",
	"message": "High number of responses with 4xx error codes on FD @email-address.example.com",
	"tags": [
		"soc2",
	],
	"options": {
		"enable_logs_sample": false,
		"include_tags": true,
		"new_host_delay": 300,
		"notify_no_data": false,
		"on_missing_data": "default",
		"require_full_window": false,
		"thresholds": {
			"critical": 30,
			"critical_recovery": 15,
			"warning": 20,
			"warning_recovery": 5
		},
		"variables": [
			{
				"compute": {
					"aggregation": "count"
				},
				"data_source": "logs",
				"group_by": [],
				"indexes": [
					"*"
				],
				"name": "query",
				"search": {
					"query": "source:azure.cdn @properties.httpStatusCode:[400 TO 499]"
				}
			},
			{
				"compute": {
					"aggregation": "count"
				},
				"data_source": "logs",
				"group_by": [],
				"indexes": [
					"*"
				],
				"name": "query1",
				"search": {
					"query": "source:azure.cdn"
				}
			}
		],
		"notify_audit": false,
		"groupby_simple_monitor": false,
		"silenced": {}
	},
	"priority": 2,
	"restricted_roles": null
}```

[em-le-ts]

+1

[dd-octo-sts[bot]]

This issue has been automatically marked as stale because it has not had activity in the past 15 days.

It will be closed in 30 days if no further activity occurs. If this issue is still relevant, adding a comment will keep it open. Also, you can always reopen the issue if you missed the window.

Thank you for your contributions!