/install log-to-alert
Log to Alert
Use when (1) user pastes server, application, or system log text and wants to extract error patterns into structured alert rules. (2) user says "create alerts from these logs", "monitor for this error", "set up alerts for this pattern", or "extract warning conditions". (3) user pastes log output and asks "alert me if this happens again".
Core Position
This skill solves the specific problem of: recurring errors in logs need to become automated alert rules — not just documented, but actively monitored.
This skill IS NOT:
- A log analysis tool — it does not produce statistics or dashboards
- A debugging tool — it does not fix the root cause
- A configuration manager — it outputs alert specs, not deployed hooks
This skill IS activated ONLY when: log text + alert creation intent are both present.
Modes
/log-to-alert
Default mode. Parses log entries, identifies error/warning patterns, and outputs structured alert rules.
When to use: User provides log text and wants alert rules (Prometheus, PagerDuty, Grafana, etc.)
/log-to-alert/dedupe
Groups similar log lines into a single alert rule, eliminating duplicates.
When to use: Log contains many repeated instances of the same error.
Execution Steps
Step 1 — Parse the Log
- Receive log text (pasted, file, or path)
- Detect log format:
- Structured (JSON): extract
level,message,timestamp,service - Semi-structured (e.g., Nginx, Apache): parse using known regex patterns
- Plain text: detect timestamp patterns, log levels, and error keywords
- Structured (JSON): extract
- Classify each line:
ERROR/FATAL/CRITICAL→ high severityWARN/WARNING→ medium severityINFO/DEBUG→ informational (usually not alert-worthy)
- Identify recurring patterns (≥3 occurrences of similar message with same template)
Step 2 — Extract Alert Patterns
For each error class found:
| Field | Source |
|---|---|
| Alert name | Derived from error type + service name |
| Match pattern | Regex extracted from error message template |
| Severity | From log level (ERROR→critical, WARN→warning) |
| Source service | From log source field or filename |
| Frequency threshold | Trigger count before alert fires (default: ≥3 in 5 min) |
Step 3 — Format Alert Rule
Output in the target system's format:
Prometheus AlertManager:
- alert: HighMemoryUsage
expr: node_memory_MemAvailable / node_memory_MemTotal \x3C 0.1
for: 5m
labels:
severity: critical
annotations:
summary: "High memory usage on {{ $labels.instance }}"
Generic alert spec:
{
"name": "DatabaseConnectionFailed",
"pattern": "Connection refused|Connection timeout",
"severity": "critical",
"threshold": 3,
"window": "5m",
"action": "notify"
}
Step 4 — Validate
- Every alert rule has a unique name
- Regex pattern matches the original error type without false positives
- No alert rule is duplicated from another
- Severity levels are consistent with log levels
Mandatory Rules
Do not
- Do not alert on INFO/DEBUG level entries
- Do not create alerts for one-off transient errors (only recurring patterns)
- Do not invent log sources not present in the text
- Do not set threshold to 1 (causes alert fatigue)
Do
- Group similar error messages into a single alert rule
- Include the original error message as a comment in the alert rule
- Set severity to match log level (ERROR=critical, WARN=warning)
- Extract dynamic values as variables (IP, hostname, user ID), not hardcoded
Quality Bar
A good output:
- Each recurring error type has exactly one alert rule
- Regex patterns are specific enough to match the error but not generic logs
- Alert names clearly identify the error type and service
- Severity matches the log level from the source
A bad output:
- Creates separate alerts for every log line (no deduplication)
- Matches all log lines including INFO-level (false positives)
- Hardcodes dynamic values (specific IPs, timestamps) in patterns
- Alert names are generic like "Error Alert 1"
Good vs. Bad Examples
| Scenario | Bad Output | Good Output |
|---|---|---|
| 500 identical error lines | 500 separate alert rules | 1 alert rule with threshold=3 |
| Dynamic error message | Pattern matches literal string | Pattern uses regex: user \d+ not found |
| Multiple services in logs | All alerts named "Error" | Alerts named by service: auth-DB-connection-failed |
| One INFO log line | Creates an alert | Skipped — INFO not alert-worthy |
References
references/— Regex extraction patterns, alert format schemas for Prometheus/Grafana/PagerDuty
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install log-to-alert - 安装完成后,直接呼叫该 Skill 的名称或使用
/log-to-alert触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
Log To Alert 是什么?
Use when (1) user pastes server, application, or system log text and wants to extract error patterns into structured alert rules. (2) user says "create alert... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 143 次。
如何安装 Log To Alert?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install log-to-alert」即可一键安装,无需额外配置。
Log To Alert 是免费的吗?
是的,Log To Alert 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Log To Alert 支持哪些平台?
Log To Alert 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Log To Alert?
由 王继鹏(@wangjipeng977)开发并维护,当前版本 v1.0.1。