Welcome to the health configuration reference.
This guide contains information about editing health configuration files to tweak existing alarms or create new health entities that are customized to the needs of your infrastructure.
To learn the basics of locating and editing health configuration files, see the health quickstart.
You can configure the Agent's health watchdog service by editing files in two locations:
netdata.conf. By editing the daemon's behavior, you can disable health monitoring altogether, run health checks more or less often, and more. See daemon configuration for a table of all the available settings, their default values, and what they control.
- The individual
health.d/. These health entity files are organized by the type of metric they are performing calculations on or their associated collector. You should edit these files using the
edit-configscript. For example:
sudo ./edit-config health.d/cpu.conf.
The following reference contains information about the syntax and options of health entities, which Netdata attaches to charts in order to trigger alarms.
There are two entity types: alarms and templates. They have the same format and feature set—the only difference is their label.
Alarms are attached to specific charts and use the
Templates define rules that apply to all charts of a specific context, and use the
template label. Templates help
you apply one entity to all disks, all network interfaces, all MySQL databases, and so on.
Alarms have higher precedence and will override templates. If an alarm and template entity have the same name and attach to the same chart, Netdata will use the alarm.
Netdata parses the following lines. Beneath the table is an in-depth explanation of each line's purpose and syntax.
templateline must be the first line of any entity.
online is always required.
everyline is required if not using
- Each entity must have at least one of the following lines:
- A few lines use space-separated lists to define how the entity behaves. You can use
*as a wildcard or prefix with
!for a negative match. Order is important, too! See our simple patterns docs for more examples.
|yes||Name of the alarm/template.|
|yes||The chart this alarm should attach to.|
|no||The general alarm classification.|
|no||What area of the system the alarm monitors.|
|no||Specific component of the type of the alarm.|
|no||Which operating systems to run this chart.|
|no||Which hostnames will run this alarm.|
|no||Restrict an alarm or template to only a certain plugin.|
|no||Restrict an alarm or template to only a certain module.|
|no||Restrict an alarm or template to only certain charts.|
|no||Restrict a template to only certain families.|
|yes||The database lookup to find and process metrics for the chart specified through |
|yes (see above)||A calculation to apply to the value found via |
|no||The frequency of the alarm.|
|no||Set the green and red thresholds of a chart.|
|yes (see above)||Expressions evaluating to true or false, and when true, will trigger the alarm.|
|no||A list of roles to send notifications to.|
|no||The script to execute when the alarm changes status.|
|no||Optional hysteresis settings to prevent floods of notifications.|
|no||The interval for sending notifications when an alarm is in WARNING or CRITICAL mode.|
|no||Add an option to not clear alarms.|
|no||List of labels present on a host.|
template line must be the first line of any entity.
This line starts an alarm or template based on the entity type you're interested in creating.
NAME can be any alpha character, with
. (period) and
_ (underscore) as the only allowed symbols, but the names
family name, or
chart variables names.
This line defines the chart this alarm should attach to.
CHART should be the unique ID or name of the chart you're interested in, as shown on the dashboard. In the
image below, the unique ID is
CONTEXT should be the context you want this template to attach to.
Need to find the context? Hover over the date on any given chart and look at the tooltip. In the image below, which
shows a disk I/O chart, the tooltip reads:
You're interested in what comes after the comma:
disk.io. That's the name of the chart's context.
If you create a template using the
disk.io context, it will apply an alarm to every disk available on your system.
This indicates the type of error (or general problem area) that the alarm or template applies to. For example,
Latency can be used for alarms that trigger on latency issues on network interfaces, web servers, or database systems. Example:
Netdata's stock alarms use the following `class` attributes by default:
class will default to
Unknown if the line is missing from the alarm configuration.
Type can be used to indicate the broader area of the system that the alarm applies to. For example, under the general
Database type, you can group together alarms that operate on various database systems, like
CouchDB etc. Example:
Netdata's stock alarms use the following `type` attributes by default, but feel free to adjust for your own requirements.
|Ad Filtering||Services related to Ad Filtering (like pi-hole)|
|Certificates||Certificates monitoring related|
|Cgroups||Alerts for cpu and memory usage of control groups|
|Computing||Alerts for shared computing applications (e.g. boinc)|
|Containers||Container related alerts (e.g. docker instances)|
|Database||Database systems (e.g. MySQL, Postgress, etc)|
|Data Sharing||Used to group together alerts for data sharing applications|
|DHCP||Alerts for dhcp related services|
|DNS||Alerts for dns related services|
|Kubernetes||Alerts for kubernetes nodes monitoring|
|KV Storage||Key-Value pairs services alerts (e.g. memcached)|
|Linux||Services specific to Linux (e.g. systemd)|
|Messaging||Alerts for message passing services (e.g. vernemq)|
|Netdata||Internal Netdata components monitoring|
|Other||When an alert doesn't fit in other types.|
|Power Supply||Alerts from power supply related services (e.g. apcupsd)|
|Search engine||Alerts for search services (e.g. elasticsearch)|
|Storage||Class for alerts dealing with storage services (storage devices typically live under |
|System||General system alarms (e.g. cpu, network, etc.)|
|Virtual Machine||Virtual Machine software|
|Web Proxy||Web proxy software (e.g. squid)|
|Web Server||Web server software (e.g. Apache, ngnix, etc.)|
|Windows||Alerts for monitor of wmi services|
If an alarm configuration is missing the
type line, its value will default to
Component can be used to narrow down what the previous
type value specifies for each alarm or template. Continuing from the previous example,
component might include
MongoDB, all under the same
Database type. Example:
As with the
type line, if
component is missing from the configuration, its value will default to
The alarm or template will be used only if the operating system of the host matches this list specified in
value is a space-separated list.
The following example enables the entity on Linux, FreeBSD, and macOS, but no other operating systems.
The alarm or template will be used only if the hostname of the host matches this space-separated list.
The following example will load on systems with the hostnames
server2, and any system with hostnames that
database. It will not load on the host
redis3, but will load on any other systems with hostnames that
plugin line filters which plugin within the context this alarm should apply to. The value is a space-separated
list of simple patterns. For example,
you can create a filter for an alarm that applies specifically to
plugin line is best used with other options like
module. When used alone, the
plugin line creates a very
inclusive filter that is unlikely to be of much use in production. See
module for a
comprehensive example using both.
module line filters which module within the context this alarm should apply to. The value is a space-separated
list of simple patterns. For
example, you can create an alarm that applies only on the
isc_dhcpd module started by
charts line filters which chart this alarm should apply to. It is only available on entities using the
The value is a space-separated list of simple patterns. For
example, a template that applies to
disk.svctm (Average Service Time) context, but excludes the disk
sdb from alarms:
families line, used only alongside templates, filters which families within the context this alarm should apply
to. The value is a space-separated list.
The value is a space-separate list of simple patterns. See our simple patterns docs for some examples.
For example, you can create a template on the
disk.io context, but filter it to only the
This line makes a database lookup to find a value. This result of this lookup is available as
The format is:
Everything is the same with badges. In short:
METHODis one of
incremental-sum. This is required.
AFTERis a relative number of seconds, but it also accepts a single letter for changing the units, like
-1s= 1 second in the past,
-1m= 1 minute in the past,
-1h= 1 hour in the past,
-1d= 1 day in the past. You need a negative number (i.e. how far in the past to look for the value). This is required.
at BEFOREis by default 0 and is not required. Using this you can define the end of the lookup. So data will be evaluated between
every DURATIONsets the updated frequency of the lookup (supports single letter units as above too).
OPTIONSis a space separated list of
match-names. Check the badges documentation for more info.
of DIMENSIONSis optional and has to be the last parameter. Dimensions have to be separated by
|. The space characters found in dimensions will be kept as-is (a few dimensions have spaces in their names). This accepts Netdata simple patterns (with
|instead of spaces) and the
match-namesoptions affect the searches for dimensions.
foreach DIMENSIONSis optional, will always be the last parameter, and uses the same
|rules as the
ofparameter. Each dimension you specify in
foreachwill use the same rule to trigger an alarm. If you set both
foreach, Netdata will ignore the
ofparameter and replace it with one of the dimensions you gave to
The result of the lookup will be available as
$NAME in expressions.
The timestamps of the timeframe evaluated by the database lookup is available as variables
$before (both are unix timestamps).
calc is designed to apply some calculation to the values or variables available to the entity. The result of the
calculation will be made available at the
$this variable, overwriting the value from your
lookup, to use in warning
and critical expressions.
When paired with
calc will perform the calculation just after
lookup has retrieved a value from Netdata's
You can use
lookup if you are using other available variables.
calc line uses expressions for its syntax.
Sets the update frequency of this alarm. This is the same to the
every DURATION given
s for seconds,
m is minutes,
h for hours,
d for days.
Set the green and red thresholds of a chart. Both are available as
$red in expressions. If multiple
alarms define different thresholds, the ones defined by the first alarm will be used. These will eventually visualized
on the dashboard, so only one set of them is allowed. If you need multiple sets of them in different alarms, use
absolute numbers instead of
Define the expression that triggers either a warning or critical alarm. These are optional, and should evaluate to either true or false (or zero/non-zero).
The format uses Netdata's expressions syntax.
This will be the first parameter of the script to be executed when the alarm switches status. Its meaning is left up to
alarm-notify.sh, uses this field as a space separated list of roles, which are then
consulted to find the exact recipients per notification method.
The script that will be executed when the alarm changes status.
SCRIPT is Netdata's
alarm-notify.sh, which supports all the notifications methods Netdata supports,
including custom hooks.
This is used to provide optional hysteresis settings for the notifications, to defend against notification floods. These
settings do not affect the actual alarm - only the time the
exec script is executed.
up Udefines the delay to be applied to a notification for an alarm that raised its status (i.e. CLEAR to WARNING, CLEAR to CRITICAL, WARNING to CRITICAL). For example,
up 10s, the notification for this event will be sent 10 seconds after the actual event. This is used in hope the alarm will get back to its previous state within the duration given. The default
down Ddefines the delay to be applied to a notification for an alarm that moves to lower state (i.e. CRITICAL to WARNING, CRITICAL to CLEAR, WARNING to CLEAR). For example,
down 1mwill delay the notification by 1 minute. This is used to prevent notifications for flapping alarms. The default
Dwhen an alarm changes state, while a notification is delayed. The default multiplier is
max Xdefines the maximum absolute notification delay an alarm may get. The default
max(U * M, D * M)(i.e. the max duration of
Dmultiplied once with
delay: up 10s down 15m multiplier 2 max 1h
The time is
00:00:00and the status of the alarm is CLEAR.
time of event new status delay notification will be sent why 00:00:01 WARNING
00:00:11 first state switch 00:00:05 CLEAR
down 15m x2
00:30:05 the alarm changes state while a notification is delayed, so it was multiplied 00:00:06 WARNING
up 10s x2 x2
00:00:26 multiplied twice 00:00:07 CLEAR
down 15m x2 x2 x2
00:45:07 multiplied 3 times.
Dare multiplied by
Mevery time the alarm changes state (any state, not just their matching one) and a delay is in place.
- All are reset to their defaults when the alarm switches state without a delay in place.
Defines the interval between repeating notifications for the alarms in CRITICAL or WARNING mode. This will override the
default interval settings inherited from health settings in
netdata.conf. The default settings for repeating
default repeat warning = DURATION and
default repeat critical = DURATION which can be found in
health stock configuration, when one of these interval is bigger than 0, Netdata will activate the repeat notification
off: Turns off the repeating feature for the current alarm. This is effective when the default repeat settings has been enabled in health configuration.
warning DURATION: Defines the interval when the alarm is in WARNING state. Use
0sto turn off the repeating notification for WARNING mode.
critical DURATION: Defines the interval when the alarm is in CRITICAL state. Use
0sto turn off the repeating notification for CRITICAL mode.
The only possible value for the
options line is
For some alarms we need compare two time-frames, to detect anomalies. For example,
health.d/httpcheck.conf has an
alarm template called
web_service_slow that compares the average http call response time over the last 3 minutes,
compared to the average over the last hour. It triggers a warning alarm when the average of the last 3 minutes is twice
the average of the last hour. In such cases, it is easy to trigger the alarm, but difficult to tell when the alarm is
cleared. As time passes, the newest window moves into the older, so the average response time of the last hour will keep
increasing. Eventually, the comparison will find the averages in the two time-frames close enough to clear the alarm.
However, the issue was not resolved, it's just a matter of the newer data "polluting" the old. For such alarms, it's a
good idea to tell Netdata to not clear the notification, by using the
Defines the list of labels present on a host. See our host labels guide for an explanation of host labels and how to implement them.
For example, let's suppose that
netdata.conf is configured with the following labels:
And more labels in
netdata.conf for workstations:
By defining labels inside of
netdata.conf, you can now apply labels to alarms. For example, you can add the following
line to any alarms you'd like to apply to hosts that have the label
room = server.
host labels is a space-separated list that accepts simple patterns. For example, you can create an alarm
that will be applied to all hosts installed in the last decade with the following line:
See our simple patterns docs for more examples.
Netdata has an internal infix expression parser. This parses expressions and creates an internal structure that allows fast execution of them.
These operators are supported
Boolean operators result in either
1 (true) or
The conditional evaluation operator
? is supported too. Using this operator IF-THEN-ELSE conditional statements can be
specified. The format is:
(condition) ? (true expression) : (false expression). So, Netdata will first evaluate the
condition and based on the result will either evaluate
true expression or
($this > 0) ? ($avail * 2) : ($used / 2).
Nested such expressions are also supported (i.e.
true expression and
false expression can contain conditional
Expressions also support the
Expressions can have variables. Variables start with
$. Check below for more information.
There are two special values you can use:
nan, for example
$this != nanwill check if the variable
thisis available. A variable can be
nanif the database lookup failed. All calculations (i.e. addition, multiplication, etc) with a
nanresult in a
inf, for example
$this != infwill check if
thisis not infinite. A value or variable can be set to infinite if divided by zero. All calculations (i.e. addition, multiplication, etc) with a
infresult in a
A common (but not necessarily obvious) use of the conditional evaluation operator is to provide hysteresis around the critical or warning thresholds. This usage helps to avoid bogus messages resulting from small variations in the value when it is varying regularly but staying close to the threshold value, without needing to delay sending messages at all.
An example of such usage from the default CPU usage alarms bundled with Netdata is:
The above say:
If the alarm is currently a warning, then the threshold for being considered a warning is 75, otherwise it's 85.
If the alarm is currently critical, then the threshold for being considered critical is 85, otherwise it's 95.
Which in turn, results in the following behavior:
While the value is rising, it will trigger a warning when it exceeds 85, and a critical alert when it exceeds 95.
While the value is falling, it will return to a warning state when it goes below 85, and a normal state when it goes below 75.
If the value is constantly varying between 80 and 90, then it will trigger a warning the first time it goes above 85, but will remain a warning until it goes below 75 (or goes above 85).
If the value is constantly varying between 90 and 100, then it will trigger a critical alert the first time it goes above 95, but will remain a critical alert goes below 85 (at which point it will return to being a warning).
You can find all the variables that can be used for a given chart, using
NODE with the IP address or hostname for your
Agent dashboard. For example, variables for the
system.cpu chart of the
If you don't know how to find the CHART_NAME, you can read about it here.
Netdata supports 3 internal indexes for variables that will be used in health monitoring.
The variables below can be used in both chart alarms and context templates.
alarm_variables link shows you variables for a particular chart, the same variables can also be used in
templates for charts belonging to a given context. The reason is that all charts of a given
context are essentially identical, with the only difference being the family that
identifies a particular hardware or software instance. Charts and templates do not apply to specific families anyway,
unless if you explicitly limit an alarm with the alarm line
chart local variables. All the dimensions of the chart are exposed as local variables. The value of
$thisfor the other configured alarms of the chart also appears, under the name of each configured alarm.
Charts also define a few special variables:
$last_collected_tis the unix timestamp of the last data collection
$collected_total_rawis the sum of all the dimensions (their last collected values)
$update_everyis the update frequency of the chart
$redthe threshold defined in alarms (these are per chart - the charts inherits them from the the first alarm that defined them)
Chart dimensions define their last calculated (i.e. interpolated) value, exactly as shown on the charts, but also a variable with their name and suffix
_rawthat resolves to the last collected value - as collected and another with suffix
_last_collected_tthat resolves to unix timestamp the dimension was last collected (there may be dimensions that fail to be collected while others continue normally).
family variables. Families are used to group charts together. For example all
family = eth0. This index includes all local variables, but if there are overlapping variables, only the first are exposed.
host variables. All the dimensions of all charts, including all alarms, in fullname. Fullname is
CHARTis either the chart id or the chart name (both are supported).
special variables* are:
$this, which is resolved to the value of the current alarm.
$status, which is resolved to the current status of the alarm (the current = the last status, i.e. before the current database lookup and the evaluation of the
calcline). This values can be compared with
$CRITICAL. These values are incremental, ie.
$status > $CLEARworks as expected.
$now, which is resolved to current unix timestamp.
Alarms can have the following statuses:
REMOVED- the alarm has been deleted (this happens when a SIGUSR2 is sent to Netdata to reload health configuration)
UNINITIALIZED- the alarm is not initialized yet
UNDEFINED- the alarm failed to be calculated (i.e. the database lookup failed, a division by zero occurred, etc)
CLEAR- the alarm is not armed / raised (i.e. is OK)
WARNING- the warning expression resulted in true or non-zero
CRITICAL- the critical expression resulted in true or non-zero
The external script will be called for all status changes.
health/health.d/ directory for all alarms shipped with Netdata.
Here are a few examples:
A simple check if an apache server is alive:
The above checks that Netdata is able to collect data from apache. In detail:
The above defines a template named
The name is important since
$apache_last_collected_secs resolves to the
So, try to give something descriptive.
The above applies the template to all charts that have
context = apache.requests
(i.e. all your apache servers).
$nowis a standard variable that resolves to the current timestamp.
$last_collected_tis the last data collection timestamp of the chart. So this calculation gives the number of seconds passed since the last data collection.
The alarm will be evaluated every 10 seconds.
If these result in non-zero or true, they trigger the alarm.
$thisrefers to the value of this alarm (i.e. the result of the
calcline. We could also use
$update_every is the update frequency of the chart, in seconds.
So, the warning condition checks if we have not collected data from apache for 5 iterations and the critical condition checks for 10 iterations.
Check if any of the disks is critically low on disk space:
$avail are the
avail chart dimensions as shown on the dashboard.
calc line finds the percentage of used space.
$this resolves to this percentage.
This is a repeating alarm and if the alarm becomes CRITICAL it repeats the notifications every 10 seconds. It also repeats notifications every 2 minutes if the alarm goes into WARNING mode.
Predict if any disk will run out of space in the near future.
We do this in 2 steps:
Calculate the disk fill rate:
$this is the result of the
lookup line (i.e. the free space 30 minutes
$avail is the current disk free space. So the
calc line will either have a positive
number of GB/second if the disk if filling up, or a negative number of GB/second if the disk is
freeing up space.
There is no
crit lines here. So, this template will just do the calculation and
Predict the hours after which the disk will run out of space:
calc line estimates the time in hours, we will run out of disk space. Of course, only
positive values are interesting for this check, so the warning and critical conditions check
for positive values and that we have enough free space for 48 and 24 hours respectively.
Once this alarm triggers we will receive an email like this:
Check if any network interface is dropping packets:
lookup line will calculate the sum of the all dropped packets in the last 30 minutes.
crit line will issue a critical alarm if even a single packet has been dropped.
Note that the drops chart does not exist if a network interface has never dropped a single packet. When Netdata detects a dropped packet, it will add the chart and it will automatically attach this alarm to it.
Check if user or system dimension is using more than 50% of cpu:
lookup line will calculate the average CPU usage from system and user in the last 3 seconds. Because we have
the foreach in the
lookup line, Netdata will create two independent alarms called
dim_template_user that will have all the other parameters shared among them.
Check if all dimensions are using more than 50% of cpu:
lookup line will calculate the average of CPU usage from system and user in the last 3 seconds. In this case
Netdata will create alarms for all dimensions of the chart.
You can compile Netdata with debugging and then set in
Then check your
/var/log/netdata/debug.log. It will show you how it works. Important: this will generate a lot of
output in debug.log.
You can find the context of charts by looking up the chart in either
NODE with the IP address or hostname for your Agent dashboard.
You can find how Netdata interpreted the expressions by examining the alarm at
http://NODE:19999/api/v1/alarms?all. For each expression, Netdata will return the expression as given in its
config file, and the same expression with additional parentheses added to indicate the evaluation flow of the
It's currently not possible to schedule notifications from within the alarm template. For those scenarios where you need to temporary disable notifications (for instance when running backups triggers a disk alert) you can disable or silence notifications are runtime. The health checks can be controlled at runtime via the health management api.