A new value alert fires when a value that has not been seen before appears in a log field within a time window. Coralogix builds the list of known values while the alert is active and tests each incoming log against it. Use it to detect first-time occurrences, for example a new domain connection in `security.highest_registered_domain` (a possible attack) or a new application `error_code` (a new issue).

## What you need

- Access to Coralogix with permission to create alerts
- A log field whose new values you want to track

## Define the new value alert

To start, go to **Alerts**, then select **Create alert**. The alert creation wizard opens on the Query step. This page covers the parts of the wizard specific to new value alerts. For the shared steps, see the [alert creation wizard](https://coralogix.com/docs/user-guides/alerting/configuring-alert-definition/index.md).

### Query step

1. Select the **New value** alert type.
1. Optionally write a DataPrime or Lucene query and adjust the application, subsystem, and severity filters to limit the logs the alert evaluates. Without a query, the alert evaluates all logs.

### Condition step

Set what the alert watches and how long it remembers values:

- **Key to track**: the log field to monitor for new values, for example a country name or an error code.
- **Notify on new value in the last**: the window over which a value counts as known. A value that has not appeared within this window triggers the alert when it next arrives. You can track a key for up to 3 months.

The alert fires the first time a value appears that is not already in the tracked list for the selected window.

Set routing and naming in the [alert creation wizard](https://coralogix.com/docs/user-guides/alerting/configuring-alert-definition/index.md) Notification and Details steps, then select **Create alert**. The alert becomes active within 15 minutes.

## Alert behavior details

- A new or updated alert becomes active after the configured time window or 7 days, whichever is shorter. This lets Coralogix train on the set of values, capture a baseline, and reduce false notifications.
- The alert tracks up to 50K unique values in the time window. When the list reaches 50K, the alert does not trigger until values are cleared. A value is cleared when its age equals the alert time window, and its first detection after clearing triggers the alert again.
- The first 255 characters are used as the value. Two values that share the same first 255 characters are treated as the same value.
- After the alert triggers, a 5-minute silence period applies. During this time new values are added to the list but do not trigger the alert.
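
The rules above interact in ways that affect detection coverage. The following Python model is an added example, not Coralogix code: `NewValueModel`, `observe` and `replay` are hypothetical names, the events are constructed, and it assumes a value's age is counted from its most recent appearance and that a full list stores nothing.

```python
from dataclasses import dataclass, field

PREFIX = 255                 # only the first 255 characters identify a value
SILENCE_S = 5 * 60           # silence period after a trigger
MAX_LEARN_S = 7 * 24 * 3600  # learning lasts the window or 7 days, whichever is shorter

@dataclass
class NewValueModel:
    window_s: int
    created_at: float = 0.0
    max_values: int = 50_000                  # tracked-list cap from the page
    seen: dict = field(default_factory=dict)  # value -> last time it appeared
    last_fired: float = float("-inf")

    def observe(self, ts, raw):
        """Classify one log: known, list_full, learning, silenced or ALERT."""
        value = raw[:PREFIX]
        # Clear values whose age reached the window (assumption: age = time since last seen).
        for old in [v for v, t in self.seen.items() if ts - t >= self.window_s]:
            del self.seen[old]
        if value in self.seen:
            self.seen[value] = ts
            return "known"
        if len(self.seen) >= self.max_values:
            return "list_full"                # assumption: a full list neither stores nor alerts
        self.seen[value] = ts
        if ts - self.created_at < min(self.window_s, MAX_LEARN_S):
            return "learning"                 # baseline capture, no notification
        if ts - self.last_fired < SILENCE_S:
            return "silenced"                 # stored, so it will not alert later either
        self.last_fired = ts
        return "ALERT"

def replay(events, **kwargs):
    model = NewValueModel(**kwargs)
    return [model.observe(ts, value) for ts, value in events]

# Constructed sample: (seconds since alert creation, field value), replayed with a 1-hour window.
LONG_A, LONG_B = "a" * 255 + "/x", "a" * 255 + "/y"   # differ only after character 255
EVENTS = [
    (60, "example.com"), (3000, "example.com"),        # learning, known
    (4100, "new.example"), (4200, "other.example"),    # ALERT, silenced
    (4300, "other.example"), (5000, LONG_A),           # known, ALERT
    (5400, LONG_B), (9000, "example.com"),             # known (same prefix), ALERT (expired)
]

if __name__ == "__main__":
    for (ts, value), outcome in zip(EVENTS, replay(EVENTS, window_s=3600)):
        print(f"{ts:>5}s {value[:24]:<24} {outcome}")
```

In the replay, `other.example` first arrives during the silence period and is never reported, and the two long values are treated as one because they share their first 255 characters.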

## Related resources

- [Configure alert definition](https://coralogix.com/docs/user-guides/alerting/configuring-alert-definition/)
- [Notification Center](https://coralogix.com/docs/user-guides/notification-center/introduction/)
- [Cases](https://coralogix.com/docs/user-guides/cases/overview/)
- [Incidents](https://coralogix.com/docs/user-guides/alerting/incidents/)

## Next steps

Compare two log queries and alert on their ratio with [Ratio alerts](https://coralogix.com/docs/user-guides/alerting/create-an-alert/logs/ratio-alerts/index.md).
