A ratio alert divides the count of one log query by the count of another and fires when the resulting ratio crosses a threshold. Use it to track proportions rather than raw counts, for example error code 504 responses as a share of all responses, denied requests as a share of all requests, or traffic from one region as a share of total traffic.

## What you need

- Access to Coralogix with permission to create alerts
- Two log queries whose ratio you want to monitor

## Define the ratio alert

To start, go to **Alerts**, then select **Create alert**. The alert creation wizard opens on the Query step. This page covers the parts of the wizard specific to ratio alerts. For the shared steps, see the [alert creation wizard](https://coralogix.com/docs/user-guides/alerting/configuring-alert-definition/index.md).

### Query step

1. Select the **Ratio** alert type.
1. Define **Query 1** (the numerator) and **Query 2** (the denominator). For each query, write a DataPrime or Lucene query, give it an alias that appears in notifications, and narrow it with application, subsystem, or severity filters.

The ratio is the count from Query 1 divided by the count from Query 2 over the evaluation window.

#### Query examples

- Error rate: Query 1 `status:504`, Query 2 `_exists_:status`. The ratio of 504 responses to all responses. A higher-than-usual ratio can indicate operational issues.
- Restricted traffic: Query 1 `NOT client_addr:/172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/`, Query 2 `_exists_:client_addr`. The ratio of traffic outside the allowed range to all traffic. An abnormal ratio can indicate an attack.
- Failed requests: Query 1 `request_status:success`, Query 2 `response_status:rejectrequest`. The proportion of requests that were not answered successfully.

### Condition step

Set the trigger logic for the ratio:

- **Threshold**: alert when the ratio of Query 1 to Query 2 is more than or less than the value you set over the time window.
- **Group by**: evaluate the ratio separately for each combination of label values, for example per `region` or per `pod_name`. Only logs that contain all selected fields are counted.
- **Trigger on infinity**: select whether to alert when Query 2 returns 0. When the denominator is 0, the ratio is infinite.

Set routing and naming in the [alert creation wizard](https://coralogix.com/docs/user-guides/alerting/configuring-alert-definition/index.md) Notification and Details steps, then select **Create alert**. The alert becomes active within 15 minutes.

## Related resources

[Configure alert definition](https://coralogix.com/docs/user-guides/alerting/configuring-alert-definition/) [Notification Center](https://coralogix.com/docs/user-guides/notification-center/introduction/) [Cases](https://coralogix.com/docs/user-guides/cases/overview/) [Incidents](https://coralogix.com/docs/user-guides/alerting/incidents/)

## Next steps

Set up volume-based alerting for your logs with [Threshold alerts](https://coralogix.com/docs/user-guides/alerting/create-an-alert/logs/threshold-alerts/index.md).
