diff --git a/docs/alerts/monitors/create-monitor.md b/docs/alerts/monitors/create-monitor.md index 693ec31040..f2e8f703a1 100644 --- a/docs/alerts/monitors/create-monitor.md +++ b/docs/alerts/monitors/create-monitor.md @@ -108,7 +108,11 @@ Lets you detect an unusual change or a spike in a time series of a key indicator ### Query -In the next step, you'll need to provide a logs or metrics query. +:::tip +For guidance on optimizing scan costs when using Flex Pricing, refer to the [FAQ on optimizing scan costs for monitors](/docs/alerts/monitors/monitor-faq/#how-can-i-optimize-scan-costs-for-monitors-when-using-flex-pricing). +::: + +In this step, you'll need to provide a logs or metrics query. :::note logs and metrics monitors only No need to enter a query for **SLO** monitors. diff --git a/docs/alerts/monitors/monitor-faq.md b/docs/alerts/monitors/monitor-faq.md index a4b4be71ba..6e34ecc451 100644 --- a/docs/alerts/monitors/monitor-faq.md +++ b/docs/alerts/monitors/monitor-faq.md @@ -6,6 +6,15 @@ description: Frequently asked questions about Sumo Logic monitors. import AlertsTimeslice from '../../reuse/alerts-timeslice.md'; +## How can I optimize scan costs for monitors when using Flex Pricing? + +To optimize scan costs for monitors under [Flex Pricing](/docs/manage/partitions/flex), consider the following factors: + +- **Data scanned by the query**. This is the primary driver of cost and is incurred every time the monitor is evaluated. To reduce costs, optimize your query using [default scope](/docs/manage/partitions/flex/faq/#how-can-i-optimize-my-query-using-default-scope) to include only necessary partitions and minimize the amount of data scanned. +- **Time range of the monitor query**. For static monitors, adjust the detection window under [Trigger Type](/docs/alerts/monitors/create-monitor/#step-1-set-trigger-conditions) (for example, `"Alert when result is _____ within minutes"`) to use a shorter time range, which reduces the amount of data scanned. For outlier monitors, reduce the **datapoints** parameter under **Trigger Type** to lower the scanned bytes. + +By carefully configuring these elements, you can balance scan costs with monitoring requirements. + ## Can I convert my existing Scheduled Search to a monitor? Yes, however, it's a manualĀ process. You have to create a new monitor with the appropriate query and alerting condition based on your existing Scheduled Search. See the [differences between monitors and Scheduled Searches](/docs/alerts/difference-from-scheduled-searches) before you consider converting.