Dry-run
Replay a Watchdog rule against the past 24 hours of logs to see how often it would have fired before enabling it
Always dry-run before enabling. Watchdog rules can be subtle — a threshold that feels right can fire 100 times a day, or zero. The dry-run replays the rule against historical logs and shows the result.
How to run one
In the rule editor, click Dry-run (top-right of the rule form). Watchdog evaluates the rule against the last 24 hours of logs from the source you've configured. Results appear in a few seconds.
What it returns
| Field | Notes |
|---|---|
| Hypothetical firings | How many times the rule would have fired in the last 24 hours, given your current thresholds |
| Sample log lines | Up to 10 lines that triggered the firings — useful for sanity-checking pattern matches |
| Hourly distribution | Mini chart showing when firings clustered |
| Estimated cost (if auto-analyze) | Projected monthly consumption of analyses, based on the hypothetical fire rate |
How to read it
| Hypothetical firings (24h) | Verdict |
|---|---|
| 0 | The rule is too tight, or there's nothing matching — verify your thresholds aren't accidentally unreachable |
| 1–3 | Likely a real signal worth alerting on |
| 4–10 | Tunable — probably good for notify_only, may be too noisy for auto_analyze |
| 10+ | Almost certainly noise. Tighten thresholds, narrow the lookback, or rewrite the regex |
Iterating
Adjust thresholds in the editor and re-run the dry-run. Common iterations:
Too noisy
Increase the count threshold, raise the rate floor, or extend the lookback window. For pattern matches, narrow the regex.
Too quiet
Lower the count threshold, drop the min-error-count guard, or shorten the lookback. For spike detection, lower the multiplier.
Pattern matches the wrong lines
Look at the sample log lines. Refine the regex to be more specific, e.g., OutOfMemoryError instead of just Memory.
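To see why narrowing the regex changes the verdict, the following added example (not Watchdog's own code) replays a pattern rule over 24 hours of constructed log lines and returns the same fields the dry-run reports. The function names, the count-in-window firing semantics, and the sample log lines are assumptions made for illustration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

def dry_run(logs, pattern, count_threshold, lookback_minutes):
    """Replay a pattern rule over (timestamp, message) pairs.

    Assumed semantics, not Watchdog's own: fire once count_threshold matches
    land inside the lookback window, then start counting again from zero.
    """
    rx, lookback = re.compile(pattern), timedelta(minutes=lookback_minutes)
    window, firings, samples, hourly = deque(), 0, [], Counter()
    for ts, msg in sorted(logs):
        if not rx.search(msg):
            continue
        window.append(ts)
        while ts - window[0] > lookback:   # drop matches older than the lookback
            window.popleft()
        if len(window) >= count_threshold:
            firings += 1
            hourly[ts.hour] += 1
            if len(samples) < 10:          # the page caps samples at 10 lines
                samples.append(msg)
            window.clear()
    return {"firings": firings, "samples": samples, "hourly": dict(hourly)}

def verdict(firings):
    """Bands from the 'How to read it' table; exactly 10 is treated as tunable."""
    if firings == 0:
        return "too tight or nothing matching"
    if firings <= 3:
        return "likely a real signal"
    if firings <= 10:
        return "tunable"
    return "almost certainly noise"

# Constructed 24 hours of sample logs: a routine INFO line every 5 minutes
# plus two short bursts of genuine OutOfMemoryError lines.
BASE = datetime(2024, 1, 2)
LOGS = [(BASE + timedelta(minutes=m), "INFO Memory usage at 61%")
        for m in range(0, 24 * 60, 5)]
for hour in (3, 15):
    LOGS += [(BASE + timedelta(hours=hour, minutes=32, seconds=10 * s),
              "ERROR java.lang.OutOfMemoryError: Java heap space") for s in range(3)]

if __name__ == "__main__":
    for pattern in ("Memory", "OutOfMemoryError"):
        result = dry_run(LOGS, pattern, count_threshold=3, lookback_minutes=10)
        print(pattern, result["firings"], verdict(result["firings"]), result["hourly"])
```

With the broad pattern the sample lines are all routine INFO messages, which is the cue to tighten the regex rather than raise the threshold.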
Caveats
- Dry-runs use the same log source the live rule will use, so they count against your log source's API quota (small, but not free).
- The 24-hour window is a snapshot; weekend traffic or end-of-month spikes won't appear in a Tuesday morning dry-run.
- Dry-runs don't post to channels or run analyses — they're entirely read-only.
After a successful dry-run, the rule is still disabled by default. Toggle the Enabled switch to put it live.
