Rules
Overview
Rules in Sift define logical conditions used to automatically evaluate telemetry data from one or more Channels during a Run. Built using the Common Expression Language (CEL), Rules enable users to identify behaviors, anomalies, or thresholds in live or historical data streams.
Rules support both real-time and retrospective evaluations. They are continuously evaluated as data is received from Assets, and can also be re-evaluated on historical data when a specific Run is selected. This allows Rules to drive analysis, diagnostics, and automation at scale.
Sift provides a rich set of built-in functions to define complex logic within Rules, enabling users to model sophisticated behaviors and system checks. In addition to built-in functions, users can also create and leverage User-defined Functions to encapsulate reusable logic, improve readability, and ensure consistency across their Rules and Calculated Channels.
Additionally, Rules can generate Annotations or send notifications when their logical condition evaluates to true, helping users capture important events and trigger downstream workflows automatically.
Each Rule benefits from versioning, allowing teams to track changes over time, maintain historical accuracy, and iterate safely as monitoring requirements evolve. Rules also support previews, enabling users to test their expressions against existing Run data before applying them to live or future telemetry streams, reducing risk and ensuring higher confidence in production rule behavior.
Rules can be created, previewed, and managed either through the intuitive Sift UI or programmatically using the Sift API. This flexibility empowers teams to seamlessly integrate rule management into their workflows, whether through manual configuration or automated deployment pipelines.
Rule configuration modes
While all Rules in Sift share the same structure and evaluation engine, they can be configured to behave differently depending on how they're created. These configurations are commonly referred to as internal Rules and external Rules. Each mode affects how a Rule is evaluated, managed, and integrated into workflows.
Internal Rules
Internal Rules in Sift are created and managed directly through the Sift UI or API and are fully visible in the Rules tab of the Sift web application. These Rules can be edited, previewed, versioned, and managed over time, providing a persistent and flexible framework for ongoing telemetry monitoring, automated diagnostics, and data quality checks across Runs and Assets. When evaluated during a Run, internal Rules can generate Annotations and populate Reports, enabling teams to standardize analysis workflows and surface insights consistently across their datasets. Internal Rules are ideal when teams need reusable, centrally managed logic embedded directly into their telemetry observability workflows.
External Rules
External Rules in Sift are designed for programmatic, ad hoc usage, typically within automated workflows such as CI/CD pipelines. External Rules are created using the Sift API by calling the BatchUpdateRules endpoint with the isExternal flag set to true. Unlike internal Rules, external Rules are not visible in the Rules tab of the Sift web application and cannot be edited once created. They exist to allow flexible, dynamic evaluation of logic without permanently altering the set of Rules managed through the UI.
Reports that involve external Rules still display the external Rule's logic, and any Annotations generated by their evaluation are accessible through the Annotations tab and Explore views. To preview an external Rule before committing results, users can simulate its evaluation using the EvaluateRulesPreview endpoint, which previews the Annotations that would be generated without saving them. To apply an external Rule and create persistent Annotations and a Report, users can use the EvaluateRules endpoint.
External Rules provide flexibility for scenarios where teams need to evaluate custom logic on demand without managing those Rules permanently inside the Sift UI.