Snowflake Alerting and Notifications
Snowflake provides built-in alerting capabilities through ALERT objects, enabling proactive monitoring and automated responses to data and system conditions.
What is Alerting?
- Evaluates SQL conditions on a schedule
- Sends notifications via email, Slack, or webhooks
- Supports complex AND/OR logic for multi-condition alerts
Architecture Overview
The alerting and notifications architecture flows through three stages:
- Data Sources β Query Results, Table Data, Metrics, Logs, System Status
- Alert Engine β Condition evaluation, threshold checks, pattern detection, rate limiting, state management
- Notification Channels β Email, Slack, Webhook, Teams
Alert Categories
| Category | Examples |
|---|---|
| Data Quality | Null rate, schema drift, freshness lag, volume anomalies |
| Performance | Query duration, queue wait time, spillage, credit consumption |
| Security | Failed logins, privilege escalation, unusual access patterns |
| Operational | Task failures, pipeline delays, stage issues |
Alert Creation
Basic Alert
-- Create alert for data quality
CREATE OR REPLACE ALERT data_quality_alert
WAREHOUSE = compute_wh
SCHEDULE = '5 MINUTE'
IF (SELECT COUNT(*) FROM my_table WHERE column_name IS NULL) > 100
THEN
CALL SYSTEM$SEND_EMAIL(
'my_integration',
'admin@company.com',
'Data Quality Alert',
'More than 100 null values detected in my_table.column_name'
);
END IF;
Complex Alert with Multiple Conditions
CREATE OR REPLACE ALERT comprehensive_alert
WAREHOUSE = compute_wh
SCHEDULE = '10 MINUTE'
AS
BEGIN
-- Check multiple conditions
LET null_count := (SELECT COUNT(*) FROM customer_data WHERE email IS NULL);
LET stale_count := (SELECT COUNT(*) FROM metrics WHERE updated_at < DATEADD(day, -1, CURRENT_TIMESTAMP()));
LET error_rate := (SELECT COUNT(*) FROM logs WHERE level = 'ERROR') / COUNT(*);
-- Alert if any condition met
IF (:null_count > 50 OR :stale_count > 1000 OR :error_rate > 0.05) THEN
CALL SYSTEM$SEND_SLACK_MESSAGE(
'my_slack_integration',
'#data-alerts',
'β οΈ Data Quality Alert\n' ||
'Null emails: ' || :null_count || '\n' ||
'Stale records: ' || :stale_count || '\n' ||
'Error rate: ' || ROUND(:error_rate * 100, 2) || '%'
);
END IF;
END;
Notification Integrations
Email Integration
CREATE OR REPLACE NOTIFICATION INTEGRATION email_integration
TYPE = QUEUE
NOTIFICATION_PROVIDER = AWS_SNS
DIRECTION = OUTBOUND
AWS_SNS_TOPIC_ARN = 'arn:aws:sns:us-east-1:123456789:my-topic'
AWS_SNS_ROLE_ARN = 'arn:aws:iam::123456789:role/snowflake-sns-role';
Slack Integration
CREATE OR REPLACE NOTIFICATION INTEGRATION slack_integration
TYPE = QUEUE
NOTIFICATION_PROVIDER = AWS_SNS
DIRECTION = OUTBOUND
AWS_SNS_TOPIC_ARN = 'arn:aws:sns:us-east-1:123456789:slack-topic';
Alert Monitoring
-- View alert history
SELECT
alert_name,
alert_condition,
last_triggered,
last_action,
state
FROM TABLE(INFORMATION_SCHEMA.ALERT_HISTORY(
START_TIME => DATEADD(day, -7, CURRENT_TIMESTAMP())
))
ORDER BY last_triggered DESC;
-- Alert performance
SELECT
alert_name,
COUNT(*) as trigger_count,
AVG(execution_time_ms) as avg_execution_ms,
MAX(last_triggered) as most_recent
FROM TABLE(INFORMATION_SCHEMA.ALERT_HISTORY(
START_TIME => DATEADD(day, -30, CURRENT_TIMESTAMP())
))
GROUP BY 1
ORDER BY trigger_count DESC;
Alerts use warehouse compute time. Optimize alert queries to minimize cost. Consider using STABLE results for deterministic conditions to reduce execution frequency.
Alert Patterns
| Pattern | Use Case | Frequency |
|---|---|---|
| Threshold | Data volume, null rate | 5-15 min |
| Anomaly | Sudden spikes, drops | Hourly |
| SLA Breach | Query duration, freshness | Near real-time |
| Cumulative | Error count, cost | Daily |
| Windowed | Rolling averages | Custom |
- Alerts evaluate SQL conditions on a schedule
- Multiple notification channels: email, Slack, webhooks
- Alert history tracks triggers and execution metrics
- Complex conditions support AND/OR logic
- Alerts use warehouse compute - optimize queries for cost