ndeslandes

Reputation: 195

How to retrieve the current state of an Alert in Azure using PowerShell

I'm writing a PowerShell runbook that will scale up a VM ScaleSet until an Application Insights alert is resolved.

To do this, I need to query the status of the alert in my PowerShell script, i.e. know if an alert has been triggered or resolved.

I have tried to use Get-AzureRmAlertRule and Get-AzureRmAlertHistory, but these only give me, respectively, the disabled/enabled state of the alert rule, or the actions that were performed on the rule itself (i.e. updating the rule, or deleting the alert, etc.).

Is there any way to simply know if an alert is currently being triggered or resolved?

Upvotes: 0

Views: 1537

Answers (1)

NewbZer0

Reputation: 11

So I'm actively working through this issue too and thought I would share what I found.

The following was pulled from Microsoft documentation:

The Get-AzureRmAlertHistory cmdlet gets the history of alerts as they are enabled, disabled, fired, resolved, and so on.

While messing around with this command, I found that if you don't give it any parameters, it will only return history for the current day; however, when you use the -StartTime and -EndTime parameters you can obtain details of alerts from further in the past.

While this doesn't give you the current status of an alert in a single command, you can throw together some logic that will grab the latest alert within a given time range and check the status there.

For my purposes, this code will check the status of a sibling alert from within a runbook that was called from the alert webhook, so I can gather the time ranges based on the data provided in the webhook. I know this isn't a perfect solution for all cases, but at least it could be used as a starting point.

Note: The version of the AzureRM.Insights module I'm working with is 3.2.1; behavior may differ depending on the version of this module you're using.

Update:

As I continued to work on the code, I found that there are some issues with filtering with the -ResourceId parameter. When you provide the ResourceId for the alert that you want to find history on, it won't return any result. From what I can tell, the ResourceId isn't populated when the alert objects are returned when using the Get-AzureRmAlertHistory cmdlet with just the -ResourceId parameter. I did manage to find two ways to get this to work though.

  1. Pass the -DetailedOutput parameter in before the -ResourceId parameter. It turns out that the ResourceId is populated in the DetailedOutput and can be matched there; however, if you pass the -ResourceId in first, the cmdlet acts as though it evaluates that first prior to bringing back the detailed output.

    Get-AzureRmAlertHistory -StartTime 2018-01-16 -EndTime 2018-01-17 -DetailedOutput -ResourceId $AlertResourceID

  2. The property CorrelationId contains within it the ResourceId. Using the Where-Object syntax, you can match on your ResourceId using Regex.

    Get-AzureRmAlertHistory -StartTime 2018-01-16 -EndTime 2018-01-17 | Where-Object {$_.CorrelationId -Match "$AlertResourceID/incidents/.*"}

Now that you have the records you want, you can use a simple Sort-Object on the -EventTimestamp property and assign the results to a variable. Then if you reference the -1 index of the variable you assigned your results to, it should give you the latest alert instance along with the alert Status.

    $AlertHistory = Get-AzureRmAlertHistory -StartTime 2018-01-16 -EndTime 2018-01-17 | Where-Object {$_.CorrelationId -Match "$AlertResourceID/incidents/.*"} | Sort-Object -Property EventTimestamp;

    $AlertHistory[-1];

Upvotes: 1
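An added example (not part of the answer above or of Microsoft's documentation): the filter-and-sort approach wrapped in a function that escapes the resource ID before using it as a regex and returns nothing when the time window holds no matching record. The function name `Get-LatestAlertRecord`, the sample records and their `Status` strings are constructed for illustration; the code assumes the `CorrelationId`, `EventTimestamp` and `Status` properties described in the answer.

```powershell
# Added example. Assumes history records expose CorrelationId, EventTimestamp
# and Status, as described in the answer. The function name is hypothetical.
function Get-LatestAlertRecord {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $History,
        [Parameter(Mandatory)] [string] $AlertResourceId
    )
    # Escape the ID so characters such as '.' are matched literally and a
    # crafted or malformed ID cannot change what the pattern matches.
    $pattern = [regex]::Escape($AlertResourceId) + '/incidents/'
    $History |
        Where-Object { $_.CorrelationId -match $pattern } |
        Sort-Object -Property EventTimestamp |
        Select-Object -Last 1   # yields nothing (not an error) if no match
}

# Constructed sample data so the example runs offline. In a runbook, pass
# @(Get-AzureRmAlertHistory -StartTime $start -EndTime $end) instead.
$base = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/microsoft.insights/alertrules'
$id   = "$base/cpu-high"
$sample = @(
    [pscustomobject]@{ CorrelationId  = "$id/incidents/constructed-1"
                       EventTimestamp = [datetime]'2018-01-16T10:05:00'
                       Status         = 'Activated' }   # constructed value
    [pscustomobject]@{ CorrelationId  = "$base/mem-high/incidents/constructed-2"
                       EventTimestamp = [datetime]'2018-01-16T11:00:00'
                       Status         = 'Activated' }   # different alert, filtered out
    [pscustomobject]@{ CorrelationId  = "$id/incidents/constructed-1"
                       EventTimestamp = [datetime]'2018-01-16T10:40:00'
                       Status         = 'Resolved' }    # constructed value
)

$latest = Get-LatestAlertRecord -History $sample -AlertResourceId $id
if ($null -eq $latest) {
    'No alert history for this rule in the queried window'
} else {
    '{0} at {1:u}' -f $latest.Status, $latest.EventTimestamp
}

# An empty window must not throw:
$none = Get-LatestAlertRecord -History @() -AlertResourceId $id
if ($null -eq $none) { 'Empty history handled' }
```

Check the `Status` strings against real cmdlet output for your module version before branching on them.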
