achahbar

Reputation: 1001

Is there an ARM template solution to create OMS alerts for Log Analytics?

I am trying to create an OMS workspace with alerts attached to it through ARM templates. I already created an OMS workspace, and for the alert part I followed the following tutorial. After some struggle over why my alert wouldn't deploy, I saw the following note in the comments of the same tutorial.

The "Action" scheme has been changed and additionally the alerts are in the Azure Monitor:) Here is link.

When I tried to read the documentation and get any smarter, I just got stuck in an endless loop of reference links:

The link provided in the tutorial said that beginning May 14, 2018, all alerts in an Azure public cloud instance of Log Analytics workspace began to extend into Azure. After some time I found the following link, where I thought I had finally found how the new alert would be explained. But this is for Application Insights, not for Log Analytics.

To my question then: is there someone who can help me find out how the new alert scheme works, or guide me in the right direction?

Upvotes: 0

Views: 369

Answers (1)

4c74356b41

Reputation: 72211

I'm not an OMS expert, but this is what we've been using:

{
    "apiVersion": "2017-03-15-preview",
    "name": "[concat(variables('namespace'), '/', variables('savedSearches').Search[copyIndex()].Name)]",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
    "copy": {
        "name": "SavedSearchCopy",
        "count": "[length(variables('savedSearches').Search)]"
    },
    "dependsOn": [
        "[concat('Microsoft.OperationalInsights/workspaces/', variables('namespace'))]",
        "ActionGroupCopy"
    ],
    "properties": {
        "category": "Alerts",
        "displayName": "[variables('savedSearches').Search[copyIndex()].DisplayName]",
        "query": "[variables('savedSearches').Search[copyIndex()].Query]"
    }
},
{
    "name": "[tolower(concat(variables('namespace'), '/', variables('savedSearches').Search[copyIndex()].Name, '/',  variables('savedSearches').Search[copyIndex()].Schedule.Name))]",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules",
    "apiVersion": "2017-03-03-preview",
    "copy": {
        "name": "ScheduleCopy",
        "count": "[length(variables('savedSearches').Search)]"
    },
    "dependsOn": [
        "SavedSearchCopy"
    ],
    "properties": {
        "interval": "5",
        "queryTimeSpan": "10",
        "enabled": true
    }
},
{
    "name": "[tolower(concat(variables('namespace'), '/', variables('savedSearches').Search[copyIndex()].Name, '/',  variables('savedSearches').Search[copyIndex()].Schedule.Name, '/', variables('savedSearches').Search[copyIndex()].Alert.Name, '-', if(contains(variables('savedSearches').Search[copyIndex()].Alert, 'MetricsTrigger'), 'Total', 'Consecutive')))]",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
    "copy": {
        "name": "ActionCopy",
        "count": "[length(variables('savedSearches').Search)]"
    },
    "apiVersion": "2017-03-15-preview",
    "dependsOn": [
        "SavedSearchCopy",
        "ScheduleCopy"
    ],
    "properties": {
        "Type": "Alert",
        "Name": "[variables('savedSearches').Search[copyIndex()].Alert.Name]",
        "Description": "[variables('savedSearches').Search[copyIndex()].Alert.Description]",
        "Severity": "warning",
        "Threshold": "[variables('savedSearches').Search[copyIndex()].Alert.Threshold]",
        "Throttling": {
            "DurationInMinutes": 60
        },
        "AzNsNotification": {
            "GroupIds": [
                "[resourceId('microsoft.insights/actionGroups', 'xxx')]"
            ]
        }
    }
},
{
    "type": "Microsoft.Insights/actionGroups",
    "apiVersion": "2018-03-01",
    "name": "[variables('actionGroups')[copyIndex()].Name]",
    "copy": {
        "name": "ActionGroupCopy",
        "count": "[length(variables('actionGroups'))]"
    },
    "location": "Global",
    "properties": {
        "groupShortName": "[variables('actionGroups')[copyIndex()].Name]",
        "enabled": true,
        "emailReceivers": [
            {
                "name": "[variables('actionGroups')[copyIndex()].EmailName]",
                "emailAddress": "[variables('actionGroups')[copyIndex()].EmailAddress]"
            }
        ]
    }
},

Here is a sample saved search variable which we use to map everything:

"savedSearches": {
    "Search": [
        {
            "Name": "HighCPU",
            "DisplayName": "CPU Above 90%",
            "Query": "Perf | where CounterName == \"% Processor Time\" and InstanceName ==\"_Total\" | summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 1m)",
            "Schedule": {
                "Name": "HighCPUSchedule"
            },
            "Alert": {
                "Name": "HighCPUAlert",
                "Description": "Alert for High CPU",
                "Threshold": {
                    "Operator": "gt",
                    "Value": 90,
                    "MetricsTrigger": {
                        "Value": 2,
                        "Operator": "gt",
                        "TriggerCondition": "Consecutive"
                    }
                }
            }
        },
        ...
    ]
}

Upvotes: 1
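An added example, not part of the answer above and not the answerer's code: a pre-deployment check in Python that verifies each `savedSearches` entry has every key the template dereferences, and renders the resource names the three copy loops would produce. The workspace name `MyWorkspace` and the helper names are assumptions made for illustration; the sample entry is a constructed copy of the one in the answer with the query shortened.

```python
# Added example: mirrors the name expressions of the ARM template in the answer.
# NAMESPACE is a constructed placeholder for variables('namespace').
NAMESPACE = "MyWorkspace"

# Constructed copy of the sample 'savedSearches' variable (query shortened).
SAVED_SEARCHES = {"Search": [{
    "Name": "HighCPU",
    "DisplayName": "CPU Above 90%",
    "Query": "Perf | where CounterName == \"% Processor Time\"",
    "Schedule": {"Name": "HighCPUSchedule"},
    "Alert": {
        "Name": "HighCPUAlert",
        "Description": "Alert for High CPU",
        "Threshold": {"Operator": "gt", "Value": 90,
                      "MetricsTrigger": {"Value": 2, "Operator": "gt",
                                         "TriggerCondition": "Consecutive"}},
    },
}]}

# Every path the template reads from each entry via copyIndex().
REQUIRED = [("Name",), ("DisplayName",), ("Query",), ("Schedule", "Name"),
            ("Alert", "Name"), ("Alert", "Description"), ("Alert", "Threshold")]

def missing_paths(search):
    """Return dotted paths the template reads but the entry lacks."""
    missing = []
    for path in REQUIRED:
        node = search
        for key in path:
            if not isinstance(node, dict) or key not in node:
                missing.append(".".join(path))
                break
            node = node[key]
    return missing

def expand_names(namespace, search):
    """Resource names as the three copy loops would render them."""
    alert = search["Alert"]
    # ARM contains() on an object tests the top-level keys of Alert only.
    suffix = "Total" if "MetricsTrigger" in alert else "Consecutive"
    saved = f"{namespace}/{search['Name']}"
    schedule = f"{saved}/{search['Schedule']['Name']}".lower()
    action = f"{saved}/{search['Schedule']['Name']}/{alert['Name']}-{suffix}".lower()
    return {"savedSearch": saved, "schedule": schedule, "action": action}

if __name__ == "__main__":
    for s in SAVED_SEARCHES["Search"]:
        print(missing_paths(s) or expand_names(NAMESPACE, s))
```

With the sample entry, `MetricsTrigger` sits under `Threshold` rather than directly under `Alert`, so the `contains()` test in the action name is false and the suffix rendered is `consecutive`.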
