Reputation: 31
I am designing a monitoring solution for a project and would like to create some alert rules for certain resources (for example application insights).
If I'd like to set up a log search alert, I need to define a specific query and tell the alert what to do.
However, I have not written a log query alert before and do not know how I could set that up. Currently, I have written an example for a log search in Bicep:
@description('Name of the scheduled query alert rule.')
param appInsightsLogRuleName string

@description('Location of the resource.')
param location string

@description('Log Analytics workspace ID to associate with your Application Insights resource.')
param workspaceId string

@description('Resource ID of the action group to notify.')
param actiongroups_team_blue string

@allowed([
  0
  1
  2
  3
  4
])
@description('Severity of the alert.')
param severity int = 2

resource appInsightsLogRule 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
  name: appInsightsLogRuleName
  location: location
  properties: {
    displayName: appInsightsLogRuleName
    severity: severity
    enabled: true
    evaluationFrequency: 'PT5M' // how often the query is run
    scopes: [
      workspaceId
    ]
    targetResourceTypes: [
      'Microsoft.Insights/components'
    ]
    windowSize: 'PT5M' // time range each evaluation looks back over
    criteria: {
      allOf: [
        {
          query: 'tbd.' // KQL query still to be written
          timeAggregation: 'Count'
          dimensions: []
          operator: 'GreaterThan'
          threshold: 0
          failingPeriods: {
            // minFailingPeriodsToAlert must not exceed numberOfEvaluationPeriods
            numberOfEvaluationPeriods: 3
            minFailingPeriodsToAlert: 3
          }
        }
      ]
    }
    autoMitigate: true
    actions: {
      actionGroups: [
        actiongroups_team_blue
      ]
    }
  }
}
The query is currently still empty, as I don't know how I could fill this one.
Could someone maybe please share samples or queries for a useful scenario (for example Application Insights, Network Watcher, Sentinel, etc.) for a scheduledQueryAlert or general alert rule? Thank you very much!
Upvotes: 0
Views: 1258
Reputation: 8018
First of all, check the parameter.json file to avoid these kinds of empty output issues, and check whether the given query is valid.
Referring to the MS docs, I tried to create a sample scheduled log alert for a Log Analytics workspace resource and verified that it was sent to the given email address. It worked and was successfully deployed as follows.
@description('Log Analytics workspace Resource ID.')
param sourceId string = ''

@description('Location of the alert rule.')
param location string = ''

@description('Resource ID of the action group to notify.')
param actionGroupId string = ''

resource logQueryAlert 'Microsoft.Insights/scheduledQueryRules@2018-04-16' = {
  name: 'xxxxx log query alert'
  location: location
  properties: {
    description: 'This is a sample alert'
    enabled: 'true'
    source: {
      // query as per the requirement
      query: 'Event | where EventLevelName == "warning" | summarize count() by Computer'
      dataSourceId: sourceId
      queryType: 'ResultCount'
    }
    schedule: {
      frequencyInMinutes: 15 // how often the query runs
      timeWindowInMinutes: 60 // look-back window for each run
    }
    action: {
      'odata.type': 'Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction'
      severity: '4'
      aznsAction: {
        actionGroup: array(actionGroupId)
        emailSubject: 'xxxx Log Alert mail subject'
        customWebhookPayload: '{ "alertname":"#samplealertrulename", "IncludeSearchResults":true }'
      }
      trigger: {
        // fire when the query returns more than one row
        thresholdOperator: 'GreaterThan'
        threshold: 1
      }
    }
  }
}
Screenshots (not reproduced here): deployment succeeded, the rule in the Azure Portal, the log query alert, and the mail triggered successfully.
Upvotes: 0
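As an added example (not code from either post), the question's 2022-06-15 template with a concrete query filled in: it notifies an action group when one client address produces more than 50 HTTP 401/403 responses within 15 minutes against a workspace-based Application Insights resource, a common sign of credential stuffing or token probing worth a human look. The `workspaceId` and `actionGroupId` parameters, the rule name, the threshold and the KQL are assumptions; the `AppRequests` columns used are the standard workspace schema.

```bicep
@description('Resource ID of the Log Analytics workspace the Application Insights resource writes to.')
param workspaceId string

@description('Resource ID of the action group to notify (assumed: the security on-call group).')
param actionGroupId string

param location string = resourceGroup().location

// Constructed query: 401/403 responses per client address over the evaluation window.
// ClientIP is reported as 0.0.0.0 unless IP masking has been disabled on the component.
var failedAuthQuery = '''
AppRequests
| where ResultCode in ("401", "403")
| summarize FailedAuth = count() by ClientIP
'''

resource failedAuthAlert 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
  name: 'appinsights-auth-failures'
  location: location
  kind: 'LogAlert'
  properties: {
    displayName: 'Burst of 401/403 responses from a single client'
    severity: 2
    enabled: true
    evaluationFrequency: 'PT5M' // run every 5 minutes
    windowSize: 'PT15M' // each run looks back 15 minutes
    scopes: [ workspaceId ]
    targetResourceTypes: [ 'Microsoft.OperationalInsights/workspaces' ]
    criteria: {
      allOf: [
        {
          query: failedAuthQuery
          timeAggregation: 'Total' // sum the FailedAuth column per dimension
          metricMeasureColumn: 'FailedAuth'
          dimensions: [
            { name: 'ClientIP', operator: 'Include', values: [ '*' ] } // one alert per offending address
          ]
          operator: 'GreaterThan'
          threshold: 50
          failingPeriods: { numberOfEvaluationPeriods: 1, minFailingPeriodsToAlert: 1 }
        }
      ]
    }
    autoMitigate: true // resolve the alert automatically once the condition clears
    actions: { actionGroups: [ actionGroupId ] }
  }
}
```

Deploy with `az deployment group create --template-file <file>.bicep --parameters workspaceId=<workspace resource id> actionGroupId=<action group resource id>`; the same criteria block works for other tables (for example `SigninLogs` in a Sentinel workspace) by changing the query and `metricMeasureColumn`.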