Forum Discussion

CampbellT's avatar
CampbellT
Copper Contributor
Oct 31, 2019
Solved

Alert from an HDInsight Query

Hi,    Firstly, apologies for what I'm sure is a really simple question!!   I'm trying to alert on CRITICAL events on our Production HDInsight instance. I've created the Kusto query below, that p...
azure monitor
Query Language
  • Stanislav_Zhelyazkov's avatar
    Stanislav_Zhelyazkov
    Oct 31, 2019

    HiCampbellT 

    I have a series of blog posts that focus on Azure Monitor Alerts. The blog post about Log Analytics alerts is here:

    https://cloudadministrator.net/2019/10/07/azure-monitor-alert-series-part-7/

    You can check it out as there I am explaining some concepts including using metric measurement alerts sub-type for event based log which seems to be your case.

    The query for your alert will probably look like this:

    metrics_cluster_alerts_CL
| where Alert_cluster_name_s == "enthdipd" and Alert_state_s == "CRITICAL" and Alert_maintenance_state_s == "OFF"
| extend AggregatedValue = 1 
| summarize arg_max(Alert_original_timestamp_d, *) by Alert_component_name_s, href_s, Alert_text_s, bin(TimeGenerated, 5m)

    Note that I have put AggregatedValue that is equal to 1 so your threshold will be greater than 0 in your alert configuration. Besides aggregated value bin() usage is also required for metric measurement alerts. Usually you will set the bin interval (in the above case 5m) to the time window you configure the alert. You will also have to metric column or columns when you create the alert. Those will be the unique values that compromise a single instance for alert.

    Let me know if you have figured all the details and managed to configure the desired alert.

Stanislav_Zhelyazkov's avatar
Stanislav_Zhelyazkov
MVP
Oct 31, 2019

HiCampbellT 

I have a series of blog posts that focus on Azure Monitor Alerts. The blog post about Log Analytics alerts is here:

https://cloudadministrator.net/2019/10/07/azure-monitor-alert-series-part-7/

You can check it out as there I am explaining some concepts including using metric measurement alerts sub-type for event based log which seems to be your case.

The query for your alert will probably look like this:

metrics_cluster_alerts_CL
| where Alert_cluster_name_s == "enthdipd" and Alert_state_s == "CRITICAL" and Alert_maintenance_state_s == "OFF"
| extend AggregatedValue = 1 
| summarize arg_max(Alert_original_timestamp_d, *) by Alert_component_name_s, href_s, Alert_text_s, bin(TimeGenerated, 5m)

Note that I have put AggregatedValue that is equal to 1 so your threshold will be greater than 0 in your alert configuration. Besides aggregated value bin() usage is also required for metric measurement alerts. Usually you will set the bin interval (in the above case 5m) to the time window you configure the alert. You will also have to metric column or columns when you create the alert. Those will be the unique values that compromise a single instance for alert.

Let me know if you have figured all the details and managed to configure the desired alert.

  • CampbellT's avatar
    CampbellT
    Copper Contributor
    Nov 01, 2019

    That is perfect, Stanislav_Zhelyazkov 

     

    As a newbie to Kusto, I really need to wrap my head around the structure of the query language. I'm getting there - once I am, I see that this can be extremely powerful.

     

    Thanks for the response.