Forum Discussion
ARM Template for KQL Query Alert
- Feb 04, 2019
While not exactly what you're looking for, we're automating Alert creation using the alert toolkit here:
https://github.com/Microsoft/manageability-toolkits
Hi,
If someone wants to create the template for you, he can feel free to do it, but I usually do not do those things. The reason for that is that there is no learning experience. Next time you will have to create another template, and that may result in another thread for the same ask. If you are able to learn, you will be able to do it yourself. I am not sure how familiar you are with ARM templates, so I would suggest starting with the documentation and some of the How-To's there. Even if the examples there are not related to Log Analytics, you will get an understanding of how templates work.

With that said, knowing the basics makes it easier to modify the template example for alerts. Keep in mind that it is an example and you do not need to follow it strictly. What does that mean? For example, you do not need to create the solutions resource. You can completely remove that part. Alerts can be deployed fine without that resource.

Adding more alerts to this template is easy. You need to copy the savedSearches, schedules and actions resources in the resources section. Of course, you will need to modify the properties of those resources so they point to different variables or, if it is easier for you, you can enter the data directly without using variables. Some values you probably do not need to change (depending on the scenario), for example the Action Group references. To create a third alert, you will do another copy and change the values again. A few things to note:
- Make sure your dependencies are correct. The schedule relies on the saved search, and the action relies on the schedule. The dependencies are per alert instance.
- Make sure names are unique for each resource.
- Make sure names are consistent. As the name of the saved search is referenced in the schedule, those need to match. The same goes for the action, where you need to put the names of the saved search and the schedule.
I hope this helps! Happy learning!
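
The three notes in the reply above, written as a pre-deployment check (an added example, not part of the original post or of the toolkit linked earlier). It assumes resource names and `dependsOn` entries are entered as literal strings rather than `[concat(...)]` or `[resourceId(...)]` expressions; the workspace and alert names and the `make_alert` helper are constructed for illustration.

```python
# Added example: lint a Log Analytics alert ARM template for the three notes above.
# Assumption: names and dependsOn entries are literal strings, not ARM expressions.
from collections import Counter

BASE = "Microsoft.OperationalInsights/workspaces/savedSearches"
PARENT_TYPE = {  # child resource type -> type it must depend on
    BASE + "/schedules": BASE,
    BASE + "/schedules/actions": BASE + "/schedules",
}

def lint_alert_template(template):
    """Return a list of problems found in the template's alert resources."""
    resources = [r for r in template.get("resources", [])
                 if r.get("type", "").startswith(BASE)]
    problems = []
    # Note 2: names must be unique per resource type (the copy-and-forget mistake).
    counts = Counter((r["type"], r["name"]) for r in resources)
    for (_, name), n in sorted(counts.items()):
        if n > 1:
            problems.append(f"duplicate name: {name}")
    known = set(counts)
    for r in resources:
        parent_type = PARENT_TYPE.get(r["type"])
        if parent_type is None:
            continue  # saved searches have no alert parent to check
        parent = r["name"].rsplit("/", 1)[0]
        # Note 3: the child's name must embed the name of an existing parent.
        if (parent_type, parent) not in known:
            problems.append(f"inconsistent name: {r['name']}")
        # Note 1: each alert instance declares its own parent in dependsOn.
        if not any(d.endswith(parent) for d in r.get("dependsOn", [])):
            problems.append(f"missing dependsOn: {r['name']}")
    return problems

def make_alert(ws, search, schedule, action):
    """Constructed sample: one saved search + schedule + action triple."""
    s, sc = f"{ws}/{search}", f"{ws}/{search}/{schedule}"
    return [
        {"type": BASE, "name": s},
        {"type": BASE + "/schedules", "name": sc, "dependsOn": [s]},
        {"type": BASE + "/schedules/actions", "name": f"{sc}/{action}",
         "dependsOn": [sc]},
    ]

# Two alerts, each copied with its own names and dependencies.
GOOD = {"resources": make_alert("ws", "search1", "sched1", "act1")
                     + make_alert("ws", "search2", "sched2", "act2")}
```

Running `lint_alert_template` on the parsed template JSON before deployment returns an empty list when every alert triple is unique, consistently named and correctly chained.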