Forum Discussion
How to export Azure Alert Rules (Log Analytics)
Hi Ravi,
I think Stanislav is pointing you in the right direction. I have used the given script to query the Alerts API for Log Analytics. But no luck!
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-api-alerts
I can give you a little explanation of the API, but you will have to write your own script if you are good at scripting. Otherwise, wait like me for someone to write this kind of script. :)
Basically, in the example from the docs they use a tool (an exe program) that queries the Azure Resource Manager API to get the information. You can use your armclient tool or create your own script with web requests to the API. I would suggest the first if you do not have much experience with querying REST APIs.
About the Alerts API for Log Analytics: basically you have 3 resources that need to be created so you can have an alert:
- Saved search
- Schedule
- Action
Saved Search is the top resource. You will have to create a Saved Search in order to create a Schedule and an Action. Schedule is a sub-resource of Saved Search, and Action is a sub-resource of Schedule, so you also have to create a Schedule in order to create an Action. The definition of those 3 resources makes an alert, and the definition of those 3 is what you want to export so you can have the full definition of the alert. Keep in mind that not every saved search has a schedule and an action, so only saved searches that are used for alerts will have the other 2 resources.
Looking at the API, you will first have to get all saved searches. That way you will get the query and the name of the query. For each saved search you have to check if there is a Schedule resource. If there is a schedule resource, you get the schedule resource for each query that has it. That way, for each query you will get the schedule information, which will give you the frequency and the time frame of the alert. For each saved search with a schedule you will also have to check if there is an action. You will get the action for those that have it. That way you will get the information on the threshold, severity, action group and name of the alert. The information for saved search, schedule and action, for each one that has those, is the definition of each alert.
I usually create my alerts via ARM template rather than the UI. That way I can always deploy the same alerts on different workspaces without needing to export them.
Here is an example of creating an alert with an ARM template that I've found:
https://docs.microsoft.com/en-us/azure/monitoring/monitoring-solutions-resources-searches-alerts
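The walk described in the post above (saved searches, then schedules, then actions), as an added Python example that is not part of the original thread. `get` is a hypothetical caller-supplied function that performs the authenticated ARM request, the api-version is an assumption, and the workspace path and sample responses are constructed.

```python
API_VERSION = "2015-03-20"  # assumed api-version for the Log Analytics alerts API

def export_alerts(workspace, get):
    """Walk saved search -> schedule -> action and return alert definitions.

    workspace: ARM resource path of the workspace.
    get: caller-supplied function (hypothetical) that does an authenticated
         ARM GET on a path and returns parsed JSON, or None if nothing exists.
    """
    def children(path):
        body = get(f"{path}?api-version={API_VERSION}") or {}
        return body.get("value", [])

    def last(resource):
        # Use only the final id segment, so full and short ids both work.
        return resource["id"].rstrip("/").rsplit("/", 1)[-1]

    alerts = []
    for search in children(f"{workspace}/savedSearches"):
        s_path = f"{workspace}/savedSearches/{last(search)}"
        # A saved search without a schedule is not an alert and is skipped.
        for schedule in children(f"{s_path}/schedules"):
            a_path = f"{s_path}/schedules/{last(schedule)}/actions"
            alerts.append({"savedSearch": search, "schedule": schedule,
                           "actions": children(a_path)})
    return alerts

# Constructed sample data (not from a real workspace); field names are assumed.
WS = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
      "/providers/Microsoft.OperationalInsights/workspaces/ws-demo")
FAKE = {
    f"{WS}/savedSearches": {"value": [
        {"id": f"{WS}/savedSearches/failed-logons",
         "properties": {"DisplayName": "Failed logons",
                        "Query": "SecurityEvent | where EventID == 4625"}},
        {"id": f"{WS}/savedSearches/adhoc-report",
         "properties": {"DisplayName": "Ad hoc", "Query": "Heartbeat | count"}}]},
    f"{WS}/savedSearches/failed-logons/schedules": {"value": [
        {"id": f"{WS}/savedSearches/failed-logons/schedules/sched1",
         "properties": {"Interval": 15, "QueryTimeSpan": 15, "Enabled": True}}]},
    f"{WS}/savedSearches/failed-logons/schedules/sched1/actions": {"value": [
        {"id": f"{WS}/savedSearches/failed-logons/schedules/sched1/actions/act1",
         "properties": {"Name": "Failed logon burst", "Severity": "Warning",
                        "Threshold": {"Operator": "gt", "Value": 10}}}]},
}

def fake_get(path):
    """Offline stand-in for the ARM GET; drops the query string before lookup."""
    return FAKE.get(path.split("?", 1)[0])
```

Serialising the return value of `export_alerts(WS, fake_get)` with `json.dumps` gives one record per alert that can be kept under version control.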
Hey Gourav,
I would appreciate it if you did not copy my replies from other forums and present them as your own words here. Here is the proof that these are my words:
This is not ethical at all. Instead you can just provide a link to the thread.