Forum Discussion

Roman_Turovskyy's avatar
Roman_Turovskyy
Copper Contributor
Jan 07, 2019
Solved

Reliably trigger alerts for Log Analytics log entries

MSDN documentation at https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alert-log-troubleshoot states: "To mitigate data ingestion delay, the system waits and retries the alert query mult...
Azure Log Analytics
azure monitor
Stanislav_Zhelyazkov's avatar
Stanislav_Zhelyazkov
MVP
Jan 07, 2019

Hi,

My testing shows that when there is delay of data ingestion the alert is still fired up. Of course the alert is inheriting that delay but I haven't found missing alerts so far. May be you can share more about the experience you have: what kind of data source you use? when you have missing alerts have you compared ingested time with Time Generated for those events? What is your exact query?

Roman_Turovskyy's avatar
Roman_Turovskyy
Copper Contributor
Jan 07, 2019

The exact query is:

search *
| where ResourceProvider == "MICROSOFT.DATAFACTORY" and (Level == "Error" or status_s == "Failed")
| order by TimeGenerated

 

Query is running over Log Analytics to which Data Factory V2 writes them (with several minutes delay, but it is hard to tell the exact numbers).

When I set Period = Frequency = 5 minutes then more than 50% of alert emails are missing, for Period = Frequency = 15 almost all logs relult in alert email, but not 100% all.

Except described issue there is a more severe issue, which may be related to the described one. When I navigate to Monitor -> Alerts I always see "All is good! You have no alerts." message which is really strange. I expect to see statistics about triggered alerts.

Because of this "You have no alerts." message it is hard to be sure that the issue is with alerts but not with emails (configured via Action Group). Our assumption was "there might be an issue with emails delivering, e.g. because of spam filters" but this assumption was dismissed after we configured Azure Function action type - azure functions are not invoked when emails are missing and are invoked when emails are delivered, so at least there is consistency with emails and Azure Function action types.

What may be the reason of "All is good! You have no alerts." message is always present?