Forum Discussion
Trying to create an alert on eventhub throttled messages
Hi all,
I am trying to create an alert for throttled messages in eventhub. And the query I am using is:
And my condition is that my alert should be fired when throttled messages are between > 10 and < 25.
Could someone please check my KQL, whether I am heading in the right direction or not?
AzureMetrics
| where TimeGenerated > ago(30m)
| where MetricName == "OutgoingMessages" or MetricName == "IncomingMessages"
| extend Total_Outgoing_Messages = iif(MetricName == "OutgoingMessages", Total, 0.00)
| extend Total_Incoming_Messages = iif(MetricName == "IncomingMessages", Total, 0.00)
| summarize sum(Total_Outgoing_Messages), sum(Total_Incoming_Messages) by TimeGenerated
| extend Throttled_messages = abs(sum_Total_Incoming_Messages - sum_Total_Outgoing_Messages)
| extend condition = Throttled_messages > 10 and Throttled_messages < 25
Thanks
2 Replies
- Clive_Watson, Bronze Contributor
Maybe you did the last line for testing, but it should be a where to test for the condition? I was checking in the demo logs and I didn't ever see a Total above zero (but it is sample data). I tweaked lines 3 and 8.
AzureMetrics
| where TimeGenerated > ago(30m)
| where MetricName in ("OutgoingMessages","IncomingMessages")
| extend Total_Outgoing_Messages = iif(MetricName == "OutgoingMessages", Total, 0.00)
| extend Total_Incoming_Messages = iif(MetricName == "IncomingMessages", Total, 0.00)
| summarize sum(Total_Outgoing_Messages), sum(Total_Incoming_Messages) by TimeGenerated
| extend Throttled_messages = abs(sum_Total_Incoming_Messages - sum_Total_Outgoing_Messages)
| where Throttled_messages between (10 .. 25)
- Nikhil_Babu_Battula, Copper Contributor
Thanks for the help Clive_Watson
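Added example, not part of either post: the same calculation run over constructed rows (a `datatable` named `SampleMetrics`, an assumed stand-in for AzureMetrics) so the behaviour of the last line can be checked without live data. It puts the strict condition from the question (`> 10 and < 25`) beside `between (10 .. 25)`, which includes both endpoints, and uses `extend` so that every row stays visible for comparison.

```kusto
// Constructed sample rows, not real Event Hub data.
// Per-minute differences (incoming - outgoing) are 5, 10, 17, 25 and 40,
// chosen so that both range boundaries are exercised.
let SampleMetrics = datatable(TimeGenerated: datetime, MetricName: string, Total: real)
[
    datetime(2024-01-01 00:00:00), "IncomingMessages", 100.0,
    datetime(2024-01-01 00:00:00), "OutgoingMessages", 95.0,
    datetime(2024-01-01 00:01:00), "IncomingMessages", 100.0,
    datetime(2024-01-01 00:01:00), "OutgoingMessages", 90.0,
    datetime(2024-01-01 00:02:00), "IncomingMessages", 100.0,
    datetime(2024-01-01 00:02:00), "OutgoingMessages", 83.0,
    datetime(2024-01-01 00:03:00), "IncomingMessages", 100.0,
    datetime(2024-01-01 00:03:00), "OutgoingMessages", 75.0,
    datetime(2024-01-01 00:04:00), "IncomingMessages", 100.0,
    datetime(2024-01-01 00:04:00), "OutgoingMessages", 60.0
];
SampleMetrics
| where MetricName in ("OutgoingMessages", "IncomingMessages")
// sumif folds the two iif/extend steps into the aggregation itself.
| summarize
    Total_Incoming_Messages = sumif(Total, MetricName == "IncomingMessages"),
    Total_Outgoing_Messages = sumif(Total, MetricName == "OutgoingMessages")
    by TimeGenerated
| extend Throttled_messages = abs(Total_Incoming_Messages - Total_Outgoing_Messages)
// extend only adds a boolean column; no row is filtered out here.
| extend Strict_match = Throttled_messages > 10 and Throttled_messages < 25
// between is inclusive, so the rows with exactly 10 and exactly 25 also match.
| extend Inclusive_match = Throttled_messages between (10 .. 25)
| project TimeGenerated, Throttled_messages, Strict_match, Inclusive_match
| order by TimeGenerated asc
```

Replacing the two match lines with `| where Throttled_messages > 10 and Throttled_messages < 25` returns only the 00:02 row, while `| where Throttled_messages between (10 .. 25)` also returns the 00:01 and 00:03 rows.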