Forum Discussion
Auto Disabled (Rule Name)
Hi Team,
One of the scheduled rules was auto-disabled 2 days ago (31-Aug) and is showing: "The alert rule was disabled due to too many consecutive failures. Reason: The query was blocked as it was consuming too many resources."
When I tried to re-enable it, it showed:
"Failed to save analytics rule 'rule name'. Conflict:Newer instance of rule 'ID' exists for workspace 'workspace id' (Etag does not match). Data was not saved."
I made some changes in the KQL but it is still showing the same message.
Can someone help me find a solution?
2 Replies
- jdom Copper Contributor
akshay25june - Sometimes the GUI can cause issues like this when a rule cannot be overwritten. I recommend exporting the rule via the GUI to save it, removing it using PowerShell, and re-importing it.
Search for the rule, capture the rule ID and then utilise Remove-AzSentinelAlertRule.
    Get-AzSentinelAlertRule -ResourceGroupName <RG-Name> -WorkspaceName <LogAnalytics-Name> `
    | where Name -eq "<Rule-ID>"
And the equivalent removal PS: https://learn.microsoft.com/en-us/powershell/module/az.securityinsights/remove-azsentinelalertrule?view=azps-13.0.0
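The find, back up and remove steps from the reply above, written out as an added example that is not part of the original post. It assumes the Az.SecurityInsights module and an authenticated Az session; the variable names and the backup file name are illustrative, and the JSON it writes is a reference copy of the rule, not a replacement for the GUI export that gets re-imported.

```powershell
# Added example: placeholders below must be replaced with real values.
$rg        = '<RG-Name>'
$workspace = '<LogAnalytics-Name>'
$ruleId    = '<Rule-ID>'   # the rule's Name property, as used in the reply above
$backup    = "sentinel-rule-$ruleId.json"   # illustrative file name

# Look the rule up by ID and insist on exactly one match before touching it.
$rule = @(Get-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $workspace |
    Where-Object Name -eq $ruleId)
if ($rule.Count -ne 1) {
    throw "Expected exactly one rule with ID '$ruleId', found $($rule.Count)."
}

# Keep a local copy of the definition so the KQL and schedule settings
# are not lost if the re-import fails.
$rule[0] | ConvertTo-Json -Depth 20 | Set-Content -Path $backup -Encoding UTF8
if (-not (Test-Path $backup) -or (Get-Item $backup).Length -eq 0) {
    throw "Backup '$backup' was not written; the rule has not been removed."
}

# Preview the deletion, then perform it.
Remove-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $workspace `
    -RuleId $ruleId -WhatIf
Remove-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $workspace `
    -RuleId $ruleId

# Confirm the stale instance is gone before re-importing the exported rule.
$left = @(Get-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $workspace |
    Where-Object Name -eq $ruleId)
if ($left.Count -ne 0) {
    throw "Rule '$ruleId' is still present after removal."
}
"Rule removed; reference copy saved to $backup"
```

The detection does not run between the removal and the re-import, so do both in the same change window and check that the re-imported rule shows as enabled.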
- G_Wilson3468 Iron Contributor
I would try deleting the old one and then create a new analytic with the adjusted logic. Let me know if that helps.
G.