SOLVED
Home

Azure Monitor Query not working any more arg_max

%3CLINGO-SUB%20id%3D%22lingo-sub-201656%22%20slang%3D%22en-US%22%3EAzure%20Monitor%20Query%20not%20working%20any%20more%20arg_max%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-201656%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20had%20an%20azure%20monitor%20query%20to%20alert%20on%20low%20disk%20space%20on%20the%20VMs%2C%20i%20want%20to%20modify%20it%2C%20but%20suddenly%20the%20query%20is%20not%20accepted%2C%20even%20if%20it%20is%20the%20same%20that%20was%20working.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ehere%20is%20the%20query%20and%20you%20can%20see%20in%20the%20screenshot%20the%20error%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPerf%20%7C%20where%20ObjectName%20%3D%3D%20%22LogicalDisk%22%26nbsp%3B%20and%20CounterName%20%3D%3D%20%22%25%20Free%20Space%22%20and%20InstanceName%20!%3D%20%22_Total%22%20%7C%20summarize%20AggregatedValue%3Darg_max(CounterValue%2CTimeGenerated%2CCounterName)%20by%20Computer%2C%20InstanceName%20%2C%20bin(TimeGenerated%2C%2015m)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ei%20tried%20using%20%3CSTRONG%3Eargmax%3C%2FSTRONG%3E%20instead%20of%20%3CSTRONG%3Earg_max%3C%2FSTRONG%3E%20but%20no%20luck%20as%20well.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Edoes%20anyone%20know%20how%20to%20get%20it%20working%20again%20%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-201656%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Monitor%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-202209%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Monitor%20Query%20not%20working%20any%20more%20arg_max%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-202209%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%0A%3CP%3EAzure%20Log%20Analytics%20alerts%20will%20not%20work%20on%20aggregating%20more%20than%20one%20field.%20In%20your%20case%20you%20are%20aggregating%20by%20Computer%20and%20InstanceName.%20If%20you%20have%20configured%20such%20alert%20the%20alert%20will%20work%20by%20aggregating%20only%20the%20first%20filed%20and%20skip%20all%20the%20others%20that%20are%20not%20bin().%20Basically%20your%20alert%20will%20not%20have%20the%20desired%20affect.%20I%20would%20guess%20they%20now%20have%20implemented%20this%20block%20on%20UI%20level%20to%20be%20clear%20for%20user%20of%20the%20service.%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-201699%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Monitor%20Query%20not%20working%20any%20more%20arg_max%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-201699%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%26nbsp%3B%3C%2FP%3E%3CP%3Eyou%20can%26nbsp%3Btry%20this%20one.%3C%2FP%3E%3CP%3E%3CSPAN%3E%7C%20where%20ObjectName%20%3D%3D%20%22LogicalDisk%22%20and%20CounterName%20%3D%3D%20%22%25%20Free%20Space%22%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%7C%20summarize%20FreeSpace%20%3D%20min(CounterValue)%20by%20Computer%2C%20InstanceName%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%7C%20where%20strlen(InstanceName)%20%3D%3D2%20and%26nbsp%3B%20InstanceName%20contains%20%22%3A%22%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%7C%20where%20FreeSpace%20%26lt%3B%2015%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%7C%20sort%20by%20FreeSpace%20asc%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Ahmed Atef
Contributor

Hi, 

 

I had an azure monitor query to alert on low disk space on the VMs, i want to modify it, but suddenly the query is not accepted, even if it is the same that was working.

 

here is the query and you can see in the screenshot the error, 

 

Perf | where ObjectName == "LogicalDisk"  and CounterName == "% Free Space" and InstanceName != "_Total" | summarize AggregatedValue=arg_max(CounterValue,TimeGenerated,CounterName) by Computer, InstanceName , bin(TimeGenerated, 15m)

 

i tried using argmax instead of arg_max but no luck as well.

 

does anyone know how to get it working again ? 

2 Replies

Hi, 

you can try this one.

| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| summarize FreeSpace = min(CounterValue) by Computer, InstanceName
| where strlen(InstanceName) ==2 and  InstanceName contains ":"
| where FreeSpace < 15
| sort by FreeSpace asc

Solution

Hi

Azure Log Analytics alerts will not work on aggregating more than one field. In your case you are aggregating by Computer and InstanceName. If you have configured such alert the alert will work by aggregating only the first filed and skip all the others that are not bin(). Basically your alert will not have the desired affect. I would guess they now have implemented this block on UI level to be clear for user of the service.