SOLVED

Alert delay


I am experimenting with creating alerts using the new query language against data uploaded through the data collector API.

I am consistently seeing a 10 minute delay between when an alert query is run and when the alert email is sent. With tight time restrictions in my query, it is definitely a delay in sending the email and not a delay in the availability of records.

Is this expected behavior?

3 Replies
best response confirmed by Stanislav Zhelyazkov (MVP)
Solution
This seems to be a bug. I've notified the responsible team for this and hopefully they will get it fixed.

It appears to be fixed now. For my latest alerts, it was a more reasonable 20 seconds between the start of the query and receipt of the alert email.

Thank you Stanislav and whoever did the fixing.

I run into this problem periodically (there are a variety of factors that can delay the data sources). Here's a query to check the latest in Heartbeat, but if you replace the DataSource with another, it'll tell you when it last saw information from that source. I alert based off of the value put out by the Latency value in the query.

 

Heartbeat
| summarize LatestHeartbeat=max(TimeGenerated)
| extend Latency=now()-LatestHeartbeat

 

I hope that helps!
