Monitoring & Ingestion


Anyone got any suggestions to get around some of the lengthy ingestion times you get with Log Analytics sometimes ? Alerting on Heartbeat provides a simple way of checking a VM is up and running but we've seen instances of up to an hour for the latest Heartbeat to be available for querying in Log Analytics. 

So you either have a lengthy period to check for (i.e. if no Heartbeat received for > 60mins then or alert) or you face plenty of false positives if you set the threshold for say 10mins.

Any ideas ?

 

2 Replies

@JK_UK

You can measure the latency as well, see here: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-ingestion-time

 

The product group are always looking at improving latency, and also note from the above link many tables differ in their upload frequency. So you may need some monitoring logic to have a case for your data sources.

Generally the agent data is quick but factors like your agent location to the Azure Region, topology and time of day may affect this:
"To ensure the Log Analytics agent is lightweight, the agent buffers logs and periodically uploads them to Azure Monitor. Upload frequency varies between 30 seconds and 2 minutes depending on the type of data. Most data is uploaded in under 1 minute. Network conditions may negatively affect the latency of this data to reach Azure Monitor ingestion point."

 

If the machine is also in Azure, consider an Azure Monitor Metric alert, as that will give you a second check. The Metric alerts have a low latency: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric-overview, some people check both.

@Clive Watson

Thanks Clive, much appreciated. We've looked at measuring ingestion time and we might have to look at that further, my concern with that is can LA measure ingestion time for a resource that is taking a long time to report in ? So for example, if a VM reports its Heartbeat 30 mins ago and the ingestion time was 1 minute then would LA just measure that and say that's great, everything's fine ?

LA surely won't know about a slow ingestion time until the latest Heartbeat (or whatever) arrives and by then it's too late ?

 

I'll also take a look at Metric Alerts but I think my hands are tied a bit there. We need to send over a custom JSON payload when an alert is triggered and unfortunately you can't do that with Metric Alerts. 

 

As an update, I'm just looking into this further. If I enable the Dependency Agent extension on the appropriate VMs then that seems to push through ServiceMap data to Azure Monitor, is that correct ? And if I do that, would VMConnection based on a Computer name give another option to check whether the VM is running ?

 

So in simple terms:

Heartbeat : Check a Heartbeat has been received within the last 5 mins

VMConnection : Check Computer has sent through 'some' data within the last 5 mins

 

If either of those are true then we're happy the VM is running. The big question is though, would ingestion time affect VMConnection and Heartbeat data in different ways ? I think you're saying (based on the article you mentioned above)  it would, which is a good thing.
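
One way to write the either-signal check from the post above as a Log Analytics query, added here as an example and not part of the original thread. The 5-minute window comes from the post; the 1-day lookback, the widening of the window by each computer's measured 95th-percentile ingestion delay, and the assumption that `Computer` values match across both tables are assumptions of this example.

```kusto
// Added example, not from the thread.
// staleAfter: the 5-minute window proposed in the post.
// lookback:   assumed baseline period for measuring ingestion delay.
let staleAfter = 5m;
let lookback = 1d;
// ingestion_time() is evaluated against each table before the union,
// so the delay is measured per record at its source table.
let hb = Heartbeat
    | where TimeGenerated > ago(lookback)
    | project Computer, TimeGenerated, Signal = "Heartbeat",
              Delay = ingestion_time() - TimeGenerated;
let vc = VMConnection
    | where TimeGenerated > ago(lookback)
    | project Computer, TimeGenerated, Signal = "VMConnection",
              Delay = ingestion_time() - TimeGenerated;
union hb, vc
// Most recent record from either table, plus the delay this computer
// has typically shown over the lookback period.
| summarize arg_max(TimeGenerated, Signal),
            P95Delay = percentile(Delay, 95)
          by Computer
| project-rename LastSeen = TimeGenerated, LastSignal = Signal
| extend Silence = now() - LastSeen
// Flag only when the silence is longer than the window plus the delay
// already known to be normal for this computer, which cuts the false
// positives a fixed short threshold produces.
| where Silence > staleAfter + P95Delay
| project Computer, LastSeen, LastSignal, Silence, P95Delay
| order by Silence desc
```

A computer that has sent nothing to either table within the lookback period does not appear in the result at all, so long outages need a comparison against a separate inventory of expected machines. The delay baseline only reflects records that have already arrived, which is the limitation raised earlier in the post.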