Oct 31 2019 07:13 AM
Oct 31 2019 07:13 AM
Firstly, apologies for what I'm sure is a really simple question!!
I'm trying to alert on CRITICAL events on our Production HDInsight instance. I've created the Kusto query below, that polls for critical events in non-maintenance mode, and then summarises on original timestamp, so I collect all events associated with the same 'href' together.
Now, that's all good, but I want to alert on this. As I see a new 'href', I want to be able to trigger an alert on distinct Alert_text, just once.
When I try to create a new alert from the query text in Log, it says I need an aggregated value - I'm assuming I would trigger if the aggregated value was greater than '0' on the Original_timestamp, but I'm not sure how to structure the query to do this.
Thanks in advance,
| where Alert_cluster_name_s == "enthdipd" and Alert_state_s == "CRITICAL" and Alert_maintenance_state_s == "OFF"
| summarize arg_max(Alert_original_timestamp_d, *) by Alert_component_name_s, href_s, Alert_text_s
| sort by Alert_component_name_s asc , Alert_original_timestamp_d desc
Oct 31 2019 11:50 PMSolution
I have a series of blog posts that focus on Azure Monitor Alerts. The blog post about Log Analytics alerts is here:
You can check it out as there I am explaining some concepts including using metric measurement alerts sub-type for event based log which seems to be your case.
The query for your alert will probably look like this:
metrics_cluster_alerts_CL | where Alert_cluster_name_s == "enthdipd" and Alert_state_s == "CRITICAL" and Alert_maintenance_state_s == "OFF" | extend AggregatedValue = 1 | summarize arg_max(Alert_original_timestamp_d, *) by Alert_component_name_s, href_s, Alert_text_s, bin(TimeGenerated, 5m)
Note that I have put AggregatedValue that is equal to 1 so your threshold will be greater than 0 in your alert configuration. Besides aggregated value bin() usage is also required for metric measurement alerts. Usually you will set the bin interval (in the above case 5m) to the time window you configure the alert. You will also have to metric column or columns when you create the alert. Those will be the unique values that compromise a single instance for alert.
Let me know if you have figured all the details and managed to configure the desired alert.