Alert monitor - Rules that dont change to fired and keep trigger themselves


I created a rule called Test Rule Notepad. 

 

The rule is simple. 

It's based on a custom log search and it checks if notepad is running on a VM. 

 

This is the rule: 

-------------------------------------- Rule --------------------------------------------------------------

Perf
| where Computer == "ServerName"
| where (CounterName == "Process ID") or (CounterName == "ID Process")
| project TimeGenerated, Computer, ObjectName, CounterName, CounterValue, InstanceName
| summarize count() by bin(TimeGenerated, 1m), Computer, CounterName, CounterValue, InstanceName
// avg() needs a numeric input, so map the boolean comparison to 1.0 / 0.0 first
| summarize AggregatedValue = avg(iff(InstanceName == "notepad", 1.0, 0.0)) by bin(TimeGenerated, 1m), Computer, Running = (InstanceName == "notepad")
// Running is already a bool; comparing it with the string "true" is a type error
| extend Running = iff(Running, "1", "0")
| render timechart

-------------------------------------- Rule --------------------------------------------------------------

 

I have tried multiple flavors of this rule, but feel free to suggest. 

 

The configuration of the rule is this: [image: alert rule configuration]

 

And the end result is something like this: 

 

[image: fired alerts list]

 

The behavior that I get is that the rule is triggered, multiple times, instead of the rule being triggered 1 time, or at least "aggregate" the alerts. 

 

I just want to "use" the custom log search "like the metric". One alert one entrance. 

This creates a major issue when you are trying to manage multiple client subscriptions, and honestly it kind of shoots the tool itself in the foot. 

 

How can a custom log search be used in the same way as metric alerts,
and trigger only 1 alert? 

I don't want to use suppression on alerts, because it still creates an entrance on the alert tool for every time it verifies the alert, creating like 1000 alerts for just one situation. 

 

This only happens with Custom Log Searches, whether as a "metric" (using the aggregated value, like the rule above) or as a count. 


PLEASE HELP ME!! 

 

I have already looked into a lot of posts here, and in some of them they talk of a bug and a fix in Azure Monitor; however, I still see this happening today.  

1 Reply

Hi @loadedlouie27,

This is not a bug; it is the design of log alerts, which were built to find things in logs (which you can't really resolve).

 

We are planning to provide stateful log alerts, but recommend you investigate using metric alerts and/or metric alerts for logs to achieve state alerts on what you need for now.
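The reply points at metric alerts for logs as the stateful option. As an added example (not the poster's query above and not Microsoft's own code), the query below reshapes the poster's check into the form the "metric measurement" log alert type expects: a numeric AggregatedValue column and a binned TimeGenerated column, with one row per minute per Computer so the rule can be split by that dimension and evaluated against a threshold. "ServerName" is the placeholder from the original post, and the assumption that one row per bin and dimension is the desired shape comes from how metric alerts work, not from this thread.

```kql
// Added example, not the poster's query or Microsoft's code.
// Produces exactly one row per minute per computer:
//   AggregatedValue = 1 if any notepad instance reported a process ID in that minute,
//   AggregatedValue = 0 otherwise.
// "ServerName" is a placeholder taken from the original post.
Perf
| where Computer == "ServerName"
| where CounterName in ("Process ID", "ID Process")
// countif() counts only the notepad rows; the iff() collapses that count to a 1/0 signal
| summarize AggregatedValue = iff(countif(InstanceName == "notepad") > 0, 1, 0)
    by bin(TimeGenerated, 1m), Computer
| order by TimeGenerated asc
```

In the rule, select AggregatedValue as the measure with a threshold of greater than 0, and keep the evaluation frequency equal to the period so each one-minute bin is examined once. The `render timechart` line from the original query is left out because an alert rule does not draw a chart; run the query in Log Analytics with `| render timechart` appended when you want to see the 1/0 signal over time. As the reply says, a classic log alert still fires on every evaluation that breaches, so the stateful behaviour only comes from the metric-alert path this shape is built for.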