SOLVED

ARM Template for KQL Query Alert


Hi All,

I want to configure a Log Analytics alert using ARM templates, so I am following this link: https://docs.microsoft.com/en-in/azure/azure-monitor/insights/solutions-resources-searches-alerts#sa...

But the problem is, I am working on a requirement to create CPU, Memory and Disk alerts, and for this I would need to write 3 different ARM templates with different KQL. Could anyone please help me edit the given template so that I can generate all the alerts using a single ARM template?

If I create 3 different templates, the major problem is that I will have 3 solutions under my Log Analytics workspace, since this template creates a solution for each alert. So I am looking for a way to edit this template to configure multiple alerts using a single template.

Looking forward to hearing from you.

Elaborating more on the question:

Why I want to create multiple alerts using one template:

• As it creates a solution for every alert, if I use a new template for every single alert then I will have lots of solutions under Azure.

• And creating multiple templates will create a mess too.

Now suppose I need to create a new Disk alert; then I need to edit the fields below in the template (highlighted in brown for the Disk alert). This will create a new solution for the alert, but I want to create multiple alerts under this one solution.

"SolutionName": "SolutionTest2",
"SolutionVersion": "1.0",
"SolutionPublisher": "SolutionTesters",
"ProductName": "SolutionTest2",
"LogAnalyticsApiVersion": "2017-03-03-preview",
"MySearch": {
  "displayName": "Disk over 70%",
  "query": "Perf | where ObjectName==\"LogicalDisk\" and CounterName==\"% Free Space\" and CounterValue>70",
  "category": "Samples",
  "name": "Samples-Count of  Disk Data"
},
"MyAlert": {
  "Name": "[toLower(concat('myalert-',uniqueString(resourceGroup().id, deployment().name)))]",
  "DisplayName": "Disk over 70%",
  "Description": "Disk alert.  Fires when 3 error records found over hour interval.",
  "Severity": "critical",
  "ThresholdOperator": "gt",
  "ThresholdValue": 70,
  "Schedule": {
    "Name": "[toLower(concat('myschedule-',uniqueString(resourceGroup().id, deployment().name)))]",
    "Interval": 15,
    "TimeSpan": 60
  },
  "MetricsTrigger": {
    "TriggerCondition": "Consecutive",
    "Operator": "gt",
    "Value": 3
  },
  "ThrottleMinutes": 60,
  "AzNsNotification": {
    "GroupIds": [
      "[parameters('actiongroup')]"
    ]
  }
}


I also learned that the APIs used in the given link are deprecated but still working, so we need to create the template using these APIs.


4 Replies

Hi,

If someone wants to create the template for you, he can feel free to do it, but I usually do not do those things. The reason is that there is no learning experience. Next time you will have to create another template, and it may result in another thread for the same ask. If you are able to learn, you will be able to do it yourself. I am not sure how familiar you are with ARM templates, so I would suggest starting with the documentation and some of the how-tos there. Even if the examples there are not related to Log Analytics, you will get an understanding of how templates work. With that said, knowing the basics makes it easier to modify the template example for alerts. Keep in mind that it is an example and you do not need to follow it strictly. What does that mean? For example, you do not need to create the solutions resource. You can completely remove that part. Alerts can be deployed fine without that resource. Adding more alerts to this template is easy. You need to copy the savedSearches, schedules and actions resources in the resources section. Of course you will need to modify the properties of those resources so they point either to different variables or, if it is easier for you, you can enter the data directly without using variables. Some values you probably do not need to change (depending on the scenario), for example the Action Group references. To create a third alert you will do another copy and change the values again. A few things to note:

- Make sure your dependencies are correct. The schedule relies on the saved search, and the action relies on the schedule. The dependencies are per alert instance.

- Make sure names are unique per resource.

- Make sure names are consistent. As the name of the saved search is referenced in the schedule, those need to match. The same goes for the action, where you need to put the names of the saved search and the schedule.


I hope this helps! Happy learning!
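As an added example (not from this thread, the linked doc, or the toolkit), here is one way to apply the advice above to the original question: instead of hand-copying the savedSearches/schedules/actions trio once per alert, an ARM copy loop stamps the three resources out of one alerts array, and each schedule and action depends on its own saved search or schedule by resourceId, so names stay unique and consistent per alert instance and the solution resource is dropped entirely. It goes beyond the thread by using a copy loop; the resource types and property names follow the deprecated 2017-03-03-preview API used by the linked doc and the poster's snippet, while the parameter names, the search/schedule/action names and the three KQL queries are assumptions constructed for this example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": { "type": "string" },
    "actionGroupId": { "type": "string", "metadata": { "description": "Resource ID of an existing action group (assumed)" } }
  },
  "variables": {
    "apiVersion": "2017-03-03-preview",
    "alerts": [
      {
        "search": "core-high-cpu", "schedule": "core-high-cpu-schedule", "action": "core-high-cpu-alert",
        "displayName": "CPU over 85%",
        "query": "Perf | where ObjectName == 'Processor' and CounterName == '% Processor Time' and InstanceName == '_Total' | summarize AggregatedValue = avg(CounterValue) by Computer | where AggregatedValue > 85",
        "interval": 15, "timeSpan": 60
      },
      {
        "search": "core-low-memory", "schedule": "core-low-memory-schedule", "action": "core-low-memory-alert",
        "displayName": "Available memory under 1024 MB",
        "query": "Perf | where ObjectName == 'Memory' and CounterName == 'Available MBytes' | summarize AggregatedValue = avg(CounterValue) by Computer | where AggregatedValue < 1024",
        "interval": 15, "timeSpan": 60
      },
      {
        "search": "core-low-disk", "schedule": "core-low-disk-schedule", "action": "core-low-disk-alert",
        "displayName": "Disk free space under 10%",
        "query": "Perf | where ObjectName == 'LogicalDisk' and CounterName == '% Free Space' and InstanceName != '_Total' | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName | where AggregatedValue < 10",
        "interval": 15, "timeSpan": 60
      }
    ]
  },
  "resources": [
    {
      "comments": "One saved search per entry in variables('alerts'); the copy loop replaces hand-copied resources.",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "[variables('apiVersion')]",
      "name": "[concat(parameters('workspaceName'), '/', variables('alerts')[copyIndex()].search)]",
      "copy": { "name": "searchCopy", "count": "[length(variables('alerts'))]" },
      "properties": {
        "etag": "*",
        "category": "Alerts",
        "displayName": "[variables('alerts')[copyIndex()].displayName]",
        "query": "[variables('alerts')[copyIndex()].query]"
      }
    },
    {
      "comments": "Each schedule depends only on its own saved search (per-instance dependency, not on the whole loop).",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules",
      "apiVersion": "[variables('apiVersion')]",
      "name": "[concat(parameters('workspaceName'), '/', variables('alerts')[copyIndex()].search, '/', variables('alerts')[copyIndex()].schedule)]",
      "copy": { "name": "scheduleCopy", "count": "[length(variables('alerts'))]" },
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspaceName'), variables('alerts')[copyIndex()].search)]"
      ],
      "properties": {
        "etag": "*",
        "interval": "[variables('alerts')[copyIndex()].interval]",
        "queryTimeSpan": "[variables('alerts')[copyIndex()].timeSpan]",
        "enabled": true
      }
    },
    {
      "comments": "Each action depends on its own schedule and fires when the query returns more than 0 rows.",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
      "apiVersion": "[variables('apiVersion')]",
      "name": "[concat(parameters('workspaceName'), '/', variables('alerts')[copyIndex()].search, '/', variables('alerts')[copyIndex()].schedule, '/', variables('alerts')[copyIndex()].action)]",
      "copy": { "name": "actionCopy", "count": "[length(variables('alerts'))]" },
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspaceName'), variables('alerts')[copyIndex()].search, variables('alerts')[copyIndex()].schedule)]"
      ],
      "properties": {
        "etag": "*",
        "Type": "Alert",
        "Name": "[variables('alerts')[copyIndex()].displayName]",
        "Description": "[concat('Core alert: ', variables('alerts')[copyIndex()].displayName)]",
        "Severity": "critical",
        "Threshold": { "Operator": "gt", "Value": 0 },
        "Throttling": { "DurationInMinutes": 60 },
        "AzNsNotification": {
          "GroupIds": [ "[parameters('actionGroupId')]" ],
          "CustomEmailSubject": "[concat('Alert - ', variables('alerts')[copyIndex()].displayName)]"
        }
      }
    }
  ]
}
```

Because the poster notes these APIs are deprecated, validate the template against the target resource group (for example with `az deployment group validate`) before deploying it; adding a fourth alert is then a matter of appending one object to the alerts array.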

best response confirmed by GouravIN (Brass Contributor)
Solution

While not exactly what you're looking for, we're automating Alert creation using the alert toolkit here:

https://github.com/Microsoft/manageability-toolkits


Thanks Scott, this worked like a charm on my requirement.


Amazing!!

Hi Scott,

I added an update management alert to the DefaultAlertConfig file, but when I try to execute this script for alert creation I get the error below.

Note: I have checked the JSON format and it is valid.

Please find the JSON "DefaultAlertConfig" file below for further clarification.


{ 
"ConfigFileVersion":"1.3",
"ApiVersion":"2015-03-20",
"Alerts":[
{
"AlertName":"High CPU Usage",
"AlertGuid":"8a9b0a3b-5f17-4a55-8132-0fe6dcbf968f",
"Tags":[
"Core"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - High CPU Usage",
"Query":"let _maxValue = 85; let _timeWindow = 4h; let _AvgCpu = Perf | where TimeGenerated >= ago(_timeWindow) | where CounterName == \"% Processor Time\" and InstanceName =~ \"_Total\" | summarize mtgPerf=max(TimeGenerated), CounterValue=round(avg(CounterValue)), SampleCount=count(CounterValue) by Computer, InstanceName, CounterName, ObjectName; _AvgCpu | where CounterValue > _maxValue | project Computer , ObjectName , CounterName , InstanceName , TimeGenerated=mtgPerf , CounterValue , AlertType_s = \"Sustained High CPU Utilization\" , Severity = 4 , SeverityName_s = \"WARNING\" , AffectedCI_s = strcat(Computer, \"/CPUPercent/\", InstanceName) , AlertTitle_s = strcat(Computer, \": Sustained High CPU Utilization\") , AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nAverage CPU Utilization: \", CounterValue, \"%\\r\\nSample Period: Last \", _timeWindow, \"\\r\\nSample Count: \", SampleCount, \"\\r\\nAlert Threshold: > \", _maxValue, \"%\")",
"Version":"1"
},
"Schedule":{
"Interval":30,
"QueryTimeSpan":240,
"Active":"true"
},
"AlertDefinition":{
"Name":"High CPU Usage",
"Description":"Triggers an alert for a high CPU usage condition",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":0
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - High CPU Usage"
}
}
},
{
"AlertName":"Update Missing On Server",
"AlertGuid":"7a8b0a4b-7f17-4a55-8123-0fe4dcbf354f",
"Tags":[
"Core"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - Update Missing on Server",
"Query":"Update | where UpdateState =~ \"Needed\" and iff(isnotnull(toint(Optional)), Optional == false, Optional == \"false\") == true and Classification == \"Critical Updates\" and iff(isnotnull(toint(Approved)), Approved != false, Approved != \"false\") == true | summarize AggregatedValue = count() by Computer",
"Version":"1"
},
"Schedule":{
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{
"Name":"Critical Update Missing on Server",
"Description":"Triggers an alert when a critical or needed update missing on server",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":0
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - Update Missing on Server"
}
}
},
{
"AlertName":"Low Disk Space Windows - Critical",
"AlertGuid":"844d2068-65ea-45d0-98d0-44e34a0548c6",
"Tags":[
"Core"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - Low Disk Space Windows",
"Query":"let _minValue = 10; Perf | where TimeGenerated >= ago(1h) | where CounterValue <= _minValue | where CounterName == \"% Free Space\" and InstanceName in (\"C:\", \"E:\", \"F:\", \"G:\") | summarize mtgPerf=max(TimeGenerated), CounterValue=max(CounterValue) by Computer, InstanceName, CounterName, ObjectName, DriveLetter=replace(@\"(\\w).\",@\"\\1\", InstanceName) | join kind=inner ( Heartbeat | where OSType == \"Windows\" | summarize max(TimeGenerated) by Computer ) on Computer | project Computer , ObjectName , CounterName , InstanceName , TimeGenerated=mtgPerf , round(CounterValue) , DriveLetter , AlertType_s = \"Windows Low Disk Space\" , Severity = 3 , SeverityName_s = \"WARNING\" , AffectedCI_s = strcat(Computer, \"/\", DriveLetter) , AlertTitle_s = strcat(Computer, \": Low Disk Space on Drive \", DriveLetter) , AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nDrive Letter: \", DriveLetter, \"\\r\\nPercent Free Space: \", round(CounterValue), \"%\\r\\nAlert Threshold: <= \", _minValue, \"%\")",
"Version":"1"
},
"Schedule":{
"Interval":30,
"QueryTimeSpan":35,
"Active":"true"
},
"AlertDefinition":{
"Name":"Low Disk Space Windows",
"Description":"Triggers an alert for a low disk space condition",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":0
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - Low Disk Space Windows"
}
}
},
{
"AlertName":"Low Memory",
"AlertGuid":"1fcf8156-fcca-45d2-be45-aca07b90aee8",
"Tags":[
"Core"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - Low Memory",
"Query":"let _minAvailableMB = 1024;\nlet _sampleInterval = 4h;\nlet _linuxMem = Perf\n| where TimeGenerated >= ago(_sampleInterval)\n| where CounterName == \"Available MBytes Memory\"\n| summarize mtgPerf=max(TimeGenerated), CounterValue=avg(CounterValue), SampleCount=count(CounterValue) by Computer\n| join kind=inner\n(\n Heartbeat\n | where OSType == \"Linux\"\n | summarize max(TimeGenerated) by Computer\n)\non Computer\n| project Computer, mtgPerf, AvailableMBytes=round(CounterValue), SampleCount;\nlet _windowsMem = Perf\n| where TimeGenerated >= ago(_sampleInterval)\n| where CounterName == \"Available MBytes\"\n//and ObjectName == \"Logical Disk\"\n\n//and InstanceName matches regex \"/.*\"\n| summarize mtgPerf=max(TimeGenerated), CounterValue=avg(CounterValue), SampleCount=count(CounterValue) by Computer\n| join kind=inner\n(\n Heartbeat\n | where OSType == \"Windows\"\n | summarize max(TimeGenerated) by Computer\n)\non Computer\n| project Computer, mtgPerf, AvailableMBytes=round(CounterValue), SampleCount;\n_linuxMem\n| union _windowsMem\n| where AvailableMBytes < _minAvailableMB\n| project Computer , TimeGenerated=mtgPerf , CounterValue=AvailableMBytes , AlertType_s = \"Low Available Memory\" , Severity = 4 , SeverityName_s = \"WARNING\" , AffectedCI_s = strcat(Computer, \"/FreeMemoryMB/\") , AlertTitle_s = strcat(Computer, \": Low Available Memory\") , AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nAverage Free Memory: \", AvailableMBytes, \" MB\\r\\nSample Period: Last \", _sampleInterval, \"\\r\\nSample Count: \", SampleCount, \"\\r\\nAlert Threshold: < \", _minAvailableMB, \" MB\")",
"Version":"1"
},
"Schedule":{
"Interval":30,
"QueryTimeSpan":240,
"Active":"true"
},
"AlertDefinition":{
"Name":"Low Memory",
"Description":"Triggers an alert for a low memory condition",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":0
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - Low Memory"
}
}
},
{
"AlertName":"NTFS - File System Corrupt",
"AlertGuid":"bb8527b1-6152-4d28-be04-c3d81cf98407",
"Tags":[
"Core"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - NTFS - File System Corrupt",
"Query":"Event | where EventLog == \"System\" and Source == \"DISK\" or Source == \"Ntfs\" and EventID == 55 | project Computer, TimeGenerated, AlertType_s = \"NTFS - File System Corrupt\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = Computer, AlertTitle_s = strcat(Computer, \": NTFS - File System Corrupt\"), AlertDetails_s = strcat(\"Event Description:\\r\\n\", RenderedDescription)",
"Version":"1"
},
"Schedule":{
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{
"Name":"NTFS - File System Corrupt",
"Description":"Core monitoring alert for monitoring disk",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":0
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - NTFS - File System Corrupt"
}
}
},
{
"AlertName":"Unexpected shutdown",
"AlertGuid":"39128bb3-9a64-4d81-bc36-58be5e101514",
"Tags":[
"Core"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - Unexpected shutdown",
"Query":"Event | where EventLog == \"System\" and EventID == 6008 | project Computer, TimeGenerated, AlertType_s = \"Unexpected shutdown\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer), AlertTitle_s = strcat(Computer, \": Unexpected Shutdown\"), AlertDetails_s = strcat(\"Multiple shutdowns detected in the past 24 hours\\r\\nEventID: 6008\\r\\nEvent Description: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{
"Interval":1440,
"QueryTimeSpan":1440,
"Active":"true"
},
"AlertDefinition":{
"Name":"Unexpected shutdown",
"Version":"1",
"Description":"Unexpected shutdown monitoring from core monitoring",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":1
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - Unexpected shutdown"
}
}
},
{
"AlertName":"HP Windows (SNMP) Power sub system degraded or failed",
"AlertGuid":"c40aab23-0622-4648-9a67-6118858bdbd5",
"Tags":[
"Physical,HP"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Power sub system degraded or failed",
"Query":"Event | where EventLog == \"System\" | where EventID == 1103 or EventID == 1128 or EventID == 1126 or EventID == 1124 or EventID == 1125 or EventID == 1184 | where RenderedDescription contains \"System Information Agent: Health\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Power sub system degraded or failed\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Power sub system degraded or failed with Event ID \", EventID), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{
"Name":"HP Windows (SNMP) Power sub system degraded or failed",
"Description":"Power sub system degraded or failed. The fault tolerant power supply has degraded, failed or lost redundancy.",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":0
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - HP Windows (SNMP) Power sub system degraded or failed"
}
}
},
{
"AlertName":"HP Windows (SNMP) Fan degraded",
"AlertGuid":"804809b2-8cac-4d72-b186-ecd40f59ed95",
"Tags":[
"Physical,HP"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Fan degraded",
"Query":"Event | where EventLog == \"System\" | where Source == \"Server Agents\" | where EventID == 1131 or EventID == 1129 or EventID == 1086 | where RenderedDescription contains \"CPQHLTH.MIB\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Fan degraded\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Fan degraded with Event ID \", EventID), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{
"Name":"HP Windows (SNMP) Fan degraded",
"Description":"Fan degraded. A fault tolerant fan or system fan has been degraded.",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":0
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - HP Windows (SNMP) Fan degraded"
}
}
},
{
"AlertName":"HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded",
"AlertGuid":"73032be3-1f4e-44a4-88be-ca25b797b1bc",
"Tags":[
"Physical,HP"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded",
"Query":"Event | where EventID == 1150 or EventID == 1151 | where RenderedDescription contains \"CPQRACK.MIB\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded with Event ID\", EventID), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{
"Name":"HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded",
"Version":"1",
"Description":"Rack fans have failed.",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":0
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded"
}
}
},
{
"AlertName":"HP Windows (SNMP) Drive Array Physical Drive degraded",
"AlertGuid":"eca68326-ebc4-490d-b33b-071af8380e81",
"Tags":[
"Physical,HP"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Drive Array Physical Drive degraded",
"Query":"Event | where EventID == 1202 or EventID == 1203 or EventID == 1216 | where RenderedDescription contains \"CPQIDA.MIB\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Drive Array Physical Drive degraded\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Drive Array Physical Drive degraded with Event ID \", EventID), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{
"Name":"HP Windows (SNMP) Drive Array Physical Drive degraded",
"Version":"1",
"Description":"The drive array physical drive has degraded.",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":0
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - HP Windows (SNMP) Drive Array Physical Drive degraded"
}
}
},
{
"AlertName":"HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild",
"AlertGuid":"372ffd1b-2a78-4ef4-b801-2c902bc8d3c1",
"Tags":[
"Physical,HP"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild",
"Query":"Event | where EventLog == \"System\" | where EventID == 1200 | where Source == \"Storage Agents\" | where RenderedDescription contains \"new status of 6\" and RenderedDescription contains \"CPQIDA.MIB\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID, \"/readyForRebuild\"), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild\"), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{
"Name":"HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild",
"Version":"1",
"Description":"The drive array logical drive status has changed to 'readyForRebuild'",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":0
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert- HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild"
}
}
},
{
"AlertName":"HP Windows (SNMP) Drive Array Logical Drive Status is failed",
"AlertGuid":"749aee97-1666-4635-8f88-38afd598e9b5",
"Tags":[
"Physical,HP"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Drive Array Logical Drive Status is failed",
"Query":"Event | where EventLog == \"System\" | where EventID == 1200 | where Source == \"Storage Agents\" | where RenderedDescription contains \"new status of 3\" and RenderedDescription contains \"CPQIDA.MIB\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Drive Array Logical Drive Status is failed\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID, \"/failed\"), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Drive Array Logical Drive Status is failed\"), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{
"Name":"HP Windows (SNMP) Drive Array Logical Drive Status is failed",
"Version":"1",
"Description":"The drive array logical drive status has changed to 'failed'",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":0
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - HP Windows (SNMP) Drive Array Logical Drive Status is failed"
}
}
},
{
"AlertName":"HP Windows (SNMP) Memory degraded",
"AlertGuid":"c1446d74-f632-49eb-b426-0e536386cfc6",
"Tags":[
"Physical,HP"
],
"SavedSearch":{
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Memory degraded",
"Query":"Event | where EventLog == \"System\" | where Source == \"Server Agents\" | where EventID == 1025 or EventID == 1026 or EventID == 1027 or EventID == 1028 or EventID == 1031 or EventID == 1071 or EventID == 1035 or EventID == 1039 | where RenderedDescription contains \"CPQHLTH.MIB\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Memory degraded\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Memory degraded with Event ID \", EventID), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{
"Name":"HP Windows (SNMP) Memory degraded",
"Version":"1",
"Description":"Memory degraded. Advanced Memory Protection has detected a memory fault.",
"Severity":"critical",
"Type":"Alert",
"Threshold":{
"Operator":"gt",
"Value":1
},
"AzNsNotification":{
"GroupIds":[
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - HP Windows (SNMP) Memory degraded"
}
}
}
],
"Events":[
{
"EventLogName":"Application",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-ClusterAwareUpdating/Admin",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-Desired State Configuration/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-FailoverClustering-CsvFs/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-FailoverClustering/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-GroupPolicy/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-Hyper-V-Config/Admin",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-Hyper-V-High-Availability/Admin",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-Hyper-V-Integration/Admin",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-Hyper-V-Shared-VHDX/Operational",
"Error":true,
"Warning":true,
"Information":false
},
{
"EventLogName":"Microsoft-Windows-Hyper-V-SynthNic/Admin",
"Error":true,
"Warning":true,
"Information":false
},
{
"EventLogName":"Microsoft-Windows-Hyper-V-VMMS/Admin",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-Hyper-V-VMMS/Networking",
"Error":true,
"Warning":true,
"Information":false
},
{
"EventLogName":"Microsoft-Windows-Hyper-V-VMMS/Storage",
"Error":true,
"Warning":true,
"Information":false
},
{
"EventLogName":"Microsoft-Windows-Hyper-V-Worker-Admin",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-NetworkProfile/Operationa",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-SMBServer/Operational",
"Error":true,
"Warning":true,
"Information":false
},
{
"EventLogName":"Microsoft-Windows-TaskScheduler/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Microsoft-Windows-VHDMP/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"MSNIPAK",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Operations Manager",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"Setup",
"Error":true,
"Warning":true,
"Information":true
},
{
"EventLogName":"System",
"Error":true,
"Warning":true,
"Information":true
}
],
"PerformanceCounters":[
{
"ObjectName":"Cluster CSV File System",
"CounterName":"IO Read Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Cluster CSV File System",
"CounterName":"IO Read Latency",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Cluster CSV File System",
"CounterName":"IO Reads/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Cluster CSV File System",
"CounterName":"IO Write Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Cluster CSV File System",
"CounterName":"IO Write Latency",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Cluster CSV File System",
"CounterName":"IO Writes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Hyper-V Dynamic Memory VM",
"CounterName":"Guest Visible Physical Memory",
"InstanceName":"*",
"intervalSeconds":1800
},
{
"ObjectName":"Hyper-V Dynamic Memory VM",
"CounterName":"Physical Memory",
"InstanceName":"*",
"intervalSeconds":1800
},
{
"ObjectName":"Hyper-V Hypervisor Logical Processor",
"CounterName":"% Total Run Time",
"InstanceName":"*",
"intervalSeconds":60
},
{
"ObjectName":"Hyper-V Hypervisor Virtual Processor",
"CounterName":"% Total Run Time",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Hyper-V Virtual Storage Device",
"CounterName":"Read Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Hyper-V Virtual Storage Device",
"CounterName":"Read Operations/Sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Hyper-V Virtual Storage Device",
"CounterName":"Write Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Hyper-V Virtual Storage Device",
"CounterName":"Write Operations/Sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"LogicalDisk",
"CounterName":"% Free Space",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"LogicalDisk",
"CounterName":"Avg. Disk sec/Read",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"LogicalDisk",
"CounterName":"Avg. Disk sec/Transfer",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"LogicalDisk",
"CounterName":"Avg. Disk sec/Write",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"LogicalDisk",
"CounterName":"Current Disk Queue Length",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"LogicalDisk",
"CounterName":"Disk Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"LogicalDisk",
"CounterName":"Disk Read Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"LogicalDisk",
"CounterName":"Disk Reads/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"LogicalDisk",
"CounterName":"Disk Transfers/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"LogicalDisk",
"CounterName":"Disk Write Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"LogicalDisk",
"CounterName":"Disk Writes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"LogicalDisk",
"CounterName":"Free Megabytes",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Memory",
"CounterName":"% Committed Bytes In Use",
"InstanceName":"*",
"intervalSeconds":1800
},
{
"ObjectName":"Memory",
"CounterName":"Available MBytes",
"InstanceName":"*",
"intervalSeconds":1800
},
{
"ObjectName":"Memory",
"CounterName":"Commit Limit",
"InstanceName":"*",
"intervalSeconds":1800
},
{
"ObjectName":"Memory",
"CounterName":"Committed Bytes",
"InstanceName":"*",
"intervalSeconds":1800
},
{
"ObjectName":"Network Adapter",
"CounterName":"Bytes Received/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Network Adapter",
"CounterName":"Bytes Sent/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Network Interface",
"CounterName":"Bytes Total/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"NUMA Node Memory",
"CounterName":"Available MBytes",
"InstanceName":"_Total",
"intervalSeconds":1800
},
{
"ObjectName":"NUMA Node Memory",
"CounterName":"Total MBytes",
"InstanceName":"_Total",
"intervalSeconds":1800
},
{
"ObjectName":"Processor",
"CounterName":"% Processor Time",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"Processor",
"CounterName":"% Processor Time",
"InstanceName":"_Total",
"intervalSeconds":60
},
{
"ObjectName":"System",
"CounterName":"Processor Queue Length",
"InstanceName":"*",
"intervalSeconds":300
},
{
"ObjectName":"TCPv4",
"CounterName":"Connections Established",
"InstanceName":"*",
"intervalSeconds":300
}
]
}

The error I am getting is as follows:


ARM_alert_error.JPG
