Azure Alert - Custom JSON payload with log search alert


Hi all,

 

I configured some Azure alerts with a Log Analytics query. I found that the payload generated is different from the one of an Azure metric alert. In the Log Search alert I miss the Activated and Deactivated status, and the mail generated always has the same header (whether it is activated or deactivated):

[image: gvs9A.png]

 

the payload generated is like this one:

{"WebhookName":"MyAlert","RequestBody":"{\"schemaId\":\"Microsoft.Insights/LogAlert\",\"data\":{\r\n \"SubscriptionId\": \"12345678\",\r\n \"AlertRuleName\": \"MyRuleName\",\r\n \"SearchQuery\": \"MyQuery\",\r\n \"SearchIntervalEndtimeUtc\": \"2021-08-09T16:48:05Z\",\r\n \"AlertThresholdOperator\": \"Greater Than\",\r\n \"AlertThresholdValue\": 1.0,\r\n \"ResultCount\": 0,\r\n \"SearchIntervalInSeconds\": 300,\r\n \"LinkToSearchResults\": \"MyLink\",\r\n \"LinkToFilteredSearchResultsUI\": \"MyLink\",\r\n \"LinkToSearchResultsAPI\": \"MyLink\",\r\n \"LinkToFilteredSearchResultsAPI\": \"MyLink\",\r\n \"Description\": \"MyDescription\",\r\n \"Severity\": \"1\",\r\n \"ApplicationId\": \"MyId\",\r\n \"AlertType\": \"Number of results\"\r\n}}","RequestHeader":{"Connection":"Keep-Alive","Expect":"100-continue","Host":"MyHost","User-Agent":"IcMBroadcaster/1.0","X-CorrelationContext":"MyCorrelation","x-ms-request-id":"MyRequest"}}

Compared to Azure metric alerts, as written before, I miss in the JSON the status with Activated or Deactivated:

"WebhookName":"MyAlert","RequestBody":"{\"schemaId\":\"AzureMonitorMetricAlert\",\"data\":{\"version\":\"2.0\",\"properties\":null,\"status\":\"Activated\",

I see that in the log search alert it is possible to insert a custom JSON:

[image: PcQtq.png]

 

I tried to add:

{"status":"Activated"}

without success.

Is it possible to add the Activated and Deactivated status?

Thanks

2 Replies

Hi,
For metric alerts, you get activated or deactivated alerts, as there is a very clear threshold and they are stateful. For log and event-based alerts, it works a bit differently.

 

Stateful alerts fire once per incident and resolve. The alert rule resolves when the alert condition isn't met for 30 minutes for a specific evaluation period (to account for log ingestion delay), and for three consecutive evaluations to reduce noise if there are flapping conditions. For example, with a frequency of 5 minutes, the alert resolves after 40 minutes, or with a frequency of 1 minute, the alert resolves after 32 minutes. The resolved notification is sent out via webhooks or email; the status of the alert instance (called monitor state) in the Azure portal is also set to resolved.

The stateful alerts feature is currently in preview in the Azure public cloud. You can set this using Automatically resolve alerts in the alert details section.

Source: Log alerts in Azure Monitor - Azure Monitor | Microsoft Docs (https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-unified-log)

 

 

@Anders Bengtsson 

 

Yes, correct that the alert goes active or deactivated. I already enabled "Automatically resolve alerts".

 

The problem is that in the log search alert I miss the activated or deactivated status in the payload, and I would like to add it because we need to check the status when a script in Automation calls the on-duty technician. Without the status, the script calls twice: when the log search alert fires and when the log search alert resolves.

 

I did a workaround, but I would like to add it into the payload.
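As an added example (not code from the thread, from Azure, or from the poster's workaround): a Python handler for the Automation webhook that derives a fired/resolved state from either payload shape shown above and pages only on the fired transition, so the resolve notification never calls the technician a second time. The threshold re-evaluation for the LogAlert schema, the "Less Than"/"Equal" operator strings, and the metric rule name at data.context.name are assumptions; the sample payloads are constructed from the thread's redacted examples.

```python
import json
import operator

# Azure Automation hands the runbook a WebhookData object whose RequestBody is
# the alert JSON as a string. All three samples are constructed from the
# thread's payloads, with the poster's placeholder values kept as they were.
LOG_RESOLVED = {"WebhookName": "MyAlert", "RequestBody": json.dumps({
    "schemaId": "Microsoft.Insights/LogAlert",
    "data": {"AlertRuleName": "MyRuleName", "AlertThresholdOperator": "Greater Than",
             "AlertThresholdValue": 1.0, "ResultCount": 0}})}
LOG_FIRED = {"WebhookName": "MyAlert", "RequestBody": json.dumps({
    "schemaId": "Microsoft.Insights/LogAlert",
    "data": {"AlertRuleName": "MyRuleName", "AlertThresholdOperator": "Greater Than",
             "AlertThresholdValue": 1.0, "ResultCount": 7}})}
METRIC_FIRED = {"WebhookName": "MyAlert", "RequestBody": json.dumps({
    "schemaId": "AzureMonitorMetricAlert",
    "data": {"version": "2.0", "status": "Activated",
             "context": {"name": "MyMetricRule"}}})}  # context.name is assumed

# "Greater Than" is the operator string the thread shows; the other two are assumed.
OPERATORS = {"Greater Than": operator.gt, "Less Than": operator.lt, "Equal": operator.eq}


def alert_state(webhook_data):
    """Return (rule_name, 'fired' | 'resolved') for either webhook schema.

    Metric alerts carry an explicit status. The LogAlert schema does not, so the
    state is inferred by re-applying the rule's own threshold to ResultCount
    (assumption: a resolved notification reports a ResultCount that no longer
    meets the threshold, as in the thread's ResultCount 0 sample).
    """
    payload = json.loads(webhook_data["RequestBody"])
    data = payload["data"]
    schema = payload.get("schemaId")
    if schema == "AzureMonitorMetricAlert":
        state = {"Activated": "fired", "Deactivated": "resolved"}[data["status"]]
        return data.get("context", {}).get("name", "<unknown>"), state
    if schema == "Microsoft.Insights/LogAlert":
        compare = OPERATORS[data["AlertThresholdOperator"]]
        met = compare(data["ResultCount"], data["AlertThresholdValue"])
        return data["AlertRuleName"], "fired" if met else "resolved"
    raise ValueError(f"unsupported schemaId: {schema!r}")


def should_page(webhook_data, open_incidents):
    """True only when a rule transitions to fired; resolve just closes the incident."""
    rule, state = alert_state(webhook_data)
    if state == "fired" and rule not in open_incidents:
        open_incidents.add(rule)
        return True
    if state == "resolved":
        open_incidents.discard(rule)
    return False
```

In a real runbook the open_incidents set would have to live in durable storage (an Automation variable or a table) rather than in memory, since each webhook invocation starts a fresh process.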