SOLVED

Easy way to exclude a resource from a Log analytics query alert?

%3CLINGO-SUB%20id%3D%22lingo-sub-1499269%22%20slang%3D%22en-US%22%3EEasy%20way%20to%20exclude%20a%20resource%20from%20a%20Log%20analytics%20query%20alert%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1499269%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20I%20have%20a%20query%20setup%20that%20checks%20high%20CPU%20from%20all%20VMs%20reporting%20to%20that%20log%20analytics%20workspace%20and%20i%20want%20to%20suppress%20one%20or%20two%20VMs%20for%20a%20while%20since%20i'm%20doing%20some%20operations%20to%20them.%20I%20know%20i%20can%20edit%20the%20query%20but%20would%20be%20nice%20if%20i%20could%20suppress%20or%20edit%20on%20the%20go%20to%20exclude%20a%20few%20resources.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1499269%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAlerts%20%26amp%3B%20Actions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ELog%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Evm%20insights%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1499293%22%20slang%3D%22en-US%22%3ERe%3A%20Easy%20way%20to%20exclude%20a%20resource%20from%20a%20Log%20analytics%20query%20alert%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1499293%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F424832%22%20target%3D%22_blank%22%3E%40Juval%3C%2FA%3E%26nbsp%3Byou%20can%20do%20action%20rules.%20or%20you%20can%20use%20dimensions%20in%20the%20alert%20to%20only%20select%20resources%20you%20want.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1499286%22%20slang%3D%22en-US%22%3ERe%3A%20Easy%20way%20to%20exclude%20a%20resource%20from%20a%20Log%20analytics%20query%20alert%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1499286%22%20slang%3D%22en-US%22%3EAction%20Rules%20allow%20this%20using%20the%20payload%20option.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Falerts-action-rules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Falerts-action-rules%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1499365%22%20slang%3D%22en-US%22%3ERe%3A%20Easy%20way%20to%20exclude%20a%20resource%20from%20a%20Log%20analytics%20query%20alert%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1499365%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F557589%22%20target%3D%22_blank%22%3E%40pvyver%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EHi%2C%20ok%20so%20instead%20of%20messing%20with%20the%20original%20alert%20and%20adding%20basically%20a%20exemption%20list%20i%20could%20do%20a%20value%20or%20a%20list%20in%20the%20payload%20filter%20and%20suppress%20it%20that%20way.%20I%20like%20this%20cause%20this%20way%20i%20can%20see%20if%20i%20forgot%20it%20on%20or%20if%20i%20just%20need%20it%20to%20be%20suppressed%20for%20half%20a%20day.%20Awesome!%20Thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1499368%22%20slang%3D%22en-US%22%3ERe%3A%20Easy%20way%20to%20exclude%20a%20resource%20from%20a%20Log%20analytics%20query%20alert%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1499368%22%20slang%3D%22en-US%22%3EHi!%20But%20i%20guess%20in%20that%20scenario%20i%20would%20need%20a%20new%20Action%20rules%3F%20I'm%20thinking%20if%20i%20already%20have%20alerts%20defined%20through%20a%20log%20analytics%20workspace%20and%20then%20i'm%20having%20a%20few%20misbehaving%20resources%20i%20would%20like%20to%20suppress%20the%20alerts%20from%20just%20those%20resources.%20If%20i%20understood%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F557589%22%20target%3D%22_blank%22%3E%40pvyver%3C%2FA%3E%20right%2C%20i%20could%20just%20suppress%20those%20and%20see%20those%20values%20later%20what%20i%20did%20and%20even%20schedule%20it.%20I%20believe%20this%20is%20what%20i%20need.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1499596%22%20slang%3D%22en-US%22%3ERe%3A%20Easy%20way%20to%20exclude%20a%20resource%20from%20a%20Log%20analytics%20query%20alert%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1499596%22%20slang%3D%22en-US%22%3EYes%2C%20add%20a%20new%20Action%20Rule%2C%20scope%20to%20the%20workspace%20and%20specify%20the%20computer%20name%20in%20the%20payload.%3CBR%20%2F%3ESpecify%20the%20schedule%2C%20and%20you%20are%20good%20to%20go.%3C%2FLINGO-BODY%3E
Occasional Contributor

If I have a query setup that checks high CPU from all VMs reporting to that log analytics workspace and i want to suppress one or two VMs for a while since i'm doing some operations to them. I know i can edit the query but would be nice if i could suppress or edit on the go to exclude a few resources.

5 Replies
best response confirmed by Juval (Occasional Contributor)
Solution

@Juval you can do action rules. or you can use dimensions in the alert to only select resources you want.

@pvyver 
Hi, ok so instead of messing with the original alert and adding basically a exemption list i could do a value or a list in the payload filter and suppress it that way. I like this cause this way i can see if i forgot it on or if i just need it to be suppressed for half a day. Awesome! Thanks!

Hi! But i guess in that scenario i would need a new Action rules? I'm thinking if i already have alerts defined through a log analytics workspace and then i'm having a few misbehaving resources i would like to suppress the alerts from just those resources. If i understood @pvyver right, i could just suppress those and see those values later what i did and even schedule it. I believe this is what i need.
Yes, add a new Action Rule, scope to the workspace and specify the computer name in the payload.
Specify the schedule, and you are good to go.