Azure Monitor now introduces Dynamic Thresholds for Log Search Rules as well, revolutionizing how you set up log search alerts. Say goodbye to manual threshold tuning and hello to intelligent, adaptable monitoring.
Here’s why dynamic thresholds are a game-changer:
Dynamic thresholds empower you to stay proactive, minimize downtime, and keep your systems running smoothly.
Here are some use cases for dynamic thresholds:
Background: Users can now calculate guest VM metrics using the Perf table in Log Analytics, enabling the creation of a single alert rule for all your VMs across different regions using dimensions. Previously, customers could only set up dynamic threshold metric alerts for host CPU usage.
Goal Statement: The primary goal of this use case is to monitor the CPU behavior within virtual machines (VMs) and detect irregular patterns that may indicate performance issues.
Scenario definitions:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "scheduledqueryrules_PerfDemoRule_name": {
      "defaultValue": "PerfDemoRule",
      "type": "String"
    },
    "workspaces_PerfDemoWorkspace_externalid": {
      "defaultValue": "/subscriptions/XXXX-XXXX-XXXX-XXXX/resourceGroups/XXXX/providers/Microsoft.OperationalInsights/workspaces/PerfDemoWorkspace",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "microsoft.insights/scheduledqueryrules",
      "apiVersion": "2024-01-01-preview",
      "name": "[parameters('scheduledqueryrules_PerfDemoRule_name')]",
      "location": "eastus2",
      "properties": {
        "displayName": "[parameters('scheduledqueryrules_PerfDemoRule_name')]",
        "severity": 3,
        "enabled": true,
        "evaluationFrequency": "PT5M",
        "scopes": [
          "[parameters('workspaces_PerfDemoWorkspace_externalid')]"
        ],
        "targetResourceTypes": [
          "Microsoft.Compute/virtualMachines"
        ],
        "windowSize": "PT5M",
        "criteria": {
          "allOf": [
            {
              "query": "Perf | where CounterName == \"Available MBytes\" and InstanceName == \"_Total\" | project TimeGenerated, CounterValue, Computer,_ResourceId\n",
              "timeAggregation": "Average",
              "metricMeasureColumn": "CounterValue",
              "dimensions": [],
              "resourceIdColumn": "_ResourceId",
              "operator": "GreaterThan",
              "alertSensitivity": "High",
              "criterionType": "DynamicThresholdCriterion",
              "failingPeriods": {
                "numberOfEvaluationPeriods": 1,
                "minFailingPeriodsToAlert": 1
              }
            }
          ]
        },
        "autoMitigate": false
      }
    }
  ]
}
Goal Statement: The primary goal of this use case is to monitor the network write behavior within virtual machines (VMs) and detect irregular patterns that may indicate performance issues or anomalies.
Scenario Definitions:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "scheduledqueryrules_LogSearch1ActionGroup_name": {
      "defaultValue": "LogSearch1ActionGroup",
      "type": "String"
    },
    "components_ACME_Portal_externalid": {
      "defaultValue": "/subscriptions/XXXX-XXXX-XXXX-XXXX/resourceGroups/XXXX-XXXX/providers/microsoft.insights/components/ACME-Portal",
      "type": "String"
    },
    "computersToInclude": {
      "type": "Array"
    },
    "networkInterfacesToInclude": {
      "type": "Array"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "microsoft.insights/scheduledqueryrules",
      "apiVersion": "2024-01-01-preview",
      "name": "[parameters('scheduledqueryrules_LogSearch1ActionGroup_name')]",
      "location": "eastus",
      "properties": {
        "displayName": "[parameters('scheduledqueryrules_LogSearch1ActionGroup_name')]",
        "severity": 3,
        "enabled": true,
        "evaluationFrequency": "PT5M",
        "scopes": [
          "[parameters('components_ACME_Portal_externalid')]"
        ],
        "targetResourceTypes": [
          "microsoft.insights/components"
        ],
        "windowSize": "PT30M",
        "criteria": {
          "allOf": [
            {
              "query": "InsightsMetrics| where Origin == \"vm.azm.ms\"| where Namespace == \"Network\" and Name == \"WriteBytesPerSecond\"| extend NetworkInterface=tostring(todynamic(Tags)[\"vm.azm.ms/networkDeviceId\"])|summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface",
              "timeAggregation": "Average",
              "metricMeasureColumn": "AggregatedValue",
              "dimensions": [
                {
                  "name": "Computer",
                  "operator": "Include",
                  "values": "[parameters('computersToInclude')]"
                },
                {
                  "name": "NetworkInterface",
                  "operator": "Include",
                  "values": "[parameters('networkInterfacesToInclude')]"
                }
              ],
              "operator": "GreaterThan",
              "alertSensitivity": "High",
              "criterionType": "DynamicThresholdCriterion",
              "resourceIdColumn": "_ResourceId",
              "failingPeriods": {
                "numberOfEvaluationPeriods": 1,
                "minFailingPeriodsToAlert": 1
              }
            }
          ]
        },
        "autoMitigate": false
      }
    }
  ]
}
You can easily change a log search rule (with a static threshold) template to be a dynamic one by making the following changes:
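Added example, not part of the original post or of Microsoft's own code: the sketch below infers the changes from what the two templates above have in common (`criterionType`, `alertSensitivity`, the `2024-01-01-preview` apiVersion, and no `threshold` field), applies them to a static rule, and lints the result. The static rule, its name and its values are constructed for the demo, and treating a leftover `threshold` as an error is an assumption.

```python
import copy

DYNAMIC_API_VERSION = "2024-01-01-preview"  # used by both templates on this page
RULE_TYPE = "microsoft.insights/scheduledqueryrules"

# Constructed static-threshold rule (hypothetical name, query and limit).
STATIC_TEMPLATE = {
    "resources": [{
        "type": RULE_TYPE,
        "apiVersion": "2021-08-01",
        "name": "StaticDemoRule",
        "properties": {"criteria": {"allOf": [{
            "query": "Perf | where CounterName == \"% Processor Time\"",
            "metricMeasureColumn": "CounterValue",
            "operator": "GreaterThan",
            "threshold": 80,
            "failingPeriods": {"numberOfEvaluationPeriods": 1, "minFailingPeriodsToAlert": 1},
        }]}},
    }],
}

def _criteria(template):
    """Yield (rule resource, index, criterion) for every scheduled query rule."""
    for res in template.get("resources", []):
        if res.get("type", "").lower() == RULE_TYPE:
            allof = res.get("properties", {}).get("criteria", {}).get("allOf", [])
            for i, crit in enumerate(allof):
                yield res, i, crit

def to_dynamic(template, sensitivity="High"):
    """Return a copy whose log search rules use a dynamic threshold."""
    out = copy.deepcopy(template)
    for res, _, crit in _criteria(out):
        res["apiVersion"] = DYNAMIC_API_VERSION
        crit.pop("threshold", None)  # neither template on the page keeps one
        crit["criterionType"] = "DynamicThresholdCriterion"
        crit["alertSensitivity"] = sensitivity
    return out

def lint(template):
    """Report dynamic criteria that are incomplete or still carry a static limit."""
    problems = []
    for res, i, crit in _criteria(template):
        if crit.get("criterionType") == "DynamicThresholdCriterion":
            if "threshold" in crit:
                problems.append(f"{res.get('name', '?')}[{i}]: leftover 'threshold'")
            if "alertSensitivity" not in crit:
                problems.append(f"{res.get('name', '?')}[{i}]: missing 'alertSensitivity'")
    return problems
```

Call `to_dynamic()` on a parsed template and run `lint()` on the result before deploying it.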
In the world of monitoring and alerting, precision matters. Enter Dynamic Thresholds—a game-changer for Log Search Rules. Here’s why they’re essential:
Dynamic thresholds empower you to be proactive, responsive, and precise.
Note that this feature is still in private preview (undocumented).