
Azure Observability Blog

PUBLIC PREVIEW: Announcing public preview of dynamic thresholds for log search alerts

Efrat_Ben_Porat
Nov 18, 2025

We’re excited to announce the public preview of dynamic thresholds for log search alerts in Azure Monitor! This capability builds on the existing dynamic thresholds capability for metric alerts and brings the same intelligence to log-based monitoring.

 

Figure: Dynamic threshold for log alerts preview chart displayed when setting up a new alert rule

What are dynamic thresholds?

Dynamic thresholds help remove the guesswork from setting alert conditions. Instead of manually defining static thresholds, Azure Monitor uses advanced machine learning to:

  • Learn historical behavior of your log query results
  • Detect hourly, daily, and weekly seasonal patterns
  • Calculate the most appropriate thresholds for each alert rule
  • Adapt automatically as data patterns change

Why it matters

  • Simplified configuration: No need to fine-tune thresholds manually
  • Adaptive monitoring: Alerts adjust automatically to changing trends
  • At-scale intelligence: For multi-dimensional monitoring, thresholds are calculated per dimension combination

Example use cases

AKS Pod restart spike anomaly detection

  • Scenario: Monitor Kubernetes Pod logs for spikes in pod restarts across clusters.
  • Why dynamic thresholds help:
    • AKS workloads often scale dynamically; static thresholds can’t account for autoscaling patterns.
    • Dynamic thresholds adapt to normal fluctuations in node/pod counts and alert only on true anomalies.
  • Example query:
KubePodInventory | summarize restartCount = sum(PodRestartCount) by bin(TimeGenerated, 10m), ClusterName, Namespace, Name

 

  • Dynamic threshold settings:
    • Measure: restartCount (the aggregated column from the query).
    • Split by dimensions (optional):

      • Namespace (for workload-level baselines).
      • Name (for per-pod granularity if needed).
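The following is an added example, not code from the original post and not Azure Monitor's algorithm (which the post does not describe). It is a simplified sketch of the idea behind splitting by Namespace: one learned upper bound per dimension combination and hour of day, compared with a single static threshold. The data, the threshold of 30, the sensitivity value and the median/MAD band are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

STATIC_THRESHOLD = 30   # constructed static limit, for comparison only
SENSITIVITY = 4.0       # hypothetical band width, in median absolute deviations

def build_history(days=14):
    """Constructed history rows: (day, hour, namespace, restartCount)."""
    rows = []
    for day in range(days):
        for hour in range(24):
            jitter = (day * 7 + hour * 3) % 5            # deterministic noise, 0..4
            # 'batch' restarts heavily during its 02:00 job; 'web' stays flat.
            batch = 40 + jitter if hour == 2 else 1 + jitter % 2
            rows.append((day, hour, "batch", batch))
            rows.append((day, hour, "web", 2 + jitter % 3))
    return rows

def learn_baselines(rows):
    """Learn one upper bound per (namespace, hour-of-day) combination."""
    buckets = defaultdict(list)
    for _day, hour, namespace, count in rows:
        buckets[(namespace, hour)].append(count)
    bounds = {}
    for key, values in buckets.items():
        med = median(values)
        mad = median([abs(v - med) for v in values])
        # Floor the spread at 1 so a perfectly flat series still has a band.
        bounds[key] = med + SENSITIVITY * max(mad, 1.0)
    return bounds

def evaluate(bounds, hour, namespace, count):
    """Return which kind of threshold would fire for one new data point."""
    return {
        "static": count > STATIC_THRESHOLD,
        "dynamic": count > bounds[(namespace, hour)],
    }

if __name__ == "__main__":
    bounds = learn_baselines(build_history())
    # Routine nightly batch restarts: static fires (noise), dynamic stays quiet.
    print(evaluate(bounds, 2, "batch", 43))
    # Unusual restarts in 'web': static misses it, dynamic fires.
    print(evaluate(bounds, 14, "web", 15))
```

The static threshold pages on the routine 02:00 batch restarts and misses the smaller but abnormal rise in the web namespace, while the per-dimension baseline does the reverse.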

Resource Inventory Drift Detection (Azure Resource Graph)

  • Scenario: Detect sudden spikes in resource creation or deletion across subscriptions or management groups that may indicate runaway deployments, using the log search alerts integration with Azure Resource Graph.
  • Why dynamic thresholds help:
    • Large organizations often have thousands of resources with varying deployment patterns.
    • Static thresholds can’t account for seasonal changes (e.g., monthly deployments, scaling events).
    • Dynamic thresholds adapt per subscription or resource type, reducing false positives.
  • Example query:
arg("").Resources | summarize resourceCount = count() by type, subscriptionId

 

  • Dynamic threshold settings:
    • Measure: resourceCount (the aggregated column from the query).
    • Split by dimensions (optional):

      • type (for specific resource type changes).
      • subscriptionId (for per-subscription granularity).

Getting Started 

Learn more about Log Search Alerts with Dynamic Thresholds and how to set up alert rules in Azure Monitor.

 

Updated Nov 12, 2025
Version 1.0