Sep 18 2017 - last edited on Apr 07 2022
I am experimenting with creating alerts using the new query language against data uploaded through the data collector API.
I am consistently seeing a 10 minute delay between when an alert query is run and when the alert email is sent. With tight time restrictions in my query, it is definitely a delay in sending the email and not a delay in the availability of records.
Is this expected behavior?
Sep 18 2017 11:16 PM Solution
Sep 19 2017 10:09 AM
It appears to be fixed now. For my latest alerts, it was a more reasonable 20 seconds between the start of the query and receipt of the alert email.
Thank you Stanislav and whoever did the fixing.
Nov 14 2017 12:25 PM
I run into this problem periodically (there are a variety of factors that can delay the data sources). Here's a query to check the latest in Heartbeat, but if you replace the DataSource with another, it'll tell you when it last saw information from that source. I alert based off of the value put out by the Latency value in the query.
Heartbeat
| summarize LatestHeartbeat=max(TimeGenerated)
| extend Latency=now()-LatestHeartbeat
I hope that helps!
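As an added example (not part of the original thread), the same last-seen check can be broken out per computer, with the ingestion delay of the newest record shown next to it, so that a source that has gone quiet can be told apart from records that arrived late. The 15-minute threshold and the one-day lookback are assumed values; `ingestion_time()` and the `Computer` column of `Heartbeat` are standard in Log Analytics.

```kusto
// Added example: threshold and lookback are assumptions, tune them to your agents.
let StaleAfter = 15m;
Heartbeat
| where TimeGenerated > ago(1d)
// Capture when the service stored each record, before aggregating.
| extend IngestedAt = ingestion_time()
// Keep only the newest heartbeat per computer, with its ingestion time.
| summarize arg_max(TimeGenerated, IngestedAt) by Computer
| extend Latency = now() - TimeGenerated,               // time since the source was last heard from
         IngestionDelay = IngestedAt - TimeGenerated    // pipeline delay for that newest record
| where Latency > StaleAfter
| order by Latency desc
```

A large `Latency` with a small `IngestionDelay` points at the source having stopped sending; a large `IngestionDelay` points at the pipeline.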