Aug 10 2021 09:42 AM - last edited on Apr 08 2022 10:52 AM by TechCommunityAP
Hi all,
I configured some Azure alerts with a Log Analytics query. I found that the payload generated is different from an Azure metric alert. In a Log Search alert I miss the Activated and Deactivated status, and the mail generated always has the same header (whether it is activated or deactivated):
The payload generated is like this one:
{"WebhookName":"MyAlert","RequestBody":"{\"schemaId\":\"Microsoft.Insights/LogAlert\",\"data\":{\r\n \"SubscriptionId\": \"12345678\",\r\n \"AlertRuleName\": \"MyRuleName\",\r\n \"SearchQuery\": \"MyQuery\",\r\n \"SearchIntervalEndtimeUtc\": \"2021-08-09T16:48:05Z\",\r\n \"AlertThresholdOperator\": \"Greater Than\",\r\n \"AlertThresholdValue\": 1.0,\r\n \"ResultCount\": 0,\r\n \"SearchIntervalInSeconds\": 300,\r\n \"LinkToSearchResults\": \"MyLink\",\r\n \"LinkToFilteredSearchResultsUI\": \"MyLink\",\r\n \"LinkToSearchResultsAPI\": \"MyLink\",\r\n \"LinkToFilteredSearchResultsAPI\": \"MyLink\",\r\n \"Description\": \"MyDescription\",\r\n \"Severity\": \"1\",\r\n \"ApplicationId\": \"MyId\",\r\n \"AlertType\": \"Number of results\"\r\n}}","RequestHeader":{"Connection":"Keep-Alive","Expect":"100-continue","Host":"MyHost","User-Agent":"IcMBroadcaster/1.0","X-CorrelationContext":"MyCorrelation","x-ms-request-id":"MyRequest"}}
Compared with Azure metric alerts, as written before, I miss in the JSON the status with Activated or Deactivated:
"WebhookName":"MyAlert","RequestBody":"{\"schemaId\":\"AzureMonitorMetricAlert\",\"data\":{\"version\":\"2.0\",\"properties\":null,\"status\":\"Activated\",
I see that in a log search alert it is possible to insert a custom JSON:
I tried to add:
{"status":"Activated"}
without success.
Is it possible to add the Activated and Deactivated status?
Thanks
Aug 27 2021 01:50 AM
Hi,
For metric alerts, you get activated or deactivated alerts, as there is a very clear threshold and they are stateful. For log and event-based alerts, it works a bit differently.
Stateful alerts fire once per incident and resolve. The alert rule resolves when the alert condition isn't met for 30 minutes for a specific evaluation period (to account for log ingestion delay), and for three consecutive evaluations to reduce noise if there are flapping conditions. For example, with a frequency of 5 minutes, the alert resolves after 40 minutes, or with a frequency of 1 minute, the alert resolves after 32 minutes. The resolved notification is sent out via webhooks or email, and the status of the alert instance (called monitor state) in the Azure portal is also set to resolved.
The stateful alerts feature is currently in preview in the Azure public cloud. You can set this using Automatically resolve alerts in the alert details section.
Source: Log alerts in Azure Monitor - Azure Monitor | Microsoft Docs
Sep 02 2021 03:11 AM
Yes, correct that the alert goes into active or deactivated. I already enabled "automatically resolve alerts".
The problem is that in the log search alert I miss the activated or deactivated status in the payload, and I would like to add it because we need to check the status when a script in Automation calls the on-duty technician. Without the status, the script calls twice: when the log search alert fires and when the log search alert resolves.
I did a workaround but I would like to add it to the payload.
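An added example, not code from any poster in this thread and not the workaround mentioned above: a Python handler that unwraps the double-encoded RequestBody shown in the first post and normalises both schemas to one state before paging. For Microsoft.Insights/LogAlert it infers the state by re-checking ResultCount against the threshold, which is an assumption based on the sample payload (ResultCount 0 with "Greater Than" 1.0); the function names and the "Less Than" / "Equal To" operator spellings are also assumptions.

```python
import json

# "Greater Than" appears in the thread's payload; the other two operator
# spellings are assumptions and may need adjusting to match your rules.
OPERATORS = {
    "Greater Than": lambda count, limit: count > limit,
    "Less Than": lambda count, limit: count < limit,
    "Equal To": lambda count, limit: count == limit,
}

def alert_state(webhook_data):
    """Return 'Activated', 'Deactivated' or 'Unknown' for a webhook envelope."""
    envelope = json.loads(webhook_data)
    # RequestBody is itself a JSON document carried as a string.
    body = json.loads(envelope["RequestBody"])
    data = body.get("data") or {}
    if body.get("schemaId") == "AzureMonitorMetricAlert":
        return data.get("status", "Unknown")
    if body.get("schemaId") == "Microsoft.Insights/LogAlert":
        breached = OPERATORS.get(data.get("AlertThresholdOperator"))
        count, limit = data.get("ResultCount"), data.get("AlertThresholdValue")
        if breached is None or count is None or limit is None:
            return "Unknown"
        # Heuristic (assumption): condition met means fired, otherwise resolved.
        return "Activated" if breached(count, limit) else "Deactivated"
    return "Unknown"

def should_page(webhook_data):
    """Page the on-duty technician unless the alert is clearly resolved."""
    return alert_state(webhook_data) != "Deactivated"

def make_sample(schema_id, data):
    # Constructed sample in the envelope shape from the first post.
    body = json.dumps({"schemaId": schema_id, "data": data})
    return json.dumps({"WebhookName": "MyAlert", "RequestBody": body})

LOG_RESOLVED = make_sample("Microsoft.Insights/LogAlert", {
    "AlertThresholdOperator": "Greater Than", "AlertThresholdValue": 1.0, "ResultCount": 0})
LOG_FIRED = make_sample("Microsoft.Insights/LogAlert", {
    "AlertThresholdOperator": "Greater Than", "AlertThresholdValue": 1.0, "ResultCount": 7})
METRIC_FIRED = make_sample("AzureMonitorMetricAlert", {"version": "2.0", "status": "Activated"})

if __name__ == "__main__":
    for name, payload in [("log resolved", LOG_RESOLVED), ("log fired", LOG_FIRED),
                          ("metric fired", METRIC_FIRED)]:
        print(name, alert_state(payload), should_page(payload))
```

An unrecognised schema or operator yields "Unknown", which still pages, so a payload the handler cannot interpret is never silently dropped.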