Disable an alert when Data ingestion stopped

%3CLINGO-SUB%20id%3D%22lingo-sub-2963857%22%20slang%3D%22en-US%22%3EDisable%20an%20alert%20when%20Data%20ingestion%20stopped%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2963857%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%2C%3C%2FP%3E%3CP%3EAm%20triggering%20alert%20using%20application%20insight%20logs%20whenever%20the%20below%20query%20doesn't%20return%20any%20records%3C%2FP%3E%3CP%3E%3CSTRONG%3EAlert%20%231%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EcustomMetrics%3CBR%20%2F%3E%7C%20where%20timestamp%20%26gt%3B%20ago(5m)%3CBR%20%2F%3E%7C%20where%20name%20%3D%3D%20'HeartbeatState'%3C%2FP%3E%3CP%3E%7C%20where%20cloud_RoleName%20in%20('Demoservice1')%3CBR%20%2F%3E%7C%20summarize%20count()%20by%20bin(timestamp%2C%205m)%2C%20cloud_RoleName%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20alert%20is%20working%20as%20expected%20but%20this%20alert%20also%20fires%20when%20ever%20Daily%20Data%20cap%20reached%20and%20Data%20ingestion%20is%20stopped%20.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAm%20using%20the%20below%20query%20using%20log%20analytics%20workspace%20logs%20to%20trigger%20alert%20when%20Data%20ingestion%20stopped%3C%2FP%3E%3CP%3E%3CSTRONG%3EAlert%232%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E_LogOperation%26nbsp%3B%7C%20where%20Operation%20%3D~%20%22Data%20collection%20stopped%22%20%7C%20where%20Detail%20contains%20%22OverQuota%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20think%20its%20possible%20to%20Suppress%20alert1%20when%20alert%202%20is%20triggered%20.%20I%20couldn't%20combine%20this%20both%20query%20because%20one%20is%20from%20AppInsight%20and%20other%20one%20is%20from%20Loganalytics%20worspace.%3C%2FP%3E%3CP%3EI%20have%20also%20tried%20to%20find%20Daily%20Cap%20reached%20message%20from%20Activity%20log%20but%20am%20not%20sure%20how%20can%20i%20use%20that%20along%20with%20customMetrics%20Query.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20suggestion%20please%20to%20avoid%20getting%20alerts%20once%20Data%20ingestion%20stopped%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2965492%22%20slang%3D%22en-US%22%3ERe%3A%20Disable%20an%20alert%20when%20Data%20ingestion%20stopped%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2965492%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1020473%22%20target%3D%22_blank%22%3E%40Racheal2k%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELog%20Search%20Alerts%20supports%20alert%20rules%20combined%20from%20both%20AI%20%2B%20LA%20and%20looks%20like%20it%20should%20solve%20the%20problem.%20What%20was%20the%20issue%20you've%20faced%20with%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi ,

Am triggering alert using application insight logs whenever the below query doesn't return any records

Alert #1 

customMetrics
| where timestamp > ago(5m)
| where name == 'HeartbeatState'

| where cloud_RoleName in ('Demoservice1')
| summarize count() by bin(timestamp, 5m), cloud_RoleName;

 

This alert is working as expected but this alert also fires when ever Daily Data cap reached and Data ingestion is stopped . 

 

Am using the below query using log analytics workspace logs to trigger alert when Data ingestion stopped

Alert#2

_LogOperation | where Operation =~ "Data collection stopped" | where Detail contains "OverQuota"

 

I don't think its possible to Suppress alert1 when alert 2 is triggered . I couldn't combine this both query because one is from AppInsight and other one is from Loganalytics worspace.

I have also tried to find Daily Cap reached message from Activity log but am not sure how can i use that along with customMetrics Query.

 

Any suggestion please to avoid getting alerts once Data ingestion stopped

 

Thanks!

 

1 Reply

Hi @Racheal2k,

 

Log Search Alerts supports alert rules combined from both AI + LA and looks like it should solve the problem. What was the issue you've faced with?