Forum Discussion
How to export Azure Alert Rules (Log Analytics)
Hi Stanislav,
Apologies if I misunderstood your information, as I am not an expert in OMS, but...
I do have some alerts (in Log Analytics) configured for which we do not have any "saved search".
As far as I know, earlier it was like: create a search -> save it -> create a rule and use that saved search.
But now I do not need to save the search; I can directly create a rule.
Please let me know if I am missing anything or if my understanding is incorrect.
FYI: I tried collecting the details of all saved searches using the command below and it worked as expected.
(Get-AzureRmOperationalInsightsSavedSearch -ResourceGroupName "<Resource_Group_Name>" -WorkspaceName "<Workspace_Name>").Value.Properties | where category -eq "Alert"
Regards, Ravi
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-api-alerts
Via AzureRM cmdlets you can get only saved search resources but not schedules and actions; that is why these people are using scripts that query the Log Analytics API directly. As I've said, you will need to get all the resources to construct the full properties of an alert. Remember my note that these resources are nested within each other. I am currently away from my computer so I do not have access to my env.
- Ravi Gupta, Aug 13, 2018, Copper Contributor
Hi Stanislav,
I read the link you have shared, but that is again about "Saved Search".
As mentioned earlier, I have some alert rules configured but there is no "Saved Search" for them. So, I cannot go via this route.
I logged a case with MS Support. They said that it is not necessary that every alert rule will have a "Saved Search". MS Support is still checking their resources on how to collect rule details using PowerShell/REST API.
Do let me know if you have any other pointers for the same.
Regards, Ravi
- Aug 13, 2018
Hi Ravi,
All the Log Analytics search-based alerts have a search query (saved search) under which they run. If you do not have such, I see 3 possible reasons:
- Either there is some completely new API for Log Analytics search-based alerts that I am not aware of. I really doubt that this is the possibility, but you never know.
- You are not actually creating Log Analytics search-based alerts. Maybe some of the other types of alerts that have different APIs.
- You are not able to find the saved searches for some reason.
I can say also that MS Support could be wrong if they haven't understood the request well or if they are talking general stuff. Yes, the statement "it is not necessary that every Alert rule will have a Saved Search" is true, because there are multiple alert types and every alert type has a different API.
To see that I am not making this up, below you can see the first call to the API that the Azure Portal makes when it is creating a Log Analytics search-based alert. As you can see, the first call is to create a saved search. The other two calls (not in the screenshots) are a schedule inside the saved search resource and an action inside the schedule resource.
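The nesting described in this thread (saved search, then schedule, then action) can be walked with plain REST calls. The script below is an added example, not code posted by anyone in the thread; it uses the resource paths and api-version from the documentation linked above, and it assumes you supply an ARM bearer token in `$Token` and that the last segment of each returned `id` is the resource name.

```powershell
# Added example: export Log Analytics search-based alerts by walking
# savedSearches -> schedules -> actions. Parameter names and the output
# file name are this example's own, not from the thread.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $WorkspaceName,
    [Parameter(Mandatory)] [string] $Token,   # assumption: ARM bearer token obtained separately
    [string] $OutFile = '.\log-analytics-alerts.json'
)

$api     = 'api-version=2015-03-20'
$base    = "https://management.azure.com/subscriptions/$SubscriptionId" +
           "/resourceGroups/$ResourceGroupName" +
           "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName"
$headers = @{ Authorization = "Bearer $Token" }

function Get-ArmList([string] $Uri) {
    # List calls return { "value": [ ... ] }; emit nothing when the list is empty.
    $response = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
    if ($response.value) { $response.value }
}

$alerts = foreach ($search in (Get-ArmList "$base/savedSearches?$api")) {
    # Assumption: the resource name is the last path segment of the id.
    $searchId = ($search.id -split '/')[-1]

    # A saved search with no schedule is just a stored query, not an alert;
    # the inner loop does not run for it, so it is left out of the export.
    foreach ($schedule in (Get-ArmList "$base/savedSearches/$searchId/schedules?$api")) {
        $scheduleId = ($schedule.id -split '/')[-1]
        $actions = @(Get-ArmList "$base/savedSearches/$searchId/schedules/$scheduleId/actions?$api")

        # One record per schedule, carrying all three nested resources.
        [pscustomobject]@{
            SavedSearchId = $searchId
            DisplayName   = $search.properties.DisplayName
            Query         = $search.properties.Query
            ScheduleId    = $scheduleId
            Schedule      = $schedule.properties
            Actions       = @($actions | ForEach-Object { $_.properties })
        }
    }
}

# -Depth keeps the nested schedule and action properties from being truncated.
@($alerts) | ConvertTo-Json -Depth 10 | Set-Content -Path $OutFile -Encoding UTF8
```

Action properties can include notification recipients and webhook URLs, so store the exported file with the same care as the workspace configuration itself.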