Forum Discussion

roopesh_shetty's avatar
roopesh_shetty
Copper Contributor
May 22, 2019

repeated alerts

Hi Guys, Using below query I have enabled the alert for Processor Utilization with threshold of 80% targeting multiple windows servers on my workspace in Azure monitoring log space analytics. Perf | ...
Azure Log Analytics
azure monitor
CliveWatson's avatar
CliveWatson
Former Employee
May 23, 2019

roopesh_shetty

 

I think the challenge is the 5min window, the alert only sees the data within the past 5mins and has no concept of what happened before, hence it will fire the alert again.   I'm happy to be corrected here but you'll probably need to add a longer window or use something like dynamic thresholds https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-dynamic-thresholds#what-do-the-advanced-settings-in-dynamic-thresholds-mean

 

My other thought, was some logic to check the Alerts, still a work in progress (I just got 10 randon records, but we need to match the computer names with past alerts) but might help?

 

Perf
| where TimeGenerated > ago(5m)
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 1m), Computer
| join (
    AlertHistory
    | limit 10
) on $left.Computer == $right.SourceDisplayName
roopesh_shetty's avatar
roopesh_shetty
Copper Contributor
May 24, 2019

Hi,

 

I tried to run this query provided by you, but getting the error as ;

'take' operator: Failed to resolve table or column expression named 'AlertHistory' Support id: 6b982987-9b2b-4b24-b555-9b6ee8787e87

 

Query :

Perf
| where TimeGenerated > ago(5m)
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 1m), Computer
| join (
AlertHistory
| limit 10
) on $left.Computer == $right.SourceDisplayName

 

What could be wrong on this query.

    • roopesh_shetty's avatar
      roopesh_shetty
      Copper Contributor
      May 24, 2019

      CliveWatson 

       

       

      Hi CLive,

       

      this query output is always blank. Where we need to specify the threshold as 80% on this query?

       

      Perf
      | where TimeGenerated > ago(5m)
      | where ObjectName == "Processor" and CounterName == "% Processor Time"
      | summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 1m), Computer
      | join (
      Alert
      | limit 10
      ) on $left.Computer == $right.SourceDisplayName

       

      • CliveWatson's avatar
        CliveWatson
        Former Employee
        May 24, 2019
        Hi, I was just giving you (and others) some KQL suggestions, hence a basic query, this isn't a fully working solution - it will need extra logic, and I don't even know if it will work...

Resources