0
votes

I have a log query like:

example_cl
| top 1 by TimeGenerated desc
| project in_use, unused, total = (in_use + unused)

Which gives me a simple output:

in_use  unused  total
  75     45      120

I wish to set a metric alert on this query such that when in_use crosses 90% of total it sends an email alert.

On trying to make the alert I'm always given the following error:

Search Query should contain 'AggregatedValue' and 'bin(TimeGenerated, [roundTo])' for Metric alert type

I need help figuring out the right query for this particular metric alert.


2 Answers

0
votes

In general, you get such an AggregatedValue-related error when you set the alert logic 'Based on' parameter to 'Metric measurement'.

For all the Metric measurement alert rules, please refer to this Microsoft documentation link: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-unified-log#metric-measurement-alert-rules

You would have to update your query to something like the sample shown below. Note that xxxxxxx in the sample query below is the group-by field. To understand what you may have to use in that field, please refer to the Microsoft documentation link provided above.

example_cl
| top 1 by TimeGenerated desc
// TimeGenerated (and the xxxxxxx group field) must survive the project, otherwise bin(TimeGenerated, ...) below has nothing to bin on
| project TimeGenerated, in_use, unused, total = (in_use + unused)
| summarize AggregatedValue = avg(in_use) by xxxxxxx, bin(TimeGenerated, 30s)

Hope this helps!! Cheers!!

0
votes

To add to what @KrishnaG-MSFT said: if you don't want to use the average as the aggregated value, you can use aggregate functions like count(), which would just treat the individual results as unique values and render the results.

example_cl
| top 1 by TimeGenerated desc
// keep TimeGenerated (and the xxxxxxx group field) so the summarize below can bin on it
| project TimeGenerated, in_use, unused, total = (in_use + unused)
| summarize AggregatedValue = count() by xxxxxxx, bin(TimeGenerated, 30s)

Some more examples of how I have rewritten queries:

Log Alert

Event
| where EventID == 1235
| project Computer, TimeGenerated,
    AlertType_s = "Test Connectrix",
    Severity = 4,
    SeverityName_s = "Information",
    AffectedCI_s = Computer,
    AlertTitle_s = strcat(Computer, ":Test Connectrix"),
    AlertDetails_s = RenderedDescription

The above log alert rewritten with metric measurement:

Observe that the aggregation is done on the number of rows returned.

Event
| where EventID == 1235
| project Computer, TimeGenerated,
    AlertType_s = "Test Connectrix",
    Severity = 4,
    SeverityName_s = "Information",
    AffectedCI_s = Computer,
    AlertTitle_s = strcat(Computer, ":Test Connectrix"),
    AlertDetails_s = RenderedDescription
| summarize AggregatedValue = count() by bin(TimeGenerated, 30m), Computer

Another metric measurement example, on the Perf (CPU) table:

let _maxValue = 80;
let _timeWindow = 4h;
let _AvgCpu = Perf
| where TimeGenerated >= ago(_timeWindow)
| where CounterName == "% Processor Time" and InstanceName =~ "_Total"
// count() takes no argument in KQL; CounterValue is never null here, so the sample count is the row count
| summarize mtgPerf = max(TimeGenerated), CounterValue = round(avg(CounterValue)), SampleCount = count()
    by Computer, InstanceName, CounterName, ObjectName;
_AvgCpu
| where CounterValue > _maxValue
| project Computer, ObjectName, CounterName, InstanceName,
    TimeGenerated = mtgPerf,
    CounterValue,
    AlertType_s = "Sustained High CPU Utilization",
    Severity = 4,
    SeverityName_s = "WARNING",
    AffectedCI_s = strcat(Computer, "/CPUPercent/", InstanceName),
    AlertTitle_s = strcat(Computer, ": Sustained High CPU Utilization"),
    AlertDetails_s = strcat("Computer: ", Computer,
                            " Average CPU Utilization: ", CounterValue, "%",
                            " Sample Period: Last ", _timeWindow,
                            " Sample Count: ", SampleCount,
                            " Alert Threshold: > ", _maxValue, "%")
| summarize AggregatedValue = count() by bin(TimeGenerated, 30m), Computer, ObjectName, CounterName, InstanceName,
    CounterValue, AlertType_s, Severity, SeverityName_s, AffectedCI_s, AlertTitle_s, AlertDetails_s

Hope this helps.
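As an added example that is not code from either answer above: both answers show the shape a metric measurement query must have (an AggregatedValue column and a bin(TimeGenerated, ...) group), but the question's actual condition is in_use crossing 90% of total, so the percentage itself is the natural AggregatedValue. The query below assumes example_cl carries numeric in_use and unused columns as in the question and a Computer column as the group-by dimension (an assumption; substitute whatever field identifies the resource you are measuring). The top 1 row is dropped in favour of summarizing the whole look-back window, because the alert evaluates the query over its own period and needs one AggregatedValue per time bin per dimension:

```kusto
// Added example, not from the original answers.
// Assumptions: example_cl has numeric in_use and unused columns (as in the question)
// and a Computer column to group by (assumed; use your own dimension field).
example_cl
| where TimeGenerated > ago(1h)                        // look-back window; align with the alert period
| extend total = in_use + unused
| where total > 0                                      // skip rows that would divide by zero
| extend in_use_pct = 100.0 * todouble(in_use) / todouble(total)
// One AggregatedValue per 5-minute bin per Computer; max() so a short spike inside a bin
// is not averaged away (use avg() instead if you want sustained usage).
| summarize AggregatedValue = max(in_use_pct) by Computer, bin(TimeGenerated, 5m)
```

In the alert rule, choose 'Metric measurement' and set the threshold on AggregatedValue to greater than 90; each 5-minute bin in which any sample exceeds 90% of total then counts as a breach, and the rule's breach count decides whether the email action fires. The where total > 0 guard matters: a row with both counters at zero would otherwise produce a null percentage that silently disappears from the summarize.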