0
votes

I have faced an issue where the ARM template cannot parse the query I'm trying to pass when I try to deploy my custom log alert.

Error:

[Screenshot of the error message]

Can someone show me how to avoid this? I tried to escape the characters and to hardcode it into the template, but that doesn't seem to work.

Here is the template resource I'm using:

{
    "type": "Microsoft.Insights/scheduledQueryRules",
    "name": "Sample log query alert",
    "apiVersion": "2018-04-16",
    "location": "global",
    "properties": {
        "description": "[parameters('alertDescription')]",
        "enabled": "[parameters('isEnabled')]",
        "source": {
            "query": "requests | project timestamp, operation_Name, success, cloud_RoleName | where timestamp > ago(5m) | where cloud_RoleName =~ 'appName' and operation_Name =~ 'functionName' and success == false",
            "dataSourceId": "[resourceId('Microsoft.insights/components',parameters('applicationInsightsName'))]",
            "queryType": "ResultCount"
        },
        "schedule": {
            "frequencyInMinutes": 1,
            "timeWindowInMinutes": 5
        },
        "action": {
            "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",
            "severity": "[parameters('alertSeverity')]",
            "aznsAction": {
                "actionGroup": [
                    "[resourceId('Microsoft.Insights/actionGroups',parameters('actionGroupName'))]"
                ]
            }
        },
        "trigger": {
            "thresholdOperator": "GreaterThan",
            "threshold": 0
        }
    }
}

Here is the query I'm trying to use:

requests | project timestamp, operation_Name, success, cloud_RoleName | where timestamp > ago(5m) | where cloud_RoleName =~ 'appName' and operation_Name =~ 'functionName' and success == false
                

Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-log#create-a-log-alert-rule-with-the-azure-portal

https://devblogs.microsoft.com/premier-developer/alerts-based-on-analytics-query-using-custom-log-search/

1 Answer

0
votes

For the | character, please make sure it's an English character, and just hard-code it in the template.

I tested it on my side and it works fine. Here is my template.json:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "scheduledqueryrules_my_test_222_name": {
            "defaultValue": "my test 33300",
            "type": "String"
        },
        "components_yyinsights333_externalid": {
            "defaultValue": "/subscriptions/xxxxx/resourceGroups/xxxxx/providers/microsoft.insights/components/yyinsights333",
            "type": "String"
        },
        "actiongroups_yyactiongroup11_externalid": {
            "defaultValue": "/subscriptions/xxxx/resourceGroups/xxxx/providers/microsoft.insights/actiongroups/yyactiongroup11",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "microsoft.insights/scheduledqueryrules",
            "apiVersion": "2018-04-16",
            "name": "[parameters('scheduledqueryrules_my_test_222_name')]",
            "location": "westus2",
            "properties": {
                "enabled": "true",
                "source": {
                    "query": "requests | project timestamp, operation_Name, success, cloud_RoleName | where timestamp > ago(5m) | where cloud_RoleName =~ 'appName' and operation_Name =~ 'functionName' and success == false",
                    "authorizedResources": [],
                    "dataSourceId": "[parameters('components_yyinsights333_externalid')]",
                    "queryType": "ResultCount"
                },
                "schedule": {
                    "frequencyInMinutes": 5,
                    "timeWindowInMinutes": 5
                },
                "action": {
                    "severity": "3",
                    "aznsAction": {
                        "actionGroup": [
                            "[parameters('actiongroups_yyactiongroup11_externalid')]"
                        ]
                    },
                    "trigger": {
                        "thresholdOperator": "GreaterThan",
                        "threshold": 20
                    },
                    "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction"
                }
            }
        }
    ]
}

and here is the parameters.json:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "scheduledqueryrules_my_test_222_name": {
        "value": "my test 33300"
      },
      "components_yyinsights333_externalid": {
        "value": "/subscriptions/xxx/resourceGroups/xxx/providers/microsoft.insights/components/yyinsights333"
      },
      "actiongroups_yyactiongroup11_externalid": {
        "value": "/subscriptions/xxx/resourceGroups/xxx/providers/microsoft.insights/actiongroups/yyactiongroup11"
      }
    }
}

Deploy using PowerShell:

[Screenshot of the PowerShell deployment]

Please give it a try by copy-pasting my .json files, and let me know if you have more issues.

Another solution is to first create this alert manually via the UI in the Azure portal. After it is created, navigate to the alert rule, copy the template file generated by Azure, and then use the correct JSON file to deploy your alert. Here is a screenshot of how to check the auto-generated template:

[Screenshot of the auto-generated template in the Azure portal]
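
Added example, not part of the original answer: a Python check for the advice that the | must be an "English" character, read here as plain ASCII (U+007C). It scans the query of every scheduledQueryRules resource in a template for non-ASCII characters; the sample template and its rule names are constructed for illustration.

```python
import json
import unicodedata

RULE_TYPE = "microsoft.insights/scheduledqueryrules"


def find_non_ascii(query):
    """Return (index, char, unicode_name, ascii_suggestion) per non-ASCII char."""
    findings = []
    for i, ch in enumerate(query):
        if ord(ch) < 128:
            continue
        # NFKC folds compatibility forms (e.g. a fullwidth pipe) to ASCII.
        folded = unicodedata.normalize("NFKC", ch)
        suggestion = folded if folded.isascii() else None
        findings.append((i, ch, unicodedata.name(ch, "UNKNOWN"), suggestion))
    return findings


def check_template(template_text):
    """Map each scheduledQueryRules resource name to the findings in its query."""
    template = json.loads(template_text)
    report = {}
    for res in template.get("resources", []):
        # Resource types are matched case-insensitively, as both spellings
        # appear in the question and the answer.
        if res.get("type", "").lower() != RULE_TYPE:
            continue
        query = res.get("properties", {}).get("source", {}).get("query", "")
        report[res.get("name", "<unnamed>")] = find_non_ascii(query)
    return report


# Constructed sample: the first query holds a fullwidth pipe (U+FF5C) of the
# kind that can arrive via copy-paste; the second uses the ASCII pipe.
SAMPLE = json.dumps({
    "resources": [
        {"type": "Microsoft.Insights/scheduledQueryRules", "name": "pasted-rule",
         "properties": {"source": {"query": "requests \uff5c where success == false"}}},
        {"type": "microsoft.insights/scheduledqueryrules", "name": "typed-rule",
         "properties": {"source": {"query": "requests | where success == false"}}},
    ]
})

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

Running a check like this before deployment catches look-alike characters that are hard to spot by eye in a long single-line query.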