How to create custom alerts with log analytics query by using ARM templates

0
votes

I am working on to create the alerts in azure for various azure resources using ARM templates. But I want to create custom alerts for Azure Data Factory by using below log analytics query:

"alertLogQuery": "ADFPipelineRun\r\n| where ResourceId has 'df-xxx-xxx-xxxx'\r\n| where TimeGenerated > ago(15m)\r\n| where Status has 'Queued'\r\n| where PipelineName in ('pl_xxx_Business_xxx_Check' , 'pl_xxx_xxxx_Date_Check')\r\n| summarize by PipelineName, TimeGenerated\n",

Template file:

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
    "isEnabled": {
        "type": "bool",
        "defaultValue": true,
        "metadata": {
            "description": "Specifies whether the alert is enabled"
        }
    },
    "rgNameOfActionGroup": {
        "type": "string",
        "metadata": {
            "description": "The resource group name of the action group"
        }
    },
    "actionGroupName": {
        "type": "string",
        "metadata": {
            "description": "The name of the action group"
        }
    },
    "rgNameOfLogAnalyticsWorkspace": {
        "type": "string",
        "metadata": {
            "description": "The resource group name of the log analytics workspace"
        }
    },
    "logAnalyticsWorkspaceName": {
        "type": "string",
        "metadata": {
            "description": "The name of the log analytics workspace"
        }
    },
    "alertTypes": {
        "type": "array",
        "metadata": {
            "description": "An array that contains objects with properties for the metric alerts."
        }
    }
},
"variables": {
    "actionGroupResourceId": "[concat('/subscriptions/',subscription().subscriptionId, '/resourceGroups/', parameters('rgNameOfActionGroup'), '/providers/Microsoft.insights/actionGroups/', parameters('actionGroupName'))]",
    "workspaceResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('rgNameOfLogAnalyticsWorkspace'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsWorkspaceName'))]",
    "copy": [
        {
            "name": "alertTypes",
            "count": "[length(parameters('alertTypes'))]",
            "input": "[parameters('alertTypes')[copyIndex('alertTypes')].alertName]"
        }
    ],
    "alertSource": {
        "Type": "ResultCount"
    },
    "alertEvaluation": {
        "Frequency": 15,
        "Time": 15
    },
    "alertActions": {
        "SuppressTimeinMin": 20
    }
},
"resources": [
    {
        "copy": {
            "name": "alertTypes",
            "count": "[length(parameters('alertTypes'))]"
        },
        "name": "[parameters('alertTypes')[copyIndex('alertTypes')].alertName]",
        "type": "Microsoft.Insights/scheduledQueryRules",
        "apiVersion": "2018-04-16",
        "location": "global",
        "tags": {},
        "properties": {
            "description": "[parameters('alertTypes')[copyIndex('alertTypes')].alertDescription]",
            "enabled": "[parameters('isEnabled')]",
            "source": {
                "query": "[parameters('alertTypes')[copyIndex('alertTypes')].alertLogQuery]",
                "dataSourceId": "[variables('workspaceResourceId')]",
                "queryType": "[variables('alertSource').Type]"
            },
            "schedule": {
                "frequencyInMinutes": "[variables('alertEvaluation').Frequency]",
                "timeWindowInMinutes": "[variables('alertEvaluation').Time]"
            },
            "action": {
                "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",
                "severity": "[parameters('alertTypes')[copyIndex('alertTypes')].alertSeverity]",
                "throttlingInMin": "[variables('alertActions').SuppressTimeinMin]",
                "aznsAction": {
                    "actionGroup": "[array(variables('actionGroupResourceId'))]",
                    "emailSubject": "[parameters('alertTypes')[copyIndex('alertTypes')].alertName]"
                },
                "trigger": {
                    "thresholdOperator": "[parameters('alertTypes')[copyIndex('alertTypes')].operator]",
                    "threshold": "[parameters('alertTypes')[copyIndex('alertTypes')].thresholdValue]",
                    "metricTrigger": {
                        "thresholdOperator": "[parameters('alertTypes')[copyIndex('alertTypes')].operator]",
                        "threshold": "[parameters('alertTypes')[copyIndex('alertTypes')].thresholdValue]",
                        "metricColumn": "Classification",
                        "metricTriggerType": "Consecutive"
                    }
                }
            }
        }
    }
],
"outputs": {
    "alertNames": {
        "type": "array",
        "value": "[variables('alertTypes')]"
    }
}
  }

I'm getting the below error:

Template validation failed: The template resource 'df-xx-xx-xxx-Queued Demo ADF pipelines alert/report' for type 'Microsoft.WindowsAzure.ResourceStack.Frontdoor.Common.Entities.TemplateGenericProperty`1[System.String]' at line '71' and column '60' has incorrect segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name.

So, can anyone suggest me how to fix the above issue.

1
azureazure-data-factory-2azure-log-analyticsazure-alerts
Take a look at this link.Ivan Yang

1 Answers

0
votes

Please refer to this link. In the variables -> alertSource section, you can add your custom alert rule there:

"alertSource":{
            "Query":"write your query here",
            "SourceId": "xxxxx",
            "Type":"xxxx"
        },

Note that you need to escape some characters like "" in your query if it has.