Create alert based on custom logs by using azure command line tool

Question

I have tried creating metrics alert based on custom log query by using az command line tool. What I have managed to so far is to;

saving custom log query
creating action group for sending alert information

What I have not managed to do is to create alert by using az monitor metrics alert create command so that it is based on number of results the saved loq query returns. Is it possible to create metric alert based on custom log query by using az command line tool?

Silveri · Answer 1 · 2021-07-31T10:27:10.483

If you know the command, the help messages are generally quite useful and detailed:

az monitor scheduled-query create --help

Here's one example based on a query that worked for me. It assumes you've already created a resource group, workspace and action group:

RESOURCE_GROUP="ResourceGroupName"
WORKSPACE_NAME="LogAnalyticsWorkspaceName"
ACTION_GROUP_NAME="ActionGroupName"

QUERY='AzureDiagnostics
| where Message contains "Connection successful"
| where TimeGenerated > ago(5m)
| order by TimeGenerated desc'

WORKSPACE_ID=$(az monitor log-analytics workspace show \
    --resource-group $RESOURCE_GROUP \
    --workspace-name $WORKSPACE_NAME \
    --query id --out tsv)

az monitor scheduled-query create \
    --name "TestScheduledQuery" \
    --resource-group $RESOURCE_GROUP \
    --scopes $WORKSPACE_ID \
    --description "Test rule" \
    --action $ACTION_GROUP_NAME \
    --evaluation-frequency 5m \
    --mute-actions-duration PT30M \
    --severity 3 \
    --condition "count 'QRY1' > 0" \
    --condition-query QRY1="$QUERY"

This example will:

run every 5 minutes (--evaluation-frequency)
look for new diagnostics fitting the constraints that were generated in the last 5 minutes (QUERY)
if the match count is greater than zero (--condition):
- it'll activate an alert (send a mail, etc. depending on the Action Group in --action)
- and once an alert has fired it will be muted for 30 minutes so that repeated alerts won't spam anyone (--mute-actions-duration)

Most of these settings are the defaults anyway, I've just defined them for clarity.

score 0 · Answer 2 · answered Dec 17 '20 at 07:16

Custom log search alerts are of type microsoft.insights/scheduledqueryrules. So you may use the az monitor scheduled-query set of commands to manage your Scheduled Query rules (resources).

To create a scheduled query, use the az monitor scheduled-query create command:

az monitor scheduled-query create --condition
                                  --name
                                  --resource-group
                                  --scopes
                                  [--action]
                                  [--description]
                                  [--disabled {false, true}]
                                  [--evaluation-frequency]
                                  [--location]
                                  [--mad]
                                  [--severity]
                                  [--tags]
                                  [--target-resource-type]
                                  [--window-size]

Check the Azure CLI command reference to know the available parameters and their definitions.

Some other ways of creating Log alerts are described in this document: Create, view, and manage log alerts using Azure Monitor

Create alert based on custom logs by using azure command line tool

2 Answers2