Manage alert rules created in previous versions
Note
This article describes the process of managing alert rules created in the previous UI or using API version 2018-04-16 or earlier. Alert rules created in the latest UI are viewed and managed in the new UI, as described in Create, view, and manage log alerts using Azure Monitor.
In the portal, select the relevant resource.
Under Monitoring, select Alerts.
From the top command bar, select Alert rules.
Select the alert rule that you want to edit.
In the Condition section, select the condition.
The Configure signal logic pane opens, with historical data for the query appearing as a graph. You can change the time period of the chart to display data from the last six hours up to the last week. If your query results contain summarized data or specific columns without a time column, the chart shows a single value.
Edit the alert rule conditions using these sections:
Search Query. In this section, you can modify your query.
Alert logic. Log Alerts can be based on two types of Measures:
- Number of results - Count of records returned by the query.
- Metric measurement - Aggregate value calculated using summarize grouped by the expressions chosen and the bin() selection. For example:
// Reported errors
union Event, Syslog // Event table stores Windows event records, Syslog stores Linux records
| where EventLevelName == "Error" // EventLevelName is used in the Event (Windows) records
   or SeverityLevel == "err" // SeverityLevel is used in Syslog (Linux) records
| summarize AggregatedValue = count() by Computer, bin(TimeGenerated, 15m)
For metric measurements alert logic, you can specify how to split the alerts by dimensions using the Aggregate on option. The row grouping expression must be unique and sorted.
Note
Since bin() can produce uneven time intervals, the alert service automatically converts the bin() function to a bin_at() function with an appropriate fixed point at runtime, so that results align to a fixed boundary.
Note
Split by alert dimensions is only available for the current scheduledQueryRules API. If you use the legacy Log Analytics Alert API, you will need to switch. Learn more about switching. Resource-centric alerting at scale is only supported in API version 2021-08-01 and above.
Period. Choose the time range over which to assess the specified condition, using the Period option.
When you are finished editing the conditions, select Done.
Using the preview data, set the Operator, Threshold Value, and Frequency.
Set the number of violations to trigger an alert by using Total or Consecutive Breaches.
Select Done.
You can edit the rule Description and Severity. These details are used in all alert actions. Additionally, you can choose not to activate the alert rule on creation by unchecking Enable rule upon creation.
Use the Suppress Alerts option if you want to suppress rule actions for a specified time after an alert is fired. The rule still runs and creates alerts, but no actions are triggered, which prevents noise. The mute actions value must be greater than the alert frequency to be effective.

Specify if the alert rule should trigger one or more Action Groups when alert condition is met.
Note
Refer to the Azure subscription service limits for limits on the actions that can be performed.
Note
Log alert rules are currently stateless and do not resolve.
(Optional) Customize actions in log alert rules:
- Custom Email Subject: Overrides the e-mail subject of email actions. You can't modify the body of the mail and this field isn't for email addresses.
- Include custom Json payload: Overrides the webhook JSON used by Action Groups assuming the action group contains a webhook action. Learn more about webhook action for Log Alerts.

When you have finished editing all of the alert rule options, select Save.
Manage log alerts using PowerShell
Note
This article uses the Azure Az PowerShell module, which is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
Note
PowerShell is not currently supported in API version 2021-08-01.
Use the PowerShell cmdlets listed below to manage rules with the Scheduled Query Rules API.
- New-AzScheduledQueryRule : PowerShell cmdlet to create a new log alert rule.
- Set-AzScheduledQueryRule : PowerShell cmdlet to update an existing log alert rule.
- New-AzScheduledQueryRuleSource : PowerShell cmdlet to create or update object specifying source parameters for a log alert. Used as input by New-AzScheduledQueryRule and Set-AzScheduledQueryRule cmdlet.
- New-AzScheduledQueryRuleSchedule: PowerShell cmdlet to create or update object specifying schedule parameters for a log alert. Used as input by New-AzScheduledQueryRule and Set-AzScheduledQueryRule cmdlet.
- New-AzScheduledQueryRuleAlertingAction : PowerShell cmdlet to create or update object specifying action parameters for a log alert. Used as input by New-AzScheduledQueryRule and Set-AzScheduledQueryRule cmdlet.
- New-AzScheduledQueryRuleAznsActionGroup : PowerShell cmdlet to create or update object specifying action groups parameters for a log alert. Used as input by New-AzScheduledQueryRuleAlertingAction cmdlet.
- New-AzScheduledQueryRuleTriggerCondition : PowerShell cmdlet to create or update object specifying trigger condition parameters for log alert. Used as input by New-AzScheduledQueryRuleAlertingAction cmdlet.
- New-AzScheduledQueryRuleLogMetricTrigger : PowerShell cmdlet to create or update object specifying metric trigger condition parameters for a 'metric measurement' log alert. Used as input by New-AzScheduledQueryRuleTriggerCondition cmdlet.
- Get-AzScheduledQueryRule : PowerShell cmdlet to list existing log alert rules or a specific log alert rule.
- Update-AzScheduledQueryRule : PowerShell cmdlet to enable or disable a log alert rule.
- Remove-AzScheduledQueryRule : PowerShell cmdlet to delete an existing log alert rule.
Note
ScheduledQueryRules PowerShell cmdlets can only manage rules created in this version of the Scheduled Query Rules API. Log alert rules created using the legacy Log Analytics Alert API can be managed with PowerShell only after switching to the Scheduled Query Rules API.
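As an added example that is not part of the original article, the following hygiene check reviews legacy scheduled query rules for gaps a defender cares about: disabled rules, windows shorter than the evaluation frequency, rules with no action group, and rules authorized to query other resources. It assumes the objects returned by Get-AzScheduledQueryRule expose Name, Enabled, Schedule, Source and Action with the property names matching the cmdlet parameters listed above; the sample rules are constructed so the script runs offline.

```powershell
# Hypothetical helper; pipe Get-AzScheduledQueryRule output into it, or the samples below.
function Test-LogAlertRuleHygiene {
    param([Parameter(ValueFromPipeline)] $Rule)
    process {
        $findings = @()
        # A disabled rule is a silent detection gap; report it explicitly.
        if ("$($Rule.Enabled)" -ieq 'false') { $findings += 'RuleDisabled' }
        # A window shorter than the frequency leaves unevaluated time between runs.
        if ($Rule.Schedule.TimeWindowInMinutes -lt $Rule.Schedule.FrequencyInMinutes) {
            $findings += 'WindowShorterThanFrequency'
        }
        # Log alerts are stateless; a rule with no action group fires but notifies nobody.
        $groups = @($Rule.Action.AznsAction.ActionGroup | Where-Object { $_ })
        if ($groups.Count -eq 0) { $findings += 'NoActionGroup' }
        # Cross-resource authorization widens what a query edit to this rule can read.
        $authorized = @($Rule.Source.AuthorizedResources | Where-Object { $_ })
        if ($authorized.Count -gt 0) { $findings += 'CrossResourceQuery' }
        [pscustomobject]@{ Name = $Rule.Name; Findings = $findings }
    }
}

# Constructed sample data (placeholder IDs) standing in for Get-AzScheduledQueryRule output.
$sampleRules = @(
    [pscustomobject]@{
        Name = 'heartbeat-missing'; Enabled = 'true'
        Schedule = [pscustomobject]@{ FrequencyInMinutes = 15; TimeWindowInMinutes = 30 }
        Source = [pscustomobject]@{ Query = 'Heartbeat | summarize AggregatedValue = count() by bin(TimeGenerated, 5m), _ResourceId'; AuthorizedResources = @() }
        Action = [pscustomobject]@{ AznsAction = [pscustomobject]@{ ActionGroup = @('/subscriptions/<placeholder>/resourceGroups/contosoRG/providers/microsoft.insights/actiongroups/sampleAG') } }
    },
    [pscustomobject]@{
        Name = 'error-burst'; Enabled = 'false'
        Schedule = [pscustomobject]@{ FrequencyInMinutes = 30; TimeWindowInMinutes = 15 }
        Source = [pscustomobject]@{ Query = 'Event | where EventLevelName == "Error" | count'; AuthorizedResources = @('/subscriptions/<placeholder>/resourceGroups/contosoRG/providers/microsoft.insights/components/serviceAppInsights') }
        Action = [pscustomobject]@{ AznsAction = [pscustomobject]@{ ActionGroup = @() } }
    }
)

# Only rules with at least one finding are shown; 'error-burst' reports all four.
$sampleRules | Test-LogAlertRuleHygiene | Where-Object { $_.Findings.Count -gt 0 } |
    Format-Table Name, @{ n = 'Findings'; e = { $_.Findings -join ', ' } }
```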
Here are example steps for creating a log alert rule using PowerShell:
$source = New-AzScheduledQueryRuleSource -Query 'Heartbeat | summarize AggregatedValue = count() by bin(TimeGenerated, 5m), _ResourceId' -DataSourceId "/subscriptions/a123d7efg-123c-1234-5678-a12bc3defgh4/resourceGroups/contosoRG/providers/microsoft.OperationalInsights/workspaces/servicews"
$schedule = New-AzScheduledQueryRuleSchedule -FrequencyInMinutes 15 -TimeWindowInMinutes 30
$metricTrigger = New-AzScheduledQueryRuleLogMetricTrigger -ThresholdOperator "GreaterThan" -Threshold 2 -MetricTriggerType "Consecutive" -MetricColumn "_ResourceId"
$triggerCondition = New-AzScheduledQueryRuleTriggerCondition -ThresholdOperator "LessThan" -Threshold 5 -MetricTrigger $metricTrigger
$aznsActionGroup = New-AzScheduledQueryRuleAznsActionGroup -ActionGroup "/subscriptions/a123d7efg-123c-1234-5678-a12bc3defgh4/resourceGroups/contosoRG/providers/microsoft.insights/actiongroups/sampleAG" -EmailSubject "Custom email subject" -CustomWebhookPayload "{ `"alert`":`"#alertrulename`", `"IncludeSearchResults`":true }"
$alertingAction = New-AzScheduledQueryRuleAlertingAction -AznsAction $aznsActionGroup -Severity "3" -Trigger $triggerCondition
New-AzScheduledQueryRule -ResourceGroupName "contosoRG" -Location "Region Name for your Application Insights App or Log Analytics Workspace" -Action $alertingAction -Enabled $true -Description "Alert description" -Schedule $schedule -Source $source -Name "Alert Name"
Here are example steps for creating a log alert rule using PowerShell with cross-resource queries:
$authorized = @("/subscriptions/a123d7efg-123c-1234-5678-a12bc3defgh4/resourceGroups/contosoRG/providers/microsoft.OperationalInsights/workspaces/servicewsCrossExample", "/subscriptions/a123d7efg-123c-1234-5678-a12bc3defgh4/resourceGroups/contosoRG/providers/microsoft.insights/components/serviceAppInsights")
$source = New-AzScheduledQueryRuleSource -Query 'Heartbeat | summarize AggregatedValue = count() by bin(TimeGenerated, 5m), _ResourceId' -DataSourceId "/subscriptions/a123d7efg-123c-1234-5678-a12bc3defgh4/resourceGroups/contosoRG/providers/microsoft.OperationalInsights/workspaces/servicews" -AuthorizedResource $authorized
$schedule = New-AzScheduledQueryRuleSchedule -FrequencyInMinutes 15 -TimeWindowInMinutes 30
$metricTrigger = New-AzScheduledQueryRuleLogMetricTrigger -ThresholdOperator "GreaterThan" -Threshold 2 -MetricTriggerType "Consecutive" -MetricColumn "_ResourceId"
$triggerCondition = New-AzScheduledQueryRuleTriggerCondition -ThresholdOperator "LessThan" -Threshold 5 -MetricTrigger $metricTrigger
$aznsActionGroup = New-AzScheduledQueryRuleAznsActionGroup -ActionGroup "/subscriptions/a123d7efg-123c-1234-5678-a12bc3defgh4/resourceGroups/contosoRG/providers/microsoft.insights/actiongroups/sampleAG" -EmailSubject "Custom email subject" -CustomWebhookPayload "{ `"alert`":`"#alertrulename`", `"IncludeSearchResults`":true }"
$alertingAction = New-AzScheduledQueryRuleAlertingAction -AznsAction $aznsActionGroup -Severity "3" -Trigger $triggerCondition
New-AzScheduledQueryRule -ResourceGroupName "contosoRG" -Location "Region Name for your Application Insights App or Log Analytics Workspace" -Action $alertingAction -Enabled $true -Description "Alert description" -Schedule $schedule -Source $source -Name "Alert Name"
You can also create the log alert from a template and a parameters file using PowerShell:
Connect-AzAccount
Select-AzSubscription -SubscriptionName <yourSubscriptionName>
New-AzResourceGroupDeployment -Name AlertDeployment -ResourceGroupName ResourceGroupofTargetResource `
-TemplateFile mylogalerttemplate.json -TemplateParameterFile mylogalerttemplate.parameters.json
Next steps
- Learn about log alerts.
- Create log alerts using Azure Resource Manager Templates.
- Understand webhook actions for log alerts.
- Learn more about log queries.