question

TuukkaTiainen-8657 avatar image
0 Votes"
TuukkaTiainen-8657 asked stan answered

Log Analytics cross workspace queries work but alerts from them will not

Hi.

I have 2 workspaces. One of them is WaaSUpdateInsights and the second one consist of my custom logs from Intune Graph API.

The queries combining these two seem to work just fine. They do return the right number of rows and everything. The problem appears when I try to use these queries as Alerts. The alerts are based on the number of results. The alerts will never trigger.

Can someone help me?

83516-image.png
83469-image.png


azure-monitor
image.png (23.5 KiB)
image.png (19.1 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@TuukkaTiainen-8657 Thanks for posting in our Q&A. For this issue, it is more related to Azure monitor. Given this situation, I will change the intune tag to Azure monitor tag. Thanks.

0 Votes 0 ·

1 Answer

stan avatar image
0 Votes"
stan answered

I think this is only possible when configured via ARM template. Example is available here with two workspaces. The alert is linked to only one of the workspace but it is authorized to reach to another workspace and the query contains the workspace ID of the second workspace:

https://github.com/slavizh/ARMTemplates/blob/master/alerts/log-analytics-metric-measurement-3.json

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.