Scheduled Query Rules - Create Or Update

Creates or updates a log search rule.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.insights/scheduledQueryRules/{ruleName}?api-version=2018-04-16

URI Parameters

Name In Required Type Description
subscriptionId
path True
  • string

The Azure subscription Id.

resourceGroupName
path True
  • string

The name of the resource group.

ruleName
path True
  • string

The name of the rule.

api-version
query True
  • string

Client Api Version.

Request Body

Name Required Type Description
location True
  • string

Resource location

properties.action True Action:

Action to be taken on rule execution.

properties.description
  • string

The description of the Log Search rule.

properties.enabled

The flag which indicates whether the Log Search rule is enabled. Value should be true or false

properties.schedule

Schedule (Frequency, Time Window) for rule. Required for action type - AlertingAction

properties.source True

Data source against which the rule queries data.

tags
  • object

Resource tags

Responses

Name Type Description
200 OK

Successful request to update a Log Search rule

201 Created

Created alert rule

Other Status Codes

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Create or Update rule - AlertingAction
Create or Update rule - AlertingAction with Cross-Resource
Create or Update rule - LogToMetricAction

Create or Update rule - AlertingAction

Sample Request

PUT https://management.azure.com/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourcegroups/Rac46PostSwapRG/providers/microsoft.insights/scheduledQueryRules/logalertfoo?api-version=2018-04-16
{
  "location": "eastus",
  "tags": {},
  "properties": {
    "description": "log alert description",
    "enabled": "true",
    "lastUpdatedTime": "2017-06-23T21:23:52.0221265Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": "Heartbeat | summarize AggregatedValue = count() by bin(TimeGenerated, 5m)",
      "dataSourceId": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/Microsoft.OperationalInsights/workspaces/sampleWorkspace",
      "queryType": "ResultCount"
    },
    "schedule": {
      "frequencyInMinutes": 15,
      "timeWindowInMinutes": 15
    },
    "action": {
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",
      "severity": "1",
      "aznsAction": {
        "actionGroup": [],
        "emailSubject": "Email Header",
        "customWebhookPayload": "{}"
      },
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 3,
        "metricTrigger": {
          "thresholdOperator": "GreaterThan",
          "threshold": 5,
          "metricTriggerType": "Consecutive",
          "metricColumn": "Computer"
        }
      }
    }
  }
}

Sample Response

{
  "id": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/scheduledQueryRules/logalertfoo",
  "name": "logalertfoo",
  "type": "Microsoft.Insights/scheduledQueryRules",
  "location": "eastus",
  "tags": {},
  "properties": {
    "description": "log alert description",
    "enabled": "true",
    "lastUpdatedTime": "2017-06-23T21:23:52.0221265Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": "Heartbeat | summarize AggregatedValue = count() by bin(TimeGenerated, 5m)",
      "dataSourceId": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/Microsoft.OperationalInsights/workspaces/sampleWorkspace",
      "queryType": "ResultCount"
    },
    "schedule": {
      "frequencyInMinutes": 15,
      "timeWindowInMinutes": 15
    },
    "action": {
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",
      "severity": "1",
      "aznsAction": {
        "actionGroup": [],
        "emailSubject": "Email Header",
        "customWebhookPayload": "{}"
      },
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 3,
        "metricTrigger": {
          "thresholdOperator": "GreaterThan",
          "threshold": 5,
          "metricTriggerType": "Consecutive",
          "metricColumn": "Computer"
        }
      }
    }
  }
}
{
  "id": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/scheduledQueryRules/logalertfoo",
  "name": "logalertfoo",
  "type": "Microsoft.Insights/scheduledQueryRules",
  "location": "eastus",
  "tags": {},
  "properties": {
    "description": "log alert description",
    "enabled": "true",
    "lastUpdatedTime": "2017-06-23T21:23:52.0221265Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": "Heartbeat",
      "queryType": "ResultCount",
      "dataSourceId": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/Microsoft.OperationalInsights/workspaces/sampleWorkspace"
    },
    "schedule": {
      "frequencyInMinutes": 15,
      "timeWindowInMinutes": 15
    },
    "action": {
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",
      "severity": "1",
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 3
      },
      "aznsAction": {
        "actionGroup": [],
        "emailSubject": "Email Header",
        "customWebhookPayload": "{}"
      }
    }
  }
}

Create or Update rule - AlertingAction with Cross-Resource

Sample Request

PUT https://management.azure.com/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourcegroups/Rac46PostSwapRG/providers/microsoft.insights/scheduledQueryRules/SampleCrossResourceAlert?api-version=2018-04-16
{
  "location": "eastus",
  "tags": {},
  "properties": {
    "description": "Sample Cross Resource alert",
    "enabled": "true",
    "source": {
      "query": "union requests, workspace(\"sampleWorkspace\").Update",
      "authorizedResources": [
        "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/Microsoft.OperationalInsights/workspaces/sampleWorkspace",
        "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/components/sampleAI"
      ],
      "dataSourceId": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/components/sampleAI",
      "queryType": "ResultCount"
    },
    "schedule": {
      "frequencyInMinutes": 60,
      "timeWindowInMinutes": 60
    },
    "action": {
      "severity": "3",
      "aznsAction": {
        "actionGroup": [
          "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/actiongroups/test-ag"
        ],
        "emailSubject": "Cross Resource Mail!!"
      },
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 5000
      },
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction"
    }
  }
}

Sample Response

{
  "id": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/scheduledQueryRules/SampleCrossResourceAlert",
  "name": "SampleCrossResourceAlert",
  "type": "Microsoft.Insights/scheduledQueryRules",
  "location": "eastus",
  "tags": {},
  "properties": {
    "description": "Sample Cross Resource alert",
    "enabled": "true",
    "lastUpdatedTime": "2018-09-04T06:27:58.3892575Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": "union requests, workspace(\"sampleWorkspace\").Update",
      "authorizedResources": [
        "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/Microsoft.OperationalInsights/workspaces/sampleWorkspace",
        "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/components/sampleAI"
      ],
      "dataSourceId": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/components/sampleAI",
      "queryType": "ResultCount"
    },
    "schedule": {
      "frequencyInMinutes": 60,
      "timeWindowInMinutes": 60
    },
    "action": {
      "severity": "3",
      "aznsAction": {
        "actionGroup": [
          "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/actiongroups/test-ag"
        ],
        "emailSubject": "Cross Resource Mail!!"
      },
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 5000
      },
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction"
    }
  }
}
{
  "id": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/scheduledQueryRules/SampleCrossResourceAlert",
  "name": "SampleCrossResourceAlert",
  "type": "Microsoft.Insights/scheduledQueryRules",
  "location": "eastus",
  "tags": {},
  "properties": {
    "description": "Sample Cross Resource alert",
    "enabled": "true",
    "lastUpdatedTime": "2018-09-04T06:27:58.3892575Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": "union requests, workspace(\"sampleWorkspace\").Update",
      "authorizedResources": [
        "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/Microsoft.OperationalInsights/workspaces/sampleWorkspace",
        "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/components/sampleAI"
      ],
      "dataSourceId": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/components/sampleAI",
      "queryType": "ResultCount"
    },
    "schedule": {
      "frequencyInMinutes": 60,
      "timeWindowInMinutes": 60
    },
    "action": {
      "severity": "3",
      "aznsAction": {
        "actionGroup": [
          "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/actiongroups/test-ag"
        ],
        "emailSubject": "Cross Resource Mail!!"
      },
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 5000
      },
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction"
    }
  }
}

Create or Update rule - LogToMetricAction

Sample Request

PUT https://management.azure.com/subscriptions/af52d502-a447-4bc6-8cb7-4780fbb00490/resourcegroups/alertsweu/providers/microsoft.insights/scheduledQueryRules/logtometricfoo?api-version=2018-04-16
{
  "location": "West Europe",
  "tags": {},
  "properties": {
    "description": "log to metric description",
    "enabled": "true",
    "source": {
      "dataSourceId": "/subscriptions/af52d502-a447-4bc6-8cb7-4780fbb00490/resourceGroups/alertsweu/providers/Microsoft.OperationalInsights/workspaces/alertsweu"
    },
    "action": {
      "criteria": [
        {
          "metricName": "Average_% Idle Time",
          "dimensions": []
        }
      ],
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.LogToMetricAction"
    }
  }
}

Sample Response

{
  "id": "/subscriptions/af52d502-a447-4bc6-8cb7-4780fbb00490/resourceGroups/alertsweu/providers/microsoft.insights/scheduledqueryrules/logtometricfoo",
  "name": "logtometricfoo",
  "type": "microsoft.insights/scheduledqueryrules",
  "location": "westeurope",
  "tags": {},
  "properties": {
    "description": "log to metric description",
    "displayName": "logtometricfoo",
    "enabled": "true",
    "lastUpdatedTime": "2018-09-04T06:31:56.3737792Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": null,
      "dataSourceId": "/subscriptions/af52d502-a447-4bc6-8cb7-4780fbb00490/resourceGroups/alertsweu/providers/Microsoft.OperationalInsights/workspaces/alertsweu"
    },
    "schedule": null,
    "action": {
      "criteria": [
        {
          "metricName": "Average_% Idle Time",
          "dimensions": []
        }
      ],
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.LogToMetricAction"
    }
  }
}
{
  "id": "/subscriptions/af52d502-a447-4bc6-8cb7-4780fbb00490/resourceGroups/alertsweu/providers/microsoft.insights/scheduledqueryrules/logtometricfoo",
  "name": "logtometricfoo",
  "type": "microsoft.insights/scheduledqueryrules",
  "location": "westeurope",
  "tags": {},
  "properties": {
    "description": "log to metric description",
    "enabled": "true",
    "lastUpdatedTime": "2018-09-04T06:27:58.3892575Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": null,
      "dataSourceId": "/subscriptions/af52d502-a447-4bc6-8cb7-4780fbb00490/resourceGroups/alertsweu/providers/Microsoft.OperationalInsights/workspaces/alertsweu"
    },
    "schedule": null,
    "action": {
      "criteria": [
        {
          "metricName": "Average_% Idle Time",
          "dimensions": []
        }
      ],
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.LogToMetricAction"
    }
  }
}

Definitions

AlertingAction

Specifies the action to be taken when the rule type is Alert.

AlertSeverity

Severity Level of Alert

AzNsActionGroup

Azure action group

ConditionalOperator

Result Condition Evaluation criteria. Supported Values - 'GreaterThan' or 'LessThan' or 'Equal'.

Criteria

Specifies the criteria for converting log to metric.

Dimension

Specifies the criteria for converting log to metric.

enabled

The flag which indicates whether the Log Search rule is enabled. Value should be true or false

ErrorResponse

Describes the format of Error response.

LogMetricTrigger

A log metrics trigger descriptor.

LogSearchRuleResource

The Log Search Rule resource.

LogToMetricAction

Specifies the action to be taken when the rule type is converting log to metric.

metricTriggerType

Metric Trigger Type - 'Consecutive' or 'Total'

operator

Operator for dimension values

provisioningState

Provisioning state of the scheduled query rule

QueryType

Set value to 'ResultCount'

Schedule

Defines how often to run the search and the time interval.

Source

Specifies the log search query.

TriggerCondition

The condition that results in the Log Search rule.

AlertingAction

Specifies the action to be taken when the rule type is Alert.

Name Type Description
aznsAction

Azure action group reference.

odata.type string:
  • Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction

Specifies the action. Supported values - AlertingAction, LogToMetricAction

severity

Severity of the alert

throttlingInMin
  • integer

Time (in minutes) for which alerts should be throttled or suppressed.

trigger

The trigger condition that results in the alert rule being.

AlertSeverity

Severity Level of Alert

Name Type Description
0
  • string
1
  • string
2
  • string
3
  • string
4
  • string

AzNsActionGroup

Azure action group

Name Type Description
actionGroup
  • string[]

Azure Action Group reference.

customWebhookPayload
  • string

Custom payload to be sent to all webhook URIs in the Azure action group.

emailSubject
  • string

Custom subject override for all email IDs in the Azure action group.

ConditionalOperator

Result Condition Evaluation criteria. Supported Values - 'GreaterThan' or 'LessThan' or 'Equal'.

Name Type Description
Equal
  • string
GreaterThan
  • string
LessThan
  • string

Criteria

Specifies the criteria for converting log to metric.

Name Type Description
dimensions

List of Dimensions for creating metric

metricName
  • string

Name of the metric

Dimension

Specifies the criteria for converting log to metric.

Name Type Description
name
  • string

Name of the dimension

operator

Operator for dimension values

values
  • string[]

List of dimension values

enabled

The flag which indicates whether the Log Search rule is enabled. Value should be true or false

Name Type Description
false
  • string
true
  • string

ErrorResponse

Describes the format of Error response.

Name Type Description
code
  • string

Error code

message
  • string

Error message indicating why the operation failed.

LogMetricTrigger

A log metrics trigger descriptor.

Name Type Description
metricColumn
  • string

Evaluation of metric on a particular column

metricTriggerType

Metric Trigger Type - 'Consecutive' or 'Total'

threshold
  • number

The threshold of the metric trigger.

thresholdOperator

Evaluation operation for metric - 'GreaterThan' or 'LessThan' or 'Equal'.

LogSearchRuleResource

The Log Search Rule resource.

Name Type Description
id
  • string

Azure resource Id

location
  • string

Resource location

name
  • string

Azure resource name

properties.action Action:

Action to be taken on rule execution.

properties.description
  • string

The description of the Log Search rule.

properties.enabled

The flag which indicates whether the Log Search rule is enabled. Value should be true or false

properties.lastUpdatedTime
  • string

Last time the rule was updated in ISO 8601 format.

properties.provisioningState

Provisioning state of the scheduled query rule

properties.schedule

Schedule (Frequency, Time Window) for rule. Required for action type - AlertingAction

properties.source

Data source against which the rule queries data.

tags
  • object

Resource tags

type
  • string

Azure resource type

LogToMetricAction

Specifies the action to be taken when the rule type is converting log to metric.

Name Type Description
criteria

Criteria of Metric

odata.type string:
  • Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.LogToMetricAction

Specifies the action. Supported values - AlertingAction, LogToMetricAction

metricTriggerType

Metric Trigger Type - 'Consecutive' or 'Total'

Name Type Description
Consecutive
  • string
Total
  • string

operator

Operator for dimension values

Name Type Description
Include
  • string

provisioningState

Provisioning state of the scheduled query rule

Name Type Description
Canceled
  • string
Deploying
  • string
Failed
  • string
Succeeded
  • string

QueryType

Set value to 'ResultCount'

Name Type Description
ResultCount
  • string

Schedule

Defines how often to run the search and the time interval.

Name Type Description
frequencyInMinutes
  • integer

Frequency (in minutes) at which the rule condition should be evaluated.

timeWindowInMinutes
  • integer

Time window for which data needs to be fetched for query (should be greater than or equal to frequencyInMinutes).

Source

Specifies the log search query.

Name Type Description
authorizedResources
  • string[]

List of resources referred to in the query.

dataSourceId
  • string

The resource uri over which log search query is to be run.

query
  • string

Log search query. Required for action type - AlertingAction

queryType

Set value to 'ResultCount'.

TriggerCondition

The condition that results in the Log Search rule.

Name Type Description
metricTrigger

Trigger condition for metric query rule

threshold
  • number

Result or count threshold based on which rule should be triggered.

thresholdOperator

Evaluation operation for rule - 'GreaterThan' or 'LessThan'.
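
A pre-flight check for the request body, as an added example (not part of the original reference and not Microsoft's code). `lint_rule`, `ODATA_NS` and `SAMPLE` are hypothetical names; the checks cover the constraints stated on this page (fields required for AlertingAction, the time window versus frequency rule, the enum values) and additionally flag disabled rules and an empty `actionGroup` list.

```python
ODATA_NS = ("Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft."
            "AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.")
OPERATORS = {"GreaterThan", "LessThan", "Equal"}  # ConditionalOperator values
SEVERITIES = {"0", "1", "2", "3", "4"}            # AlertSeverity values


def lint_rule(body):
    """Return findings for a PUT body (dict); enum fields are checked only when present."""
    findings = [] if body.get("location") else ["location is required"]
    props = body.get("properties") or {}
    for key in ("source", "action"):
        if not props.get(key):
            findings.append(f"properties.{key} is required")
    source, action = props.get("source") or {}, props.get("action") or {}
    if str(props.get("enabled")).lower() == "false":
        findings.append("rule is disabled (enabled=false)")
    if action.get("odata.type") != ODATA_NS + "AlertingAction":
        return findings  # schedule and query are only required for AlertingAction
    if not source.get("query"):
        findings.append("source.query is required for AlertingAction")
    sched = props.get("schedule")
    if not sched:
        findings.append("properties.schedule is required for AlertingAction")
    elif sched.get("timeWindowInMinutes", 0) < sched.get("frequencyInMinutes", 0):
        findings.append("timeWindowInMinutes is shorter than frequencyInMinutes")
    if str(action.get("severity", "0")) not in SEVERITIES:
        findings.append("severity is not one of 0-4")
    trigger = action.get("trigger") or {}
    metric = trigger.get("metricTrigger") or {}
    for name, cond in (("trigger", trigger), ("metricTrigger", metric)):
        if cond.get("thresholdOperator", "Equal") not in OPERATORS:
            findings.append(f"{name}.thresholdOperator is not a supported value")
    if metric.get("metricTriggerType", "Total") not in ("Consecutive", "Total"):
        findings.append("metricTriggerType must be Consecutive or Total")
    if not (action.get("aznsAction") or {}).get("actionGroup"):
        findings.append("aznsAction.actionGroup is empty: no action group referenced")
    return findings


# Constructed sample based on the page's AlertingAction request, with two faults added.
SAMPLE = {
    "location": "eastus",
    "properties": {
        "enabled": "true",
        "source": {"query": "Heartbeat"},
        "schedule": {"frequencyInMinutes": 15, "timeWindowInMinutes": 5},
        "action": {
            "odata.type": ODATA_NS + "AlertingAction",
            "severity": "1",
            "aznsAction": {"actionGroup": [], "emailSubject": "Email Header"},
            "trigger": {"thresholdOperator": "GreaterThan", "threshold": 3,
                        "metricTrigger": {"thresholdOperator": "GreaterOrEqual", "threshold": 5,
                                          "metricTriggerType": "Consecutive"}},
        },
    },
}

if __name__ == "__main__":
    print("\n".join(lint_rule(SAMPLE)))
```

The empty `actionGroup` finding also applies to the page's own first sample request, which passes `"actionGroup": []`.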