
Create and manage alert rules in Log Analytics with REST API

Important

As announced, Log Analytics workspaces created after June 1, 2019 manage alert rules using the current scheduledQueryRules API. Customers are encouraged to switch to the current API in older workspaces to leverage the Azure Monitor scheduledQueryRules benefits. This article describes management of alert rules using the legacy API.

The Log Analytics Alert REST API allows you to create and manage alerts in Log Analytics. This article provides details of the API and several examples for performing different operations.

The Log Analytics Search REST API is RESTful and can be accessed via the Azure Resource Manager REST API. In this document, you will find examples where the API is accessed from a PowerShell command line using ARMClient, an open-source command-line tool that simplifies invoking the Azure Resource Manager API. The use of ARMClient and PowerShell is one of many options to access the Log Analytics Search API. With these tools, you can utilize the RESTful Azure Resource Manager API to make calls to Log Analytics workspaces and perform search commands within them. The API outputs search results in JSON format, allowing you to use them in many different ways programmatically.

Prerequisites

Currently, alerts can only be created with a saved search in Log Analytics. Refer to the Log Search REST API for more information.

Schedules

A saved search can have one or more schedules. The schedule defines how often the search is run and the time interval over which the criteria are evaluated. Schedules have the properties in the following table.

| Property | Description |
|---|---|
| Interval | How often the search is run. Measured in minutes. |
| QueryTimeSpan | The time interval over which the criteria are evaluated. Must be equal to or greater than Interval. Measured in minutes. |
| Version | The API version being used. Currently, this should always be set to 1. |

For example, consider an event query with an Interval of 15 minutes and a QueryTimeSpan of 30 minutes. In this case, the query would be run every 15 minutes, and an alert would be triggered if the criteria continued to resolve to true over a 30-minute span.

Retrieving schedules

Use the Get method to retrieve all schedules for a saved search.

armclient get /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules?api-version=2015-03-20

Use the Get method with a schedule ID to retrieve a particular schedule for a saved search.

armclient get /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}?api-version=2015-03-20

Following is a sample response for a schedule.

{
   "value": [{
      "id": "subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/sampleRG/providers/Microsoft.OperationalInsights/workspaces/MyWorkspace/savedSearches/0f0f4853-17f8-4ed1-9a03-8e888b0d16ec/schedules/a17b53ef-bd70-4ca4-9ead-83b00f2024a8",
      "etag": "W/\"datetime'2016-02-25T20%3A54%3A49.8074679Z'\"",
      "properties": {
         "Interval": 15,
         "QueryTimeSpan": 15,
         "Enabled": true
      }
   }]
}

Creating a schedule

Use the Put method with a unique schedule ID to create a new schedule. Two schedules cannot have the same ID even if they are associated with different saved searches. When you create a schedule in the Log Analytics console, a GUID is generated for the schedule ID.

Note

The name for all saved searches, schedules, and actions created with the Log Analytics API must be in lowercase.

$scheduleJson = "{'properties': { 'Interval': 15, 'QueryTimeSpan':15, 'Enabled':'true' } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/mynewschedule?api-version=2015-03-20 $scheduleJson

Editing a schedule

Use the Put method with an existing schedule ID for the same saved search to modify that schedule; in the example below the schedule is disabled. The body of the request must include the etag of the schedule.

$scheduleJson = "{'etag': 'W/\""datetime'2016-02-25T20%3A54%3A49.8074679Z'\""','properties': { 'Interval': 15, 'QueryTimeSpan':15, 'Enabled':'false' } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/mynewschedule?api-version=2015-03-20 $scheduleJson
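As an added example (not code from the original page, from ARMClient, or from the service), the following Python builds and validates the schedule URL and request body used in the Get, Put, and Delete calls above, so that the JSON comes from a serializer instead of hand-quoted shell strings. It enforces the constraints from the Schedules table (QueryTimeSpan equal to or greater than Interval, Version 1) and the note that names must be lowercase. The `NAME_RE` pattern, the `disable_schedule_body` helper, and the placeholder identifiers are assumptions introduced here; Enabled is sent as a JSON boolean, as it appears in the sample response.

```python
import json
import re

API_VERSION = "2015-03-20"
# Assumption: the page's lowercase-name rule is enforced here as lowercase
# letters, digits and dashes for the schedule segment of the URL.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]*$")


def schedule_url(subscription_id, resource_group, workspace, search_id, schedule_id):
    """Return the .../schedules/{id} path used with armclient get/put/delete."""
    if not NAME_RE.match(schedule_id):
        raise ValueError(f"schedule ID must be lowercase: {schedule_id!r}")
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/savedSearches/{search_id}/schedules/{schedule_id}"
            f"?api-version={API_VERSION}")


def schedule_body(interval, query_time_span, enabled=True, etag=None):
    """Build the Put body for a schedule as a dict, enforcing the table's rules.

    Interval and QueryTimeSpan are minutes; QueryTimeSpan must be >= Interval;
    Version is always 1. Pass the current etag when editing an existing schedule.
    """
    if interval <= 0:
        raise ValueError("Interval must be a positive number of minutes")
    if query_time_span < interval:
        raise ValueError("QueryTimeSpan must be equal to or greater than Interval")
    body = {"properties": {"Interval": interval,
                           "QueryTimeSpan": query_time_span,
                           "Enabled": bool(enabled),
                           "Version": 1}}
    if etag is not None:
        body["etag"] = etag
    return body


def schedule_json(interval, query_time_span, enabled=True, etag=None):
    """Serialized form to hand to armclient put."""
    return json.dumps(schedule_body(interval, query_time_span, enabled, etag))


def disable_schedule_body(etag, interval, query_time_span):
    """The 'Editing a schedule' step: same properties, Enabled false, etag required."""
    if not etag:
        raise ValueError("an edit must carry the etag returned by Get")
    return schedule_body(interval, query_time_span, enabled=False, etag=etag)


if __name__ == "__main__":
    # Constructed placeholder identifiers; substitute your own values.
    url = schedule_url("00000000-0000-0000-0000-000000000000", "sampleRG",
                       "MyWorkspace", "0f0f4853-17f8-4ed1-9a03-8e888b0d16ec",
                       "mynewschedule")
    print("armclient put", url)
    print(schedule_json(15, 15))
    print(json.dumps(disable_schedule_body("W/\"datetime'2016-02-25T20%3A54%3A49.8074679Z'\"", 15, 15)))
```

Pass the serialized string as the last argument to armclient put, or write it to a file and pass that instead, which sidesteps PowerShell quoting entirely (ARMClient's `@file` body argument is assumed here; confirm it with your build's help output).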

Deleting schedules

Use the Delete method with a schedule ID to delete a schedule.

armclient delete /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}?api-version=2015-03-20

Actions

A schedule can have multiple actions. An action may define one or more processes to perform, such as sending a mail or starting a runbook, or it may define a threshold that determines when the results of a search match some criteria. Some actions define both, so that the processes are performed when the threshold is met.

All actions have the properties in the following table. Different types of alerts have different additional properties, which are described below.

| Property | Description |
|---|---|
| Type | Type of the action. Currently the possible values are Alert and Webhook. |
| Name | Display name for the alert. |
| Version | The API version being used. Currently, this should always be set to 1. |

Retrieving actions

Use the Get method to retrieve all actions for a schedule.

armclient get /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions?api-version=2015-03-20

Use the Get method with the action ID to retrieve a particular action for a schedule.

armclient get /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/{Action ID}?api-version=2015-03-20

Creating or editing actions

Use the Put method with an action ID that is unique to the schedule to create a new action. When you create an action in the Log Analytics console, a GUID is generated for the action ID.

Note

The name for all saved searches, schedules, and actions created with the Log Analytics API must be in lowercase.

Use the Put method with an existing action ID for the same saved search to modify that action. The body of the request must include the etag of the action.

The request format for creating a new action varies by action type, so the examples are provided in the sections below.

Deleting actions

Use the Delete method with the action ID to delete an action.

armclient delete /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/{Action ID}?api-version=2015-03-20

Alert Actions

A schedule should have one and only one Alert action. Alert actions have one or more of the sections in the following table. Each is described in further detail below.

| Section | Description | Usage |
|---|---|---|
| Threshold | Criteria for when the action is run. | Required for every alert, before or after it is extended to Azure. |
| Severity | Label used to classify the alert when triggered. | Required for every alert, before or after it is extended to Azure. |
| Suppress | Option to stop notifications from the alert. | Optional for every alert, before or after it is extended to Azure. |
| Action Groups | IDs of the Azure Action Group in which the required actions are specified, such as e-mails, SMS, voice calls, webhooks, Automation runbooks, ITSM connectors, etc. | Required once alerts are extended to Azure. |
| Customize Actions | Modify the standard output for select actions from the Action Group. | Optional for every alert; can be used after alerts are extended to Azure. |

Thresholds

An Alert action should have one and only one threshold. When the results of a saved search match the threshold in an action associated with that search, any other processes in that action are run. An action can also contain only a threshold, so that it can be used with actions of other types that do not contain thresholds.

Thresholds have the properties in the following table.

| Property | Description |
|---|---|
| Operator | Operator for the threshold comparison: gt = Greater Than, lt = Less Than. |
| Value | Value for the threshold. |

For example, consider an event query with an Interval of 15 minutes, a QueryTimeSpan of 30 minutes, and a Threshold of greater than 10. In this case, the query would be run every 15 minutes, and an alert would be triggered if it returned more than 10 events that were created over a 30-minute span.

Following is a sample response for an action with only a threshold.

"etag": "W/\"datetime'2016-02-25T20%3A54%3A20.1302566Z'\"",
"properties": {
   "Type": "Alert",
   "Name": "My threshold action",
   "Threshold": {
      "Operator": "gt",
      "Value": 10
   },
   "Version": 1
}

Use the Put method with a unique action ID to create a new threshold action for a schedule.

$thresholdJson = "{'properties': { 'Name': 'My Threshold', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 10 } } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/mythreshold?api-version=2015-03-20 $thresholdJson

Use the Put method with an existing action ID to modify a threshold action for a schedule. The body of the request must include the etag of the action.

$thresholdJson = "{'etag': 'W/\""datetime'2016-02-25T20%3A54%3A20.1302566Z'\""','properties': { 'Name': 'My Threshold', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 10 } } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/mythreshold?api-version=2015-03-20 $thresholdJson

Severity

Log Analytics allows you to classify your alerts into categories, to allow easier management and triage. The alert severities defined are informational, warning, and critical. These are mapped to the normalized severity scale of Azure Alerts as follows:

| Log Analytics Severity Level | Azure Alerts Severity Level |
|---|---|
| critical | Sev 0 |
| warning | Sev 1 |
| informational | Sev 2 |

Following is a sample response for an action with only a threshold and severity.

"etag": "W/\"datetime'2016-02-25T20%3A54%3A20.1302566Z'\"",
"properties": {
   "Type": "Alert",
   "Name": "My threshold action",
   "Threshold": {
      "Operator": "gt",
      "Value": 10
   },
   "Severity": "critical",
   "Version": 1
}

Use the Put method with a unique action ID to create a new action with severity for a schedule.

$thresholdWithSevJson = "{'properties': { 'Name': 'My Threshold', 'Version':'1','Severity': 'critical', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 10 } } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/mythreshold?api-version=2015-03-20 $thresholdWithSevJson

Use the Put method with an existing action ID to modify the severity of an action for a schedule. The body of the request must include the etag of the action.

$thresholdWithSevJson = "{'etag': 'W/\""datetime'2016-02-25T20%3A54%3A20.1302566Z'\""','properties': { 'Name': 'My Threshold', 'Version':'1','Severity': 'critical', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 10 } } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/mythreshold?api-version=2015-03-20 $thresholdWithSevJson

Suppress

Log Analytics based query alerts fire every time the threshold is met or exceeded. Depending on the logic implied in the query, this may result in the alert firing for a series of intervals and hence notifications being sent constantly. To prevent such a scenario, a user can set the Suppress option, instructing Log Analytics to wait for a stipulated amount of time before a notification is sent a second time for the alert rule. So if Suppress is set to 30 minutes, the alert fires the first time and sends the configured notifications, but then waits 30 minutes before notifications for the alert rule are sent again. In the interim period, the alert rule continues to run; only the notification is suppressed by Log Analytics for the specified time, regardless of how many times the alert rule fired in this period.

The Suppress property of a Log Analytics alert rule is specified using the Throttling value, and the suppression period using the DurationInMinutes value.
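The Interval/QueryTimeSpan example in the Schedules section, the threshold example in the Thresholds section, and the Suppress behaviour described here all describe one evaluation loop. The following Python simulation is an added example (not the page's or the service's code) that runs that loop over a constructed list of event timestamps. The event minutes, the `horizon`, and the helper names are assumptions; the window semantics (a trailing QueryTimeSpan window evaluated every Interval minutes, with Throttling holding back notifications but not evaluation) follow the page's description.

```python
# Constructed sample: minute offsets at which matching events were created.
# Twelve events spread over the first 24 minutes, then one event per minute
# from minute 31 to minute 60.
EVENT_MINUTES = list(range(2, 25, 2)) + list(range(31, 61))


def threshold_met(count, operator, value):
    """The page's two operators: gt = greater than, lt = less than."""
    if operator == "gt":
        return count > value
    if operator == "lt":
        return count < value
    raise ValueError(f"unknown operator {operator!r}")


def run_schedule(event_minutes, interval, query_time_span, operator, value,
                 throttle_minutes=0, horizon=120):
    """Simulate one schedule plus its Alert action over `horizon` minutes.

    Every `interval` minutes the search counts events in the trailing
    `query_time_span` window and compares the count with the threshold.
    Throttling (DurationInMinutes) suppresses notifications for
    `throttle_minutes` after one is sent; the rule keeps running and can
    still fire during that period. Returns one dict per run.
    """
    if query_time_span < interval:
        raise ValueError("QueryTimeSpan must be equal to or greater than Interval")
    runs = []
    last_notification = None
    for t in range(interval, horizon + 1, interval):
        count = sum(1 for m in event_minutes if t - query_time_span < m <= t)
        fired = threshold_met(count, operator, value)
        notified = False
        if fired and (last_notification is None
                      or t - last_notification >= throttle_minutes):
            notified = True
            last_notification = t
        runs.append({"minute": t, "count": count,
                     "fired": fired, "notified": notified})
    return runs


def fired_at(runs):
    """Minutes at which the threshold was met (the rule fired)."""
    return [r["minute"] for r in runs if r["fired"]]


def notified_at(runs):
    """Minutes at which a notification actually went out."""
    return [r["minute"] for r in runs if r["notified"]]


if __name__ == "__main__":
    # Interval 15, QueryTimeSpan 30, Threshold gt 10, Throttling 30 minutes.
    runs = run_schedule(EVENT_MINUTES, 15, 30, "gt", 10, throttle_minutes=30)
    for r in runs:
        print(r)
    print("fired at:", fired_at(runs))
    print("notified at:", notified_at(runs))
```

With Interval 15, QueryTimeSpan 30, a threshold of gt 10, and DurationInMinutes 30, the rule fires at minutes 30, 45, 60, and 75, but notifications go out only at 30 and 60: the firings at 45 and 75 fall inside the 30-minute suppression window, yet the rule still evaluated and still matched, which is exactly the distinction the Suppress section draws.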

Following is a sample response for an action with only a threshold, severity, and suppress property.

"etag": "W/\"datetime'2016-02-25T20%3A54%3A20.1302566Z'\"",
"properties": {
   "Type": "Alert",
   "Name": "My threshold action",
   "Threshold": {
      "Operator": "gt",
      "Value": 10
   },
   "Throttling": {
      "DurationInMinutes": 30
   },
   "Severity": "critical",
   "Version": 1
}

Use the Put method with a unique action ID to create a new action with suppression for a schedule.

$AlertSuppressJson = "{'properties': { 'Name': 'My Threshold', 'Version':'1','Severity': 'critical', 'Type':'Alert', 'Throttling': { 'DurationInMinutes': 30 },'Threshold': { 'Operator': 'gt', 'Value': 10 } } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myalert?api-version=2015-03-20 $AlertSuppressJson

Use the Put method with an existing action ID to modify the suppression of an action for a schedule. The body of the request must include the etag of the action.

$AlertSuppressJson = "{'etag': 'W/\""datetime'2016-02-25T20%3A54%3A20.1302566Z'\""','properties': { 'Name': 'My Threshold', 'Version':'1','Severity': 'critical', 'Type':'Alert', 'Throttling': { 'DurationInMinutes': 30 },'Threshold': { 'Operator': 'gt', 'Value': 10 } } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myalert?api-version=2015-03-20 $AlertSuppressJson

Action Groups

All alerts in Azure use Action Groups as the default mechanism for handling actions. With an Action Group, you can specify your actions once and then associate the action group with multiple alerts across Azure, without needing to repeatedly declare the same actions. Action Groups support multiple actions, including email, SMS, voice call, ITSM connection, Automation runbook, webhook URI, and more.

For users who have extended their alerts into Azure, a schedule should now have Action Group details passed along with the threshold to be able to create an alert. E-mail details, webhook URLs, Runbook Automation details, and other actions need to be defined inside an Action Group before creating an alert; you can create an Action Group from Azure Monitor in the portal or use the Action Group API.

To associate an action group with an alert, specify the unique Azure Resource Manager ID of the action group in the alert definition. A sample illustration is provided below:

"etag": "W/\"datetime'2017-12-13T10%3A52%3A21.1697364Z'\"",
"properties": {
   "Type": "Alert",
   "Name": "test-alert",
   "Description": "I need to put a description here",
   "Threshold": {
      "Operator": "gt",
      "Value": 12
   },
   "AzNsNotification": {
      "GroupIds": [
         "/subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup"
      ]
   },
   "Severity": "critical",
   "Version": 1
}

Use the Put method with a unique action ID to associate an existing Action Group with a schedule. The following is a sample illustration of usage.

$AzNsJson = "{'properties': { 'Name': 'test-alert', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 12 },'Severity': 'critical', 'AzNsNotification': {'GroupIds': ['subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup']} } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myAzNsaction?api-version=2015-03-20 $AzNsJson

Use the Put method with an existing action ID to modify the Action Group associated with a schedule. The body of the request must include the etag of the action.

$AzNsJson = "{'etag': 'W/\""datetime'2017-12-13T10%3A52%3A21.1697364Z'\""', 'properties': { 'Name': 'test-alert', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 12 },'Severity': 'critical', 'AzNsNotification': { 'GroupIds': ['subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup'] } } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myAzNsaction?api-version=2015-03-20 $AzNsJson

Customize Actions

By default, actions follow a standard template and format for notifications. But the user can customize some actions, even if they are controlled by Action Groups. Currently, customization is possible for the email subject and the webhook payload.

Customize E-Mail Subject for Action Group

By default, the email subject for alerts is: Alert Notification <AlertName> for <WorkspaceName>. This can be customized so that you can specify words or tags that let you easily employ filter rules in your inbox. The customized email subject needs to be sent along with the Action Group details, as in the sample below.

"etag": "W/\"datetime'2017-12-13T10%3A52%3A21.1697364Z'\"",
"properties": {
   "Type": "Alert",
   "Name": "test-alert",
   "Description": "I need to put a description here",
   "Threshold": {
      "Operator": "gt",
      "Value": 12
   },
   "AzNsNotification": {
      "GroupIds": [
         "/subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup"
      ],
      "CustomEmailSubject": "Azure Alert fired"
   },
   "Severity": "critical",
   "Version": 1
}

Use the Put method with a unique action ID to associate an existing Action Group, with customization, with a schedule. The following is a sample illustration of usage.

$AzNsJson = "{'properties': { 'Name': 'test-alert', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 12 },'Severity': 'critical', 'AzNsNotification': {'GroupIds': ['subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup'], 'CustomEmailSubject': 'Azure Alert fired'} } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myAzNsaction?api-version=2015-03-20 $AzNsJson

Use the Put method with an existing action ID to modify the Action Group associated with a schedule. The body of the request must include the etag of the action.

$AzNsJson = "{'etag': 'W/\""datetime'2017-12-13T10%3A52%3A21.1697364Z'\""', 'properties': { 'Name': 'test-alert', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 12 },'Severity': 'critical', 'AzNsNotification': {'GroupIds': ['subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup'], 'CustomEmailSubject': 'Azure Alert fired'} } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myAzNsaction?api-version=2015-03-20 $AzNsJson

Customize Webhook Payload for Action Group

By default, the webhook sent via an Action Group for Log Analytics has a fixed structure. But you can customize the JSON payload by using the specific variables supported, to meet the requirements of the webhook endpoint. For more information, see Webhook action for log alert rules.

The customized webhook details need to be sent along with the Action Group details and will be applied to all webhook URIs specified inside the action group, as in the sample below.

"etag": "W/\"datetime'2017-12-13T10%3A52%3A21.1697364Z'\"",
"properties": {
   "Type": "Alert",
   "Name": "test-alert",
   "Description": "I need to put a description here",
   "Threshold": {
      "Operator": "gt",
      "Value": 12
   },
   "AzNsNotification": {
      "GroupIds": [
         "/subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup"
      ],
      "CustomWebhookPayload": "{\"field1\":\"value1\",\"field2\":\"value2\"}",
      "CustomEmailSubject": "Azure Alert fired"
   },
   "Severity": "critical",
   "Version": 1
}

Use the Put method with a unique action ID to associate an existing Action Group, with customization, with a schedule. The following is a sample illustration of usage.

$AzNsJson = "{'properties': { 'Name': 'test-alert', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 12 },'Severity': 'critical', 'AzNsNotification': {'GroupIds': ['subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup'], 'CustomEmailSubject': 'Azure Alert fired','CustomWebhookPayload': '{\""field1\"":\""value1\"",\""field2\"":\""value2\""}'} } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myAzNsaction?api-version=2015-03-20 $AzNsJson

Use the Put method with an existing action ID to modify the Action Group associated with a schedule. The body of the request must include the etag of the action.

$AzNsJson = "{'etag': 'W/\""datetime'2017-12-13T10%3A52%3A21.1697364Z'\""', 'properties': { 'Name': 'test-alert', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 12 },'Severity': 'critical', 'AzNsNotification': {'GroupIds': ['subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup'], 'CustomEmailSubject': 'Azure Alert fired','CustomWebhookPayload': '{\""field1\"":\""value1\"",\""field2\"":\""value2\""}'} } }"
armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myAzNsaction?api-version=2015-03-20 $AzNsJson
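To cover the Alert action bodies from the Thresholds, Severity, Suppress, Action Groups, and Customize Actions sections with one builder, the following Python is an added example (not the page's or the API's code). It assembles the properties object, maps Log Analytics severities to the Azure Alerts scale from the table above, checks that GroupIds look like action group resource IDs (the `ACTION_GROUP_ID_RE` pattern is an assumption modelled on the page's sample ID), and JSON-encodes the CustomWebhookPayload dict into the string form the sample responses show, so that the nested quoting is never written by hand.

```python
import json
import re

# From the page's severity table: Log Analytics level -> Azure Alerts level.
SEVERITY_TO_AZURE = {"critical": "Sev 0", "warning": "Sev 1", "informational": "Sev 2"}
OPERATORS = ("gt", "lt")
# Assumption: an action group ID is an ARM resource ID shaped like the page's
# sample; the leading slash is optional because the page's Put bodies omit it.
ACTION_GROUP_ID_RE = re.compile(
    r"^/?subscriptions/[^/]+/resourcegroups/[^/]+/providers/microsoft\.insights"
    r"/actiongroups/[^/]+$", re.IGNORECASE)
# The page's sample action group ID.
SAMPLE_GROUP_ID = ("/subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups"
                   "/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup")


def azure_severity(level):
    """Map a Log Analytics severity to the normalized Azure Alerts level."""
    return SEVERITY_TO_AZURE[level]


def alert_action_body(name, operator, value, severity, group_ids=(),
                      throttle_minutes=None, custom_email_subject=None,
                      custom_webhook_payload=None, etag=None, description=None):
    """Build the Put body for an Alert action as a dict (json.dumps it to send).

    Threshold and Severity are always present; Throttling carries the suppress
    period; AzNsNotification carries the action group IDs and the two optional
    customizations. `custom_webhook_payload` is a dict, and the API carries it
    as a JSON-encoded string inside the JSON body. Pass etag when editing.
    """
    if operator not in OPERATORS:
        raise ValueError(f"Operator must be one of {OPERATORS}")
    if severity not in SEVERITY_TO_AZURE:
        raise ValueError(f"Severity must be one of {sorted(SEVERITY_TO_AZURE)}")
    props = {"Type": "Alert", "Name": name, "Version": 1,
             "Threshold": {"Operator": operator, "Value": value},
             "Severity": severity}
    if description is not None:
        props["Description"] = description
    if throttle_minutes is not None:
        if throttle_minutes <= 0:
            raise ValueError("DurationInMinutes must be positive")
        props["Throttling"] = {"DurationInMinutes": throttle_minutes}
    if (custom_email_subject is not None or custom_webhook_payload is not None) and not group_ids:
        raise ValueError("customizations apply to an action group; GroupIds is required")
    if group_ids:
        bad = [g for g in group_ids if not ACTION_GROUP_ID_RE.match(g)]
        if bad:
            raise ValueError(f"not an action group resource ID: {bad}")
        notification = {"GroupIds": list(group_ids)}
        if custom_email_subject is not None:
            notification["CustomEmailSubject"] = custom_email_subject
        if custom_webhook_payload is not None:
            # Double encoding is deliberate: the value is a string holding JSON.
            notification["CustomWebhookPayload"] = json.dumps(
                custom_webhook_payload, separators=(",", ":"))
        props["AzNsNotification"] = notification
    body = {"properties": props}
    if etag is not None:
        body["etag"] = etag
    return body


def alert_action_json(**kwargs):
    """Serialized form to hand to armclient put."""
    return json.dumps(alert_action_body(**kwargs))


if __name__ == "__main__":
    print(alert_action_json(name="test-alert", operator="gt", value=12, severity="critical",
                            group_ids=[SAMPLE_GROUP_ID], throttle_minutes=30,
                            custom_email_subject="Azure Alert fired",
                            custom_webhook_payload={"field1": "value1", "field2": "value2"}))
```

Because the builder returns the same structure for every section, the difference between a threshold-only action, a suppressed one, and one wired to an Action Group is just which keyword arguments you pass; the etag argument is what turns a create into an edit.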

Next steps