, ,

How to Create or edit a log alert rule from Azure Monitor

Posted by

Accessing the alert rule wizard in the Azure portal

There are several ways that you can create a new alert rule.

Create or edit an alert rule from the portal home page

In the portal, select Monitor > Alerts.

Open the + Create menu, and select Alert rule.

How to Create or edit an alert rule from a specific resource

Select Alerts from the left pane, and then select + Create > Alert rule.

How Edit an existing alert rule

  1. Select Alert rules.
  2. Select the alert rule you want to edit, and then select Edit.

How to Configure the scope of the alert rule

  1. On the Select a resource pane, set the scope for your alert rule. You can filter by subscriptionresource type, or resource location.
  2. Select Apply.

How to Configure the alert rule conditions

On the Condition tab, when you select the Signal name field,

On the Logs pane, write a query that returns the log events for which you want to create an alert.

Note : (Optional) If you’re querying an ADX or ARG cluster, Log Analytics can’t automatically identify the column with the event timestamp, so we recommend that you add a time range filter to the query. For example:

    | where MyTS >= ago(5m) and MyTS <= now()


    | where type =~ 'Microsoft.Compute/virtualMachines'
    | project _ResourceId=tolower(id), tags

In the Measurement section, select values for these fields:

MeasureLog alerts can measure two different things, which can be used for different monitoring scenarios:
Table rows: The number of rows returned can be used to work with events such as Windows event logs, Syslog, and application exceptions.
Calculation of a numeric column: Calculations based on any numeric column can be used to include any number of resources. An example is CPU percentage.
Aggregation typeThe calculation performed on multiple records to aggregate them to one numeric value by using the aggregation granularity. Examples are Total, Average, Minimum, or Maximum.
Aggregation granularityThe interval for aggregating multiple records to one numeric value.

In the Alert logic section, select values for these fields:

OperatorThe query results are transformed into a number. In this field, select the operator to use to compare the number against the threshold.
Threshold valueA number value for the threshold.
Frequency of evaluationHow often the query is run. Can be set anywhere from one minute to one day (24 hours).


There are some limitations to using a one minute alert rule frequency. When you set the alert rule frequency to one minute, an internal manipulation is performed to optimize the query. This manipulation can cause the query to fail if it contains unsupported operations. The following are the most common reasons a query are not supported:

  • The query contains the searchunion or take (limit) operations
  • The query contains the ingestion_time() function
  • The query uses the adx pattern
  • The query calls a function that calls other tables

How to Configure the alert rule actions

On the Actions tab, select or create the required action groups

How to Configure the alert rule details

  1. On the Details tab, define the Project details.
    • Select the Subscription.
    • Select the Resource group.
  2. Define the Alert rule details.

How to Configure alert rule tags

On the Tags tab, set any required tags on the alert rule resource.

Review and create the alert rule

  1. On the Review + create tab, the rule is validated, and lets you know about any issues.
  2. When validation passes and you’ve reviewed the settings, select the Create button.

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x