Accessing the alert rule wizard in the Azure portal
There are several ways that you can create a new alert rule.
Create or edit an alert rule from the portal home page
In the portal, select Monitor > Alerts.
Open the + Create menu, and select Alert rule.
How to Create or edit an alert rule from a specific resource
Select Alerts from the left pane, and then select + Create > Alert rule.
How to edit an existing alert rule
- Select Alert rules.
- Select the alert rule you want to edit, and then select Edit.
How to Configure the scope of the alert rule
- On the Select a resource pane, set the scope for your alert rule. You can filter by subscription, resource type, or resource location.
- Select Apply.
How to Configure the alert rule conditions
On the Condition tab, when you select the Signal name field,
On the Logs pane, write a query that returns the log events for which you want to create an alert.
Note: (Optional) If you’re querying an ADX or ARG cluster, Log Analytics can’t automatically identify the column with the event timestamp, so we recommend that you add a time range filter to the query. For example:
adx('https://help.kusto.windows.net/Samples').table
| where MyTS >= ago(5m) and MyTS <= now()
or
arg("").Resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| project _ResourceId=tolower(id), tags
In the Measurement section, select values for these fields:
Field | Description |
---|---|
Measure | Log alerts can measure two different things, which can be used for different monitoring scenarios: Table rows: The number of rows returned can be used to work with events such as Windows event logs, Syslog, and application exceptions. Calculation of a numeric column: Calculations based on any numeric column can be used to include any number of resources. An example is CPU percentage. |
Aggregation type | The calculation performed on multiple records to aggregate them to one numeric value by using the aggregation granularity. Examples are Total, Average, Minimum, or Maximum. |
Aggregation granularity | The interval for aggregating multiple records to one numeric value. |
In the Alert logic section, select values for these fields:
Field | Description |
---|---|
Operator | The query results are transformed into a number. In this field, select the operator to use to compare the number against the threshold. |
Threshold value | A number value for the threshold. |
Frequency of evaluation | How often the query is run. Can be set anywhere from one minute to one day (24 hours). |
Note
There are some limitations to using a one-minute alert rule frequency. When you set the alert rule frequency to one minute, an internal manipulation is performed to optimize the query. This manipulation can cause the query to fail if it contains unsupported operations. The following are the most common reasons a query is not supported:
- The query contains the search, union or take (limit) operations
- The query contains the ingestion_time() function
- The query uses the adx pattern
- The query calls a function that calls other tables
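A pre-deployment check for the one-minute limitations listed above, as an added example that is not part of the original page: it scans the text of a KQL query for the listed constructs before the rule is created. The function name, the regex heuristics and the sample queries are assumptions; the fourth limitation is not checked because it needs workspace metadata.

```python
import re

# Comments and string literals are blanked first so that words inside them
# (for example: has "union select") are not mistaken for operators.
_NOISE = re.compile(r'//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'')

# One heuristic pattern per limitation listed on the page. The fourth one
# (a function that calls other tables) cannot be seen in the query text.
_CHECKS = (
    ("search operator", re.compile(r"(?:^|[|;(=])\s*search\b", re.M)),
    ("union operator", re.compile(r"(?:^|[|;(=])\s*union\b", re.M)),
    ("take/limit operator", re.compile(r"\|\s*(?:take|limit)\b")),
    ("ingestion_time() function", re.compile(r"\bingestion_time\s*\(")),
    ("adx pattern", re.compile(r"\badx\s*\(")),
)


def one_minute_blockers(query: str) -> list[str]:
    """Return the listed constructs found in a KQL query, in list order."""
    code = _NOISE.sub(lambda m: "" if m.group().startswith("//") else '""', query)
    return [label for label, pattern in _CHECKS if pattern.search(code)]


# Constructed sample queries; the first is the ADX example from this page.
SAMPLES = {
    "adx_sample": "adx('https://help.kusto.windows.net/Samples').table\n"
                  "| where MyTS >= ago(5m) and MyTS <= now()",
    "clean": 'Syslog\n| where SyslogMessage has "union select" // take care\n'
             "| summarize count() by Computer",
    "late_events": "SecurityEvent\n| where ingestion_time() > ago(1m)\n| take 10",
}

if __name__ == "__main__":
    for name, kql in SAMPLES.items():
        print(name, one_minute_blockers(kql) or "no listed blockers found")
```

An empty result means only that none of the listed text patterns were found; the portal's own validation remains the authority on whether the query is supported.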
How to Configure the alert rule actions
On the Actions tab, select or create the required action groups.
How to Configure the alert rule details
- On the Details tab, define the Project details.
- Select the Subscription.
- Select the Resource group.
- Define the Alert rule details.
How to Configure alert rule tags
On the Tags tab, set any required tags on the alert rule resource.
Review and create the alert rule
- On the Review + create tab, the rule is validated and any issues are reported.
- When validation passes and you’ve reviewed the settings, select the Create button.