Support the creation of dynamic threshold alerts for Custom Log Queries from the portal
At the moment only Metrics support dynamic thresholds. I have been waiting for this for months! You could do this with DataDog or NewRelic a long time ago.
Isaac Rosado commented
This would be nice to have as a feature.
Do note that custom log queries have the full capabilities of Kusto (https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/machine-learning-and-tsa). You can do things like detect outliers and remove them to minimize noise.
Here is an example to ignore outliers under a certain threshold that I use to effectively have a dynamic threshold:
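let end = bin(now(), 5m) - 5m;
let start = end - 1h;
let ctukey_threshold = real(1.5);
// Assumption: the two thresholds used below are not defined in the post as captured; taken as symmetric around zero.
let upper_threshold = ctukey_threshold;
let lower_threshold = -ctukey_threshold;
YourCustomTable_CL // placeholder: the table name is missing from the post as captured
| where TimeGenerated >= start and TimeGenerated < end
| extend name = FieldName_s
| project TimeGenerated, name, value=MetricName_d
| make-series series=avg(value) // assumption: the aggregation is missing from the post as captured
    on TimeGenerated step 15m by name
// Score each point of the series, then flag scores outside the two thresholds
| extend score=series_outliers(series)
| extend exception=series_add(series_less(score, lower_threshold), series_greater(score, upper_threshold))
// Total number of flagged points per series
| mv-apply exception to typeof(real) on (summarize exception=sum(exception))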
Andrew VO commented
Please support the creation/modification/deletion of Log Search dynamic threshold alert rules using both REST API and Az cmdlets. It was brought to our attention this would only be supported via portal and ARM.
Most of our VMs are on-prem, and we are trying to retire SCOM. As such, we rely heavily on alerts using Log Analytics data. We use ARM to create resources, but not for maintenance, as our environments are fluid. We rely on PowerShell scripts (either using Az cmdlets or Invoke-RestMethod) for all of our automation, administration, and ad hoc support.