This can be mitigated by adding "etag": "*" as described in the FAQ doc.
The number of results is currently limited to 10 and this is not something we can change in the near future. But the full results can be viewed in the portal following the link in the mail.
You can also use a webhook to send to a Logic App or runbooks; a webhook can send up to 1000 rows of data, and the user can push mail or a Teams or Slack message as needed via (say) a Logic App.
See this article on how to modify alerts using Logic App, extracting the computer ID from the webhook and pushing an email via Logic App: https://www.stefanroth.net/2018/08/23/azure-monitor-modify-alerts-using-logic-app/
Webhooks and their schema are available here: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitor-alerts-unified-log-webhook
Hi Dan, and thanks for the feedback.
I would advise opening a support ticket to properly investigate the issue.
I assume that the scenario you describe started when you selected Log Analytics on the left navigation, selected multiple subscriptions in the filter and then clicked ‘+’ to create a new workspace. In this case, a new page is opened for workspace creation, with the subscription drop-down pre-populated with the first subscription in the filter, but you can change that selection per your choosing. This behavior is quite common across Azure and is also used in this experience.
Unfortunately we have an issue with cross-resource query use in LA Log Alerts. The team is working to unblock this currently.
Planned/resolved as part of new Azure Alerts update – now available in public preview: https://azure.microsoft.com/en-us/blog/new-alerts-preview-in-azure-monitor/
OMS Portal is scheduled for an update - which would possibly address these issues regarding rendering.
Until then, we suggest you try using the new Alerts (Preview) on Azure Portal. Running on the Azure Portal, which uses a newer interface engine and design, it is compatible with all modern browsers including Safari on macOS. We have recently launched the public preview of Azure Alerts (Preview) and it allows you to create as well as manage in a singular interface all your alerts, including OMS Log Analytics based Alerts and Azure Monitor based Alerts. More details are available on the Azure blog: https://azure.microsoft.com/en-us/blog/new-alerts-preview-in-azure-monitor/
The time window for Log Analytics based Alerts is restricted to 24 hours, to limit the load of queries on Log Analytics and prevent abuse of the system. For your portal a query over a week for a specific message is limited to one or a few items; but for others who are not as discrete, the return could be in hundreds or thousands of records, which can overwhelm the system for everyone. In the current model and scale of Log Analytics, as a public service for everyone in Azure, we have tried to balance between the needs of some and keeping miscreants at bay.
We have found that a 24-hour window works for most use cases and scenarios with minor modification or adjustment. Even in your scenario, I think we can make alerts work with a 24 hr window with some adjustments: by creating an alert for the specific message/record (say) X, every day, and if the count is more than 1, it fires an email notification (if needed). Since the message arrives irregularly, the alert will get fired whenever the message is seen, and you can track whether it arrived or not for specific days. Also, every time the alert is fired, it's recorded as part of the Audit Log, allowing you to then use Log Analytics to further aggregate, plot and combine this info with other details from other sources/logs, to pinpoint where things may be going wrong.