18 votes · under review · 3 comments · Log Analytics » Alert Management Solution · Admin:
Sending a crisp email which doesn't flood your inbox or mobile device, while providing the necessary alert details, is a hard act to balance. We have tried to keep the email limited and focused, suitable for non-Power users, with the top results included in the email and, additionally, a link to the query results.
For Power/DevOps users like yourself, we give the option of using Webhooks and Runbooks from Alerts to post the data to your own Azure Automation logic, tool or communication app like MS Teams or Slack. Using Webhook integration, you can push alert details to, say, Slack and just click the Search Results link to get the results; or turn it up to 11 by having Azure Automation run a runbook to analyze the results and auto-remediate.
More info on Webhooks & Runbook support here: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-alerts-actions
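The webhook path the admin describes above, as an added example that is not code from the page, from Microsoft or from the OMS/Log Analytics product: a small receiver that authenticates the incoming alert POST with a shared secret (anyone who learns a webhook URL can post to it, so the receiver must check who is calling), then turns the payload into the kind of short chat message the admin is after, with the top few rows inline and the rest behind the search-results link. The header name, the secret, the Slack-style `{"text": ...}` shape and the payload field names (`AlertRuleName`, `ResultCount`, `LinkToSearchResults`, `SearchResult`) are assumptions for this example; check them against the webhook documentation linked above before relying on them. The sample alert body is constructed, not captured from a workspace.

```python
import hmac
import json
from typing import Any

# Assumptions for this example (not from the page or the product docs):
# the receiver expects a shared secret in a custom header, and the alert
# payload carries the field names used in summarise_alert() below.
SHARED_SECRET = "replace-with-a-long-random-value"
SECRET_HEADER = "X-Alert-Secret"
MAX_ROWS = 3  # keep the chat message short; full results live behind the link


def verify_shared_secret(headers: dict[str, str], expected: str = SHARED_SECRET) -> bool:
    """Reject webhooks that do not carry the expected secret.

    hmac.compare_digest compares in constant time, so a caller cannot learn
    the secret byte-by-byte from response timing.
    """
    presented = headers.get(SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), expected.encode())


def summarise_alert(payload: dict[str, Any], max_rows: int = MAX_ROWS) -> dict[str, Any]:
    """Build a compact Slack-style message ({"text": ...}) from an alert payload."""
    name = payload.get("AlertRuleName", "<unnamed alert>")
    count = int(payload.get("ResultCount", 0))
    link = payload.get("LinkToSearchResults", "")
    tables = payload.get("SearchResult", {}).get("tables", [])
    lines = [f"*{name}* fired: {count} result(s)"]
    shown = 0
    for table in tables:
        cols = [c.get("name", "?") for c in table.get("columns", [])]
        for row in table.get("rows", []):
            if shown >= max_rows:
                break
            lines.append("  " + ", ".join(f"{c}={v}" for c, v in zip(cols, row)))
            shown += 1
    if count > shown:
        lines.append(f"  ... {count - shown} more, see search results")
    if link:
        lines.append(f"<{link}|Open search results>")
    return {"text": "\n".join(lines)}


def handle_webhook(headers: dict[str, str], body: str) -> tuple[int, dict[str, Any]]:
    """Return (HTTP status, Slack message or error) for one incoming POST."""
    if not verify_shared_secret(headers):
        return 401, {"error": "bad or missing shared secret"}
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "body is not JSON"}
    return 200, summarise_alert(payload)


# Constructed sample alert payload for the example (not a real capture).
SAMPLE_BODY = json.dumps({
    "AlertRuleName": "Failed logons > 5",
    "ResultCount": 5,
    "LinkToSearchResults": "https://example.invalid/search?id=1",
    "SearchResult": {"tables": [{
        "columns": [{"name": "Computer"}, {"name": "Count"}],
        "rows": [["web01", 7], ["web02", 3], ["db01", 2], ["db02", 1], ["jump01", 9]],
    }]},
})

if __name__ == "__main__":
    status, message = handle_webhook({SECRET_HEADER: SHARED_SECRET}, SAMPLE_BODY)
    print(status)
    print(message["text"])
```

The receiver deliberately never echoes the raw query results into chat: the top rows give the on-call person enough to triage, and the link keeps the full result set in the workspace where access is controlled. Wire `handle_webhook` behind whatever HTTP framework you use, and treat the shared secret like any other credential (store it in a secret store, rotate it).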
Planned/resolved as part of the new Azure Alerts update, now available in public preview: https://azure.microsoft.com/en-us/blog/new-alerts-preview-in-azure-monitor/
The OMS Portal is scheduled for an update, which would possibly address these rendering issues.
Till then, we suggest you try using the new Alerts (Preview) on the Azure Portal. Running on the Azure Portal, which uses a newer interface engine and design, it is compatible with all modern browsers, including Safari on macOS. We have recently launched the public preview of Azure Alerts (Preview), and it allows you to create as well as manage all your alerts in a single interface, including OMS Log Analytics based alerts and Azure Monitor based alerts. More details are available on the Azure blog: https://azure.microsoft.com/en-us/blog/new-alerts-preview-in-azure-monitor/
29 votes · under review · 3 comments · Log Analytics » Alert Management Solution · Admin:
The time window for Log Analytics based alerts is restricted to 24 hours, to limit the load of queries on Log Analytics and prevent abuse of the system. For your portal, a query over a week for a specific message is limited to one or a few items; but for others who are not as discreet, the return could be hundreds or thousands of records, which can overwhelm the system for everyone. In the current model and scale of Log Analytics, as a public service for everyone in Azure, we have tried to balance the needs of some against keeping miscreants at bay.
We have found that a 24-hour window works for most use cases and scenarios with minor modification or adjustment. Even in your scenario, I think we can make alerts work with a 24 hr window with some adjustments: by creating an alert for the specific message/record (say) X every day, and if the count is more than 1, it fires an email notification (if needed). Since the message arrives irregularly, the alert will get fired whenever the message is seen, and you can track whether it arrived or not for specific days. Also, every time the alert is fired, it's recorded as part of the Audit Log, allowing you to then use Log Analytics to further aggregate, plot and combine this info with other details from other sources/logs, to pinpoint where things may be going wrong.
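The tracking step the admin suggests above (a daily alert with a 24-hour window, then reading the alert firings back to see which days the message did not arrive), as an added example that is not code from the page or from the product: given exported alert-fired records, it computes the UTC days on which a named rule fired and reports the days in a range with no firing. The record shape (`AlertRuleName`, `TimeGenerated`) and the sample rows are constructed for this example and are assumptions, not the audit log's actual schema; map the field names to whatever your export produces.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed alert-fired records for the example. The field names are an
# assumption about an exported audit log, not the product's own schema.
FIRED = [
    {"AlertRuleName": "Message X seen", "TimeGenerated": "2017-10-02T03:14:00Z"},
    {"AlertRuleName": "Message X seen", "TimeGenerated": "2017-10-03T23:59:30Z"},
    {"AlertRuleName": "Other rule",     "TimeGenerated": "2017-10-04T08:00:00Z"},
    {"AlertRuleName": "Message X seen", "TimeGenerated": "2017-10-06T12:00:00Z"},
]


def _parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp, accepting the trailing 'Z' used for UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def days_fired(records, rule_name: str) -> set[date]:
    """UTC dates on which the named rule fired at least once.

    Firing times are normalised to UTC first so that a firing at 23:59:30Z
    counts for that UTC day and not for the next local day.
    """
    return {
        _parse_utc(r["TimeGenerated"]).date()
        for r in records
        if r["AlertRuleName"] == rule_name
    }


def missing_days(records, rule_name: str, start_iso: str, end_iso: str) -> list[str]:
    """ISO dates in [start, end] on which the daily alert never fired.

    With a 24-hour query window evaluated once a day, a day with no firing
    means the expected message did not arrive during that day's window.
    """
    seen = days_fired(records, rule_name)
    day = date.fromisoformat(start_iso)
    end = date.fromisoformat(end_iso)
    gaps = []
    while day <= end:
        if day not in seen:
            gaps.append(day.isoformat())
        day += timedelta(days=1)
    return gaps


if __name__ == "__main__":
    for d in missing_days(FIRED, "Message X seen", "2017-10-01", "2017-10-07"):
        print(f"{d}: message X not seen")
```

Because the alert itself only ever looks back 24 hours, the week-long question ("did X arrive every day?") is answered from the firing history rather than from one long query, which is exactly the adjustment the admin describes.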