Azure LGW Alert creation

  • Question

  • Hi,

    I want to generate some alerts (Mem usage, service stop/start) using a Log Analytics workspace and Azure Monitor.

    In the workspace I defined timegenerated > ago(30m), and I see a similar parameter in the Azure Monitor screen where it says "Evaluation based on".

    Are these the same? What happens if I choose different values in both of these places?

    My log query:

    // Service Control Manager event 7036 is logged whenever a service changes state
    Event
    | where Computer in (cmpgrp)   // cmpgrp: computer group defined in the workspace
    | where TimeGenerated > ago(1h)
    | where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
    // pull the service name (param1) and its new state (param2) out of the XML EventData
    | parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
    | where Windows_Service_Name == "Windows Update"
    | sort by TimeGenerated desc
    | project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated


    Wednesday, May 20, 2020 10:49 AM

All replies

  • Hi Mohammad Thahif,

    AFAIK, the short answer is no, they are not the same.

    I believe the mentioned "timegenerated > ago(30m)" is similar to "TimeGenerated > ago(1h)" in the provided log query, just with a different time period in each place. If that's the case, then since it is in the where condition, it means you are trying to review events from the last 30 minutes (or 1 hour if I consider the provided log query).

    The output in this case is generally summarized based on the least possible time (i.e., every second / once every 5 seconds / once every 10 seconds, etc.). In other words, if output data is available in the Log Analytics repository then you could ideally see that output as it is.

    In my case, when I tested the provided log query, the output was as shown below, where you can see the TimeGenerated row has different timings based on the data available in the Log Analytics repository.


    The Frequency and Aggregation Period which you see while creating an alert rule are explained here, i.e.,

    Frequency specifies how often the query should be run. Can be any value between 5 minutes and 24 hours. Should be equal to or less than the time period. If the value is greater than the time period, then you risk records being missed.

    Time Period specifies the time range for the query. The query returns only records that were created within this range of the current time. Time period restricts the data fetched for the log query to prevent abuse and circumvents any time command (like ago) used in the log query.

    For more information with examples, refer to the above-mentioned Azure document.

    Another related topic that you might have a query on is:
    If you want to summarize the query output based on your convenient time period (and its effect on the alert rule Frequency and Period), i.e., for example you want to see the query output summarized for every 30s, something like shown below, then you would have to use "| summarize AggregatedValue= any(xxxxxxxxxx) by Computer, bin(TimeGenerated, 30s)". This is just an example; for more information please read about the summarize operator. Also you may go through this discussion where I tried to explain TimePeriod and Frequency in detail.

    Sunday, May 31, 2020 5:17 AM
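The answer above makes two claims that are easy to get wrong when wiring up a service-stop alert: the rule's Period clips whatever ago() the query body uses (the narrower window wins), and a Frequency larger than the Period leaves gaps in which a stop event is never fetched. The following is an added illustration, not code from this thread or from Azure Monitor: it models those two rules over a small constructed set of EventID 7036 records (the timestamps, computer name and helper names are all hypothetical), and also models the `bin(TimeGenerated, 30s)` summarization the answer mentions.

```python
"""Toy model of how an Azure Monitor log alert rule's Time Period and
Frequency interact with an ago() filter inside the KQL query.
Constructed example for illustration: the real service runs KQL against
Log Analytics; here the "query" is a Python filter over in-memory rows."""
from datetime import datetime, timedelta, timezone

MIN = timedelta(minutes=1)
HOUR = timedelta(hours=1)
BIN_30S = timedelta(seconds=30)

# Constructed sample of Service Control Manager events (EventID 7036), shaped
# like the rows the question's query produces after `parse`. Times are made up.
T0 = datetime(2020, 5, 20, 9, 0, tzinfo=timezone.utc)
NOW = T0 + 60 * MIN
EVENTS = [
    {"TimeGenerated": T0 + timedelta(minutes=m, seconds=s), "Computer": "srv01",
     "Windows_Service_Name": "Windows Update", "Windows_Service_State": state}
    for m, s, state in [(2, 10, "stopped"), (2, 25, "running"), (21, 0, "stopped"),
                        (47, 5, "stopped"), (52, 0, "running")]
]


def run_query(events, now, query_lookback, period):
    """One alert evaluation's data fetch.

    query_lookback is the ago() written in the query body (e.g. 1h); period is
    the rule's Time Period. Azure restricts fetched data to the rule's Period
    regardless of the query's ago(), so the effective window is the narrower
    of the two (the docs quoted above: Period "circumvents any time command
    (like ago) used in log query")."""
    effective = min(query_lookback, period)
    start = now - effective
    return [e for e in events
            if start < e["TimeGenerated"] <= now
            and e["Windows_Service_Name"] == "Windows Update"
            and e["Windows_Service_State"] == "stopped"]


def evaluations(now, horizon, frequency):
    """Evaluation instants over the last `horizon`, one every `frequency`."""
    t = now - horizon
    while t <= now:
        yield t
        t += frequency


def missed_events(events, now, horizon, query_lookback, period, frequency):
    """Service-stop events that no evaluation in the horizon ever fetched.

    With Frequency > Period the consecutive fetch windows do not touch, so a
    stop event that lands in a gap never fires the alert (the docs' warning
    that "you risk records being missed")."""
    seen = set()
    for t in evaluations(now, horizon, frequency):
        for e in run_query(events, t, query_lookback, period):
            seen.add(e["TimeGenerated"])
    return [e for e in events
            if e["Windows_Service_State"] == "stopped" and e["TimeGenerated"] not in seen]


def summarize_by_bin(events, bin_size):
    """Model of `| summarize count() by Computer, bin(TimeGenerated, 30s)`:
    floor each timestamp to a bin boundary (measured from the Unix epoch, as
    KQL's bin() does for datetimes) and count rows per (Computer, bin)."""
    counts = {}
    step = bin_size.total_seconds()
    for e in events:
        ts = e["TimeGenerated"].timestamp()
        bin_start = datetime.fromtimestamp(ts - ts % step, tz=timezone.utc)
        key = (e["Computer"], bin_start)
        counts[key] = counts.get(key, 0) + 1
    return counts


def demo():
    """Run the scenarios a practitioner would compare before saving the rule."""
    return {
        # query says ago(1h) but the rule's Period is 30m: only the last 30m is seen
        "period_clips_ago": len(run_query(EVENTS, NOW, HOUR, 30 * MIN)),
        # query says ago(30m) inside a 1h Period: ago() wins because it is narrower
        "ago_clips_period": len(run_query(EVENTS, NOW, 30 * MIN, HOUR)),
        # Frequency 15m with Period 5m: every stop event falls into a gap
        "missed_freq_gt_period": len(missed_events(EVENTS, NOW, HOUR, HOUR, 5 * MIN, 15 * MIN)),
        # Frequency 5m with Period 10m: windows overlap, nothing is missed
        "missed_freq_le_period": len(missed_events(EVENTS, NOW, HOUR, HOUR, 10 * MIN, 5 * MIN)),
        "bins_30s": len(summarize_by_bin(EVENTS, BIN_30S)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two "clips" scenarios both return one row (the 09:47 stop), which is the practical answer to the question in this thread: the query's ago() and the rule's "Evaluation based on" period are separate settings, and the data the alert actually evaluates is bounded by whichever is shorter. The gap scenario is the one worth checking in an alert review, since a service-stop rule with Frequency 15m / Period 5m silently never fires for stops that happen between windows.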
  • Thanks Krishna for the detailed explanation. 

    My question was more around these 2 parameters in 2 different places. 

    timegenerated > ago(30m) in the log query, and the "Evaluation based on" (Aggregation granularity based on) option in the signal selection window?

    Are both the same? From your above explanation, it appears they are the same. Please confirm.

    Regards

    Thahif

    Thursday, June 4, 2020 3:09 PM