Azure KQL 日志查询

我正在使用下面的查询

Syslog
| where Computer has "testhost"
| where ProcessName == "ServiceStatus"
| where SyslogMessage has "iptables.service: active"
| count

使用 cli 设置 azure 警报，我收到以下错误

  (BadRequest) Number of evaluation periods must be 1 for queries that do not project the 'TimeGenerated' column of type 'datetime' Activity ID: e7a38f1c-43b2-47c9-9f6a-xxxxx.
  Code: BadRequest
  Message: Number of evaluation periods must be 1 for queries that do not project the 'TimeGenerated' column of type 'datetime' Activity ID: e7a38f1c-43b2-47c9-9f6a-xxxxxx.

如果我添加以下查询，它就可以工作

syslog
| where Computer has "testhost"
| where ProcessName == "ServiceStatus"
| where SyslogMessage has "iptables.service: active"
| summarize count() by TimeGenerated, _ResourceId

如果我使用工作查询，它不会显示结果，因此不会触发警报

   No results found from the last 24 hours  

我想显示计数输出为 0 来触发警报，如何修复查询？

az cli 命令参考

az monitor scheduled-query create --action $your-action-group --name iptables --resource-group your-rg --scope your-scope --description 'Health check for the service iptables is down in host' --condition 'count '\''Placeholder_1'\'' = 0 resource id _ResourceId at least 1 violations out of 5 aggregated points' --condition-query 'Placeholder_1=Syslog
    | where Computer has "testhost"
    | where ProcessName == "ServiceStatus"
    | where SyslogMessage has "iptables.service: active"
    | summarize count() by TimeGenerated, _ResourceId' --evaluation-frequency 1m --severity 1 --window-size 1m