Azure Alerts - ScheduledQueryRule - set the time range only in the query

Question   Votes: 0   Answers: 1

I am currently building an alert rule in Log Analytics that should look back 90 days, compute statistics (such as the average), and then compare those statistics with today's value. If the current value exceeds the statistics, the alert rule should fire.

Something like this (pseudocode):

```kql
let jobDurationTbl = latencyTbl
    | where name_s contains "latency_metrics" and TimeGenerated >= (now() - 90d);
let statisticsTbl = jobDurationTbl
    | summarize count(), upperConfidenceLimit = avg(jobDuration_ms) + 2 * stdev(jobDuration_ms) by serviceName_s;
let alertTbl = latencyTbl
    | join kind=leftouter (jobDurationTbl) on serviceName_s
    | project
        serviceName_s,
        _ResourceId,
        TimeGenerated,
        jobDuration_ms            // kept so the filter below can use it
    | join kind=leftouter (statisticsTbl) on serviceName_s
    | where jobDuration_ms > upperConfidenceLimit
    | where TimeGenerated >= startofday(now());   // "today"
alertTbl
```

Note that I cannot post the whole query here because of its length and complexity. The idea is that we have a table `jobDurationTbl` that contains the job duration in milliseconds (`jobDuration_ms`) for each service. We then build an `alertTbl` that returns rows only when `jobDuration_ms` exceeds the `upperConfidenceLimit` computed in `statisticsTbl`.

My problem is that the 90-day lookback keeps getting overridden by `windowSize` in the line `TimeGenerated >= (now() - 90d)`. It is not clear what Log Analytics does, but I think it replaces the whole `windowSize` with `(now() - 90d)`. I tried different syntax, for example:

```kql
YourTable
| where TimeGenerated >= ago(90d)
```

but the time range is still overridden by `windowSize`. Does anyone know how a Microsoft.Insights ScheduledQueryRule should be configured in this case? I want to specify the window only in the query, without interference from any parameter. The evaluation period should be once a day.

azure alert kql azure-log-analytics azure-bicep
1 answer

0 votes

After working through your question, here are the results using `Microsoft.Insights/scheduledQueryRules` together with a KQL query.

Using the `Microsoft.Insights/scheduledQueryRules` Bicep resource provider, you can create a scheduled query rule with the following code.

```bicep
// Rule name parameter; renamed from 'alert' so it does not collide with the
// resource symbolic name below (Bicep keeps params and resources in one namespace).
param alertName string = 'myjalert'
param location string
param Description string = 'This is a metric alert'
param Severity int = 3
param isEnabled bool = true
param autoMitigate bool = true
param resourceId string = '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Compute/virtualMachines/xxx'
// Double quotes need no escaping inside a Bicep single-quoted string; the
// summarize step produces the AggregatedValue column that metricMeasureColumn names.
param query string = 'Perf | where ObjectName == "Processor" and CounterName == "% Processor Time" | summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 5m)'
param metricMeasureColumn string = 'AggregatedValue'
param operator string = 'GreaterThan'
param threshold int = 0
param numberOfEvaluationPeriods int = 1
param minFailingPeriodsToAlert int = 1
param timeAggregation string = 'Average'
// evaluationFrequency was referenced below but never declared.
param evaluationFrequency string = 'PT5M'
param windowSize string = 'PT5M'
param actionGroupId string = '/subscriptions/xx/resourceGroups/xxx/providers/microsoft.insights/actiongroups/xx'

resource alert 'Microsoft.Insights/scheduledQueryRules@2021-08-01' = {
  name: alertName
  location: location
  tags: {}
  properties: {
    description: Description
    severity: Severity
    enabled: isEnabled
    scopes: [
      resourceId
    ]
    evaluationFrequency: evaluationFrequency
    windowSize: windowSize
    criteria: {
      allOf: [
        {
          query: query
          metricMeasureColumn: metricMeasureColumn
          dimensions: []
          operator: operator
          threshold: threshold
          timeAggregation: timeAggregation
          failingPeriods: {
            numberOfEvaluationPeriods: numberOfEvaluationPeriods
            minFailingPeriodsToAlert: minFailingPeriodsToAlert
          }
        }
      ]
    }
    autoMitigate: autoMitigate
    actions: {
      actionGroups: [
        actionGroupId
      ]
      customProperties: {
        key1: 'xx'
        key2: 'xx'
      }
    }
  }
}
```


See the MS Doc example Bicep template here for more related examples.

Modify your query using the KQL aggregation function `avg()` to meet the expected requirement, as shown in the figure.

```kql
YourTable
| where TimeGenerated >= ago(90d)
| summarize value = avg(<Metric>) by bin(TimeGenerated, 1d)
| project TimeGenerated, value
```
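As an added example (not code from the question or from the answer above), here is a Bicep template that puts the asker's daily-evaluation requirement and the 90-day baseline query together in one `Microsoft.Insights/scheduledQueryRules` resource. The table and column names (`latencyTbl`, `name_s`, `serviceName_s`, `jobDuration_ms`, `_ResourceId`) come from the question; the parameter names, the `P1D` window and frequency, the minimum-sample guard, and the count-based criteria are assumptions. The 90-day lookback is kept inside the query because that is what the asker wants; whether the rule's `windowSize` narrows it is the open point of this thread and is not settled by this example.

```bicep
// Added example: daily scheduled query rule with a 90-day statistical baseline.
// Table/column names are from the question; all other names are assumed.
param alertName string = 'latency-baseline-alert'
param location string = resourceGroup().location
// Assumed: the Log Analytics workspace resource id the query runs against.
param workspaceId string
// Assumed: the action group to notify.
param actionGroupId string

// Evaluate once a day over a one-day window, as the question requires.
param evaluationFrequency string = 'P1D'
param windowSize string = 'P1D'

// The lookback lives only in the query text. Whether the service's windowSize
// still narrows it is exactly what the thread is asking about.
var baselineQuery = '''
let lookback = 90d;
let jobDurationTbl = latencyTbl
    | where name_s contains "latency_metrics" and TimeGenerated >= ago(lookback)
    | project TimeGenerated, serviceName_s, jobDuration_ms, _ResourceId;
let statisticsTbl = jobDurationTbl
    | summarize sampleCount = count(),
                upperConfidenceLimit = avg(jobDuration_ms) + 2 * stdev(jobDuration_ms)
      by serviceName_s
    | where sampleCount >= 30;   // assumed guard: skip services with too little history
jobDurationTbl
| where TimeGenerated >= startofday(now())   // "today" only
| join kind=inner (statisticsTbl) on serviceName_s
| where jobDuration_ms > upperConfidenceLimit
| project TimeGenerated, serviceName_s, _ResourceId, jobDuration_ms, upperConfidenceLimit
'''

resource latencyAlert 'Microsoft.Insights/scheduledQueryRules@2021-08-01' = {
  name: alertName
  location: location
  properties: {
    description: 'Job duration above the 90-day mean + 2 stdev for the service'
    severity: 2
    enabled: true
    scopes: [
      workspaceId
    ]
    evaluationFrequency: evaluationFrequency
    windowSize: windowSize
    criteria: {
      allOf: [
        {
          query: baselineQuery
          // Fire on the number of offending rows rather than on a metric column,
          // so the anomaly decision stays inside the KQL.
          timeAggregation: 'Count'
          dimensions: []
          operator: 'GreaterThan'
          threshold: 0
          failingPeriods: {
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 1
          }
        }
      ]
    }
    autoMitigate: true
    actions: {
      actionGroups: [
        actionGroupId
      ]
    }
  }
}
```

With `timeAggregation: 'Count'` and `threshold: 0` the rule fires whenever the query returns at least one row, so the statistical logic lives entirely in KQL, where it can be run and checked in the workspace before it is wired to an alert. The `sampleCount >= 30` filter is an assumed safeguard: a service with only a handful of history points has a meaningless standard deviation and would otherwise alert on noise.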