I am using the query below
Syslog
| where Computer has "testhost"
| where ProcessName == "ServiceStatus"
| where SyslogMessage has "iptables.service: active"
| count
When I set up an Azure alert using the CLI, I get the following error
(BadRequest) Number of evaluation periods must be 1 for queries that do not project the 'TimeGenerated' column of type 'datetime' Activity ID: e7a38f1c-43b2-47c9-9f6a-xxxxx.
Code: BadRequest
Message: Number of evaluation periods must be 1 for queries that do not project the 'TimeGenerated' column of type 'datetime' Activity ID: e7a38f1c-43b2-47c9-9f6a-xxxxxx.
If I use the following query instead, it works
Syslog
| where Computer has "testhost"
| where ProcessName == "ServiceStatus"
| where SyslogMessage has "iptables.service: active"
| summarize count() by TimeGenerated, _ResourceId
If I use the working query, it does not show any results, so the alert is not triggered
No results found from the last 24 hours
I want the count output to show 0 so that the alert is triggered. How can I fix the query?
az CLI command for reference
az monitor scheduled-query create --action $your-action-group --name iptables --resource-group your-rg --scope your-scope --description 'Health check for the service iptables is down in host' --condition 'count '\''Placeholder_1'\'' = 0 resource id _ResourceId at least 1 violations out of 5 aggregated points' --condition-query 'Placeholder_1=Syslog
| where Computer has "testhost"
| where ProcessName == "ServiceStatus"
| where SyslogMessage has "iptables.service: active"
| summarize count() by TimeGenerated, _ResourceId' --evaluation-frequency 1m --severity 1 --window-size 1m
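Number of evaluation periods must be 1 for queries that do not project the 'TimeGenerated' column of type 'datetime':
After checking the error, I found that the problem lies in the TimeGenerated field of the query. You need to add a condition on the TimeGenerated column, as shown below, so that the query is executed periodically.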
Syslog
| where Computer has "testhost"
| where ProcessName == "ServiceStatus"
| where SyslogMessage has "iptables.service: active"
| where TimeGenerated > ago(1d)
| summarize count() by TimeGenerated, _ResourceId
Alternatively, you can use the extend operator to include a TimeGenerated condition in the query.
extend TimeGenerated = ago(12h)
After modifying the query accordingly, try running the CLI command below to create the scheduled alert with an action group.
az monitor scheduled-query create --action mynew --name iptables --resource-group xxxx --scope $scope --description 'Health check for the service iptables is down in host' --condition "count 'Placeholder_1' > 360 resource id _ResourceId at least 1 violations out of 5 aggregated points" --condition-query Placeholder_1="Syslog | where Computer has 'testhost' | where ProcessName == 'ServiceStatus' | where SyslogMessage has 'iptables.service: active' | where TimeGenerated > ago(1d) | summarize count() by TimeGenerated, _ResourceId"
az monitor scheduled-query create
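The following is an added example, not code from either post. It models the question's heartbeat query in Python over constructed Syslog rows to show why a group-by count never yields a 0 for a silent minute, and what a zero-filled series looks like. The 1-minute bins (matching --window-size 1m), the sample rows and all function names are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed Syslog rows: (TimeGenerated, Computer, ProcessName, SyslogMessage).
T0 = datetime(2024, 1, 1, 10, 0)
ROWS = [
    (T0 + timedelta(minutes=0, seconds=5), "testhost", "ServiceStatus", "iptables.service: active"),
    (T0 + timedelta(minutes=1, seconds=5), "testhost", "ServiceStatus", "iptables.service: active"),
    (T0 + timedelta(minutes=2, seconds=5), "testhost", "ServiceStatus", "iptables.service: active"),
    (T0 + timedelta(minutes=3, seconds=5), "testhost", "ServiceStatus", "iptables.service: inactive"),
    # Nothing at all is logged during minute 4.
    (T0 + timedelta(minutes=5, seconds=5), "testhost", "ServiceStatus", "iptables.service: active"),
]

def matches(row):
    """The three `where` filters from the question (`has` approximated by substring)."""
    _, computer, process, message = row
    return ("testhost" in computer.lower()
            and process == "ServiceStatus"
            and "iptables.service: active" in message)

def count_by_bin(rows):
    """Group-by count per 1-minute bin: only bins that contain a matching row get a key."""
    return Counter(ts.replace(second=0, microsecond=0)
                   for ts, *_ in filter(matches, rows))

def zero_filled(rows, start, end):
    """Same counts, but every minute in [start, end) is present, defaulting to 0."""
    counts = count_by_bin(rows)
    minutes = int((end - start).total_seconds() // 60)
    bins = [start + timedelta(minutes=i) for i in range(minutes)]
    return [(b, counts.get(b, 0)) for b in bins]

def silent_bins(rows, start, end):
    """Minutes without an 'active' heartbeat: the rows a `count = 0` condition needs."""
    return [b for b, n in zero_filled(rows, start, end) if n == 0]

if __name__ == "__main__":
    end = T0 + timedelta(minutes=6)
    print("grouped counts:", sorted(count_by_bin(ROWS).items()))
    print("silent minutes:", silent_bins(ROWS, T0, end))
```

The grouped result has four rows and none of them is 0; the two silent minutes only appear once the series is filled against the expected time range.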