Azure Log Analytics度量度量警报

Question

我有一个日志查询，

example_cl
| top 1 by TimeGenerated desc
| project in_use, unused, total = (in_use + unused)

这给了我一个简单的输出；

in_use  unused  total
  75     45      120

我希望为此查询设置一个度量警报，以便当in_use超过总数的90%时，它将发送电子邮件警报

在尝试发出警报时，我总是收到以下错误

Search Query should contain 'AggregatedValue' and 'bin(TimeGenerated, [roundTo])' for Metric alert type

需要帮助来确定此特定指标警报的正确查询。

Answer 1

通常，当您选择警报逻辑‘基于’参数作为‘指标度量’时，您会得到与AggregatedValue相关的错误。

有关所有公制测量警报规则，请参阅此-> https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-unified-log#metric-measurement-alert-rules微软文档链接。

您必须更新您的查询，如下所示。请注意，下面示例查询中的xxxxxxx是一个组字段记录。要了解在该字段中可能需要使用的内容，请参阅上面提供的Microsoft文档链接。

example_cl
| top 1 by TimeGenerated desc
| project in_use, unused, total = (in_use + unused)
| summarize AggregatedValue= avg(in_use) by xxxxxxx, bin(TimeGenerated, 30s)

希望这能有所帮助！！干杯！！

Answer 2

除了@KrishnaG-MSFT之外，如果你不想使用平均值作为聚合值，你可以使用聚合函数，比如count()，它只是将单个结果作为唯一的值来处理，并呈现结果。

example_cl
| top 1 by TimeGenerated desc
| project in_use, unused, total = (in_use + unused)
| summarize AggregatedValue= count() by xxxxxxx, bin(TimeGenerated, 30s)

更多的例子我是如何重写的

日志警报

Event
| where EventID == 1235
| project Computer,  TimeGenerated,  AlertType_s = "Test Connectrix",  Severity = 4,  
SeverityName_s = "Information",  AffectedCI_s = Computer ,  AlertTitle_s = 
strcat(Computer, ":Test Connectrix"  ) ,  AlertDetails_s = RenderedDescription

在Log Alert上面重新写入度量度量

注意到对返回的行数进行了聚合。

Event
| where EventID == 1235
| project Computer,  TimeGenerated,  AlertType_s = "Test Connectrix",  Severity = 4,  
SeverityName_s = "Information",  AffectedCI_s = Computer ,  AlertTitle_s = 
strcat(Computer, ":Test Connectrix"  ) ,  AlertDetails_s = RenderedDescription
| summarize AggregatedValue = count()  by bin(TimeGenerated, 30m) , Computer 

公制测量样本性能(CPU)表的另一个示例

let _maxValue = 80; 
let _timeWindow = 4h; 
let _AvgCpu = Perf 
| where TimeGenerated >= ago(_timeWindow) 
| where CounterName == "% Processor Time" and InstanceName =~ "_Total"  
| summarize mtgPerf=max(TimeGenerated), CounterValue=round(avg(CounterValue)), 
SampleCount= count(CounterValue) by Computer, InstanceName, CounterName, ObjectName; 
_AvgCpu 
| where CounterValue > _maxValue 
| project      Computer     , ObjectName     , CounterName     , InstanceName     , 
TimeGenerated=mtgPerf     , CounterValue     , AlertType_s = "Sustained High CPU 
Utilization"     , Severity = 4     , SeverityName_s = "WARNING"     , AffectedCI_s = 
strcat(Computer, "/CPUPercent/", InstanceName)     , AlertTitle_s = strcat(Computer, 
": Sustained High CPU Utilization")     , AlertDetails_s = strcat("Computer: ", 
Computer, "Average CPU Utilization: ", CounterValue, "%Sample Period: Last ", 
_timeWindow, "Sample Count: ", SampleCount, "Alert Threshold: > ", _maxValue, "%")
| summarize AggregatedValue = count() by bin(TimeGenerated, 30m), Computer , 
ObjectName , CounterName , InstanceName, CounterValue, AlertType_s, Severity, 
SeverityName_s, AffectedCI_s , AlertTitle_s, AlertDetails_s

希望这能有所帮助。