I have KQL giving me counts of my alerts by severity. The only issue is that when the user closes them (i.e. updates the user response), no column in the alerts table is updated.
So here is the Azure triggered view,
but the alerts table has nothing.
This strikes me as a fairly normal ask.
I am making the following assumption: that you have a custom KQL query for Azure Resource Graph Explorer to identify Azure Monitor alerts.
Properties such as alertState and monitorCondition are not standalone columns, but are nested properties within the dynamically typed "properties" column. As this is querying Azure Resource Graph, the records are updated directly, rather than adding a new log (as it would be in Log Analytics).
Below is a query that extracts the two relevant properties.
alertsmanagementresources
| extend alertState = tostring(parse_json(properties.essentials.alertState))
| extend monitorCondition = tostring(parse_json(properties.essentials.monitorCondition))
| project name, alertState, monitorCondition
If you need help, please share your query and what information you are looking to query.
Alistair
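The severity counts the question asks for, broken down by user response, as an added example that is not part of the original answer. It assumes the standard `properties.essentials` layout of Azure Monitor alert records in Azure Resource Graph (`severity`, `alertState`, `monitorCondition`); the output column names are illustrative.

```kusto
// Added example: count Azure Monitor alerts by severity and user response.
// Run in Azure Resource Graph Explorer. Records are updated in place, so a
// closed alert shows alertState == "Closed" on the same row.
alertsmanagementresources
| where type =~ "microsoft.alertsmanagement/alerts"
| extend essentials = properties.essentials
| extend severity         = tostring(essentials.severity),          // Sev0 .. Sev4
         alertState       = tostring(essentials.alertState),        // New / Acknowledged / Closed
         monitorCondition = tostring(essentials.monitorCondition)   // Fired / Resolved
| summarize total        = count(),
            open         = countif(alertState != "Closed"),
            closed       = countif(alertState == "Closed"),
            // still firing and not yet closed by a user
            firingOpen   = countif(monitorCondition == "Fired" and alertState != "Closed")
          by severity
| order by severity asc
```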
I have a use case I am working on.
An Alert is fired in Azure when some conditions are met:
Condition: Whenever the total task complete events is greater than 0
The alert rule has some basic information.
Subscription
Resource Type
Resource Group
There is a Custom properties section and I want to use this to enrich the alert rule. The information I am hoping to include is in a table called AzureDiagnostics. The field values and conditions I need are as follows (I included some custom fields):
OperationName=="TaskCompleteEvent"
jobId_s
id_s == "analyse"
ElapsedTime=datetime_diff('second', executionInfo_endTime_t, executionInfo_startTime_t)
ElapsedTime_in_Hours_Minutes_Seconds=ElapsedTime * 1s
TimeGenerated
Can someone guide me on the best way to include these as custom properties? It adds value to the alert instead of then going back into Azure to find more information. Any help is appreciated.
I don't really have enough information to go on to properly answer this; however, if you are referring to a default rule that you cannot edit, you can easily create an automation rule to autoclose the alert, and you use custom KQL to reference the SecurityAlert table to enrich, such as:
SecurityAlert | where DisplayName contains "previousRuleName"
or
If it is already custom KQL, you can simply add, whether that's to the same table by removing the already specified column or otherwise, by using the join operator.
I have a simple Kusto request, something like the following:
customMetrics
| where timestamp > ago(10m)
| where name == "Custom metric number one"
| summarize sum(value)
Obviously, the result of this query is a single number.
I would like to pin this request to a dashboard, so the tile will look like a card having a title/subtitle and the number retrieving as the result of the Kusto request. Firstly, I tried to use "render" operator, but it can draw either a chart or a simple unformatted table. I tried to use "render card", but ApplicationInsights answered that "We currently don't support 'card' visualization type."
Is there any other possibility to create the desired tile with a single number on it?
Why not just pin the table query result?
customMetrics
| where timestamp > ago(10m)
| where name == "Custom metric number one"
| summarize sum(value)
results in
It is probably the closest to a card you can do at the moment.
There is another option as well: you can add a Markdown tile. It can point to a URL containing Markdown content, so you might be able to create something that periodically updates a certain MD file and show that on the dashboard. You can leverage the Application Insights API to get the value you want and have an Azure Function generate the Markdown.
Another option, if you have access to Power BI, is to create a Power BI report that you share with external stakeholders/non-developers. When going in that direction you can use all the rich visuals Power BI provides in combination with data from Application Insights, including cards. See the docs.
Or use Grafana? There's a managed instance in Azure, albeit still in preview.
How to create a single data tile in an Azure Application Insights dashboard?
By single data I mean the XXX (a number), which I found by querying Application Insights.
For example, I queried for unique users in Application Insights logs, and I want to display it as a single data tile on the dashboard, i.e. just the number (XXX) and the heading (Unique Users For XYZ Application).
Workbooks will give you tons of features to create custom tiles showing just the number on the tile. Here's how to do it using Workbooks.
Try the code below, then pin to dashboard:
requests
//add the filter for querying unique users
| extend users=""
| summarize number_of_users = count() by users
| render barchart
The result:
Is it possible to make a real-time monitoring report by using Power BI?
I have experience only with Elasticsearch + Kibana and I want to make the same dashboard by using Power BI:
There is a data source - RequestDateTime, Sendor, IsSuccess, RequestType, Request, Response. For example:
2016-10-20 12:00:12 | Test 1 | True | SetUserInfo | xml here... | xml here...
2016-10-20 12:00:18 | Test 2 | False | GetUserInfo | xml here... |
This data can be downloaded from an Azure SQL database by using a simple SQL query.
I want to make a simple column chart. The X-axis should be a timeline, according to the RequestDateTime field. The Y-axis should be a count of records that correspond to the filters.
The report should have filters by sendor, isSuccess, RequestType and RequestDateTime range (for example, the last 6 hours).
The report should be able to be refreshed in real-time mode, according to the new events in the database.
The pipeline I usually use in my work with app.powerbi for real-time visualization is:
Create a dataset: In your workspace, select the "create" option; there you can import or connect to data from Files and Databases. You can choose Azure SQL database and follow the instructions.
Create a report: In your dataset list, select the icon to create a report (here you define the filters that you want) and save it.
Create a dashboard: Pin the charts to a dashboard. I have found that only the dashboard refreshes itself when data is added or deleted in the database; thus, you can see the real-time data in the dashboard.
You may find this video useful.
I have a new Windows Application that I am adding Application Insights to. Adding a new chart gives the ability to group on specific custom properties using a drop down. This drop down has 65 properties that AI must have added at some point. They were not specifically added.
We have a main AppInsights that takes all events. We've also created an AppInsights for development. The list of custom properties in the drop down is different between these two, even though the source code is the same.
It makes me suspect that there is some process that creates the drop down contents based on the incoming data.
The problem here is that the code has changed, and some properties are no longer available. We want to eliminate these values from the drop down, and add the new ones.
I am perfectly happy just deleting the entire list. Is there a way to do this?
The items that are available in the group by are properties that have ever been received by the back end in data you've sent, and aren't editable.
For custom properties/metrics, there's a limit on how many properties the backend will allow before it stops collecting new named custom properties. Conceptually, think of it as the backend storing an array of 200 elements for each telemetry item you sent, and mapping each custom property name to an index, and that mapping lasts forever. (I believe at the current time that limit is 200 each, but we're working on expanding that.)
So if developers did things in your dev portal, even sent one item with custom property "foo", then that property will be there forever, and takes up one of those 200 slots. They can't be deleted or cleared at the moment.
Also, the contents of the group by box are limited to events that have sent less than some threshold of distinct values, too. (I'm not sure of that exact value, but I believe it is < 100 distinct values.) So fields like Id fields, or GUIDs, etc., will eventually stop showing up as group by options, because the group by would create N distinct buckets of 1 item.
It seems like this would be something already mentioned in the App Insights UserVoice site, or documented in the Azure documentation for group by, but I'm not seeing it.
The only real workaround at this time is to create a new Application Insights resource in Azure, and start submitting data to that new resource instead of your old one. And then you have to be proactive about never submitting custom properties that you're never going to use, or mixing case, as "Property1" and "property1" will be distinct properties...
If this is a big issue for you, I'd suggest submitting it to Microsoft Connect as a bug, or entering a UserVoice suggestion above. I'll pass this on as something that really needs to be documented in the group by thing in the Azure docs, too.