What is the format of Azure Monitor metric alert conditions in Azure CLI?

The documentation for az monitor metrics alert create does not explain the format used for the --condition parameter. It seems to me the value ends up being passed as the allOf argument to the constructor of the MetricAlertSingleResourceMultipleMetricCriteria class, as seen in the Azure CLI source for metric_alert.py. However, this would mean it is a list of MetricCriteria, but the documentation examples are as follows:
--condition "total transactions > 5 where ResponseType includes Success"
--condition "avg SuccessE2ELatency > 250 where ApiName includes GetBlob or PutBlob"
which doesn't look like a valid format for a list[MetricCriteria].

The detailed format description is given upon calling with the -h flag:
PS> az monitor metrics alert create -h
az monitor metrics alert create : Create a metric-based alert rule.
--condition [Required] : The condition which triggers the rule.
Usage: --conditon {avg,min,max,total,count} [NAMESPACE.]METRIC {=,!=,>,>=,<,<=} THRESHOLD
[where DIMENSION {includes,excludes} VALUE [or VALUE ...]
[and DIMENSION {includes,excludes} VALUE [or VALUE ...] ...]]
Dimensions can be queried by adding the 'where' keyword and multiple dimensions can be
queried by combining them with the 'and' keyword.
Values for METRIC, DIMENSION and appropriate THRESHOLD values can be obtained from `az
monitor metrics list-definition` command.
Multiple conditons can be specified by using more than one `--condition` argument.

If you have a custom metric whose name contains a dot '.' or a colon ':', it is not so easy, and I did not find any documentation. Fortunately, what I found was the metric condition parser rule, where you can read what the condition should look like.
So, for example, my metric is called Ori.EventHub:DeliveryTime, and the condition switch should look like:
az monitor metrics alert create --condition "avg Azure.ApplicationInsights.'Ori.EventHub:DeliveryTime' > 100"
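As an added worked example (not code from this thread, and not the Azure CLI's own parser), here is a small Python parser for the --condition grammar quoted in the -h output above. It accepts the two documented examples, the quoted-metric form used for names containing '.' or ':', multi-value `or` lists and multiple `and`-joined dimensions, and rejects anything outside the grammar. The to_criteria() mapping to the ARM MetricCriteria field names (timeAggregation, operator, dimensions) is an assumption about the REST shape; the parser itself follows only the help text.

```python
"""Parser for the `az monitor metrics alert create --condition` grammar:
    {avg,min,max,total,count} [NAMESPACE.]METRIC {=,!=,>,>=,<,<=} THRESHOLD
        [where DIMENSION {includes,excludes} VALUE [or VALUE ...]
        [and DIMENSION {includes,excludes} VALUE [or VALUE ...] ...]]
A metric name containing '.' or ':' is wrapped in single quotes after the namespace."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Display-name mapping assumed to match the ARM MetricCriteria enums.
AGGREGATIONS = {"avg": "Average", "min": "Minimum", "max": "Maximum",
                "total": "Total", "count": "Count"}
OPERATORS = {"=": "Equals", "!=": "NotEquals", ">": "GreaterThan",
             ">=": "GreaterThanOrEqual", "<": "LessThan", "<=": "LessThanOrEqual"}
DIM_OPERATORS = {"includes": "Include", "excludes": "Exclude"}

# A quoted name is one token even if it contains spaces; otherwise split on whitespace.
TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
# [NAMESPACE.]METRIC: the namespace may contain dots and slashes
# (e.g. Microsoft.Storage/storageAccounts); the metric is quoted or dot-free.
METRIC_RE = re.compile(r"(?:(?P<ns>[A-Za-z0-9_./]+)\.)?(?P<metric>'[^']*'|\"[^\"]*\"|[^.'\"\s]+)")


@dataclass
class Dimension:
    name: str
    operator: str          # "includes" or "excludes"
    values: List[str]


@dataclass
class MetricCondition:
    aggregation: str
    namespace: Optional[str]
    metric: str
    operator: str
    threshold: float
    dimensions: List[Dimension] = field(default_factory=list)

    def to_criteria(self) -> dict:
        """One allOf entry in MetricCriteria form (field names assumed from the REST API)."""
        return {
            "metricNamespace": self.namespace,
            "metricName": self.metric,
            "timeAggregation": AGGREGATIONS[self.aggregation],
            "operator": OPERATORS[self.operator],
            "threshold": self.threshold,
            "dimensions": [{"name": d.name, "operator": DIM_OPERATORS[d.operator],
                            "values": d.values} for d in self.dimensions],
        }


def _unquote(token: str) -> str:
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
        return token[1:-1]
    return token


def parse_condition(text: str) -> MetricCondition:
    tokens = TOKEN_RE.findall(text.strip())
    if len(tokens) < 4:
        raise ValueError("expected: AGGREGATION METRIC OPERATOR THRESHOLD [where ...]")
    agg, metric_tok, op, threshold_tok = tokens[:4]
    if agg not in AGGREGATIONS:
        raise ValueError(f"unknown aggregation {agg!r}")
    if op not in OPERATORS:
        raise ValueError(f"unknown operator {op!r}")
    m = METRIC_RE.fullmatch(metric_tok)
    if not m:
        raise ValueError(f"bad metric {metric_tok!r}")
    try:
        threshold = float(threshold_tok)
    except ValueError:
        raise ValueError(f"threshold {threshold_tok!r} is not a number") from None
    cond = MetricCondition(agg, m.group("ns"), _unquote(m.group("metric")), op, threshold)

    rest = tokens[4:]
    if not rest:                      # no dimension filter at all
        return cond
    if rest[0] != "where":
        raise ValueError(f"expected 'where', got {rest[0]!r}")
    rest = rest[1:]
    while True:                       # DIMENSION {includes,excludes} VALUE [or VALUE ...]
        if len(rest) < 3 or rest[1] not in DIM_OPERATORS:
            raise ValueError("expected: DIMENSION {includes,excludes} VALUE")
        name, dim_op, value = rest[:3]
        values = [_unquote(value)]
        rest = rest[3:]
        while len(rest) >= 2 and rest[0] == "or":
            values.append(_unquote(rest[1]))
            rest = rest[2:]
        cond.dimensions.append(Dimension(name, dim_op, values))
        if not rest:
            return cond
        if rest[0] != "and":          # only 'and' may chain another dimension
            raise ValueError(f"expected 'and' or end of condition, got {rest[0]!r}")
        rest = rest[1:]
```

Running parse_condition on the Ori.EventHub:DeliveryTime example yields namespace Azure.ApplicationInsights and metric Ori.EventHub:DeliveryTime, which is the split the quoting is there to make possible.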


Trying to query Azure Resource Graph Explorer for NSGs with missing rules

The following query fails with 2 ParserFailure errors, both on line 5. At least that's where the query builder shows the red curly line.
The intention of this query is probably obvious to the Azure KQL initiates, but I'll explain nonetheless just to make sure it's clear.
This query should list all NSGs that do not have either one of the rules named "AllowThis" or "AllowThat".
| where type == "microsoft.network/networksecuritygroups"
| where isnotempty(properties.securityRules)
| where not(properties.securityRules
| where (tolower(tostring(properties.securityRules.ruleName)) =~ "allowthis|allowthat"))
| project NSGName = name
| order by NSGName asc
It would even be nicer if the table shows the actual missing rule(s) for the listed NSGs, but I have no idea where to start with that.
Does anyone have a working version of this type of query? Having to go through a lot of NSGs manually can't be the answer.
I have tried multiple variations of the query, but I couldn't find a single working version.
Below are my findings and observations from the query posted in question.
Lines 1 to 3 look good and will give you the list of NSG resources which have values for the "securityRules" field.
For line number 4
| where not(properties.securityRules)
I am not sure what you are trying to achieve in this step. not() takes bool values, as mentioned in the documentation.
For line number 5
| where (tolower(tostring(properties.securityRules.ruleName)) =~ "allowthis|allowthat")
There is no need to use tolower() when you are using =~, as this supports case-insensitive matching. Also, under "securityRules" in the NSG JSON object there is no field named "ruleName"; however, there is a field "name". Please find the document for the same - Link. You can use the same documentation to check the fields available to query NSG resource data.
When you are trying to write a condition for "AllowThis" or "AllowThat" in Azure Resource Graph Explorer, you should use the syntax properties.securityRules.name == "allowthis" or properties.securityRules.name == "allowthat"
If you write anything within quotes it will be taken as a single string. Hence, in your query "allowthis|allowthat" will be considered a single string.
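As an added example (not a query from this thread), here is a Resource Graph query that lists the NSGs missing either rule and shows which names are missing. It treats properties.securityRules as what it is in the ARM resource JSON, an array of rule objects, so each element is expanded before its name is compared; it compares names case-insensitively; and it keeps NSGs that have no rules at all, since those are missing both. It relies on mv-expand, make_set and set_difference, which are assumed to be available in Resource Graph's KQL subset as they are in Kusto.

```kusto
// NSGs missing either "AllowThis" or "AllowThat", with the missing names listed.
resources
| where type =~ "microsoft.network/networksecuritygroups"
// An NSG with an empty securityRules array lacks both rules; give mv-expand one
// placeholder element instead of [] so that such an NSG survives the expansion.
| extend rules = iff(array_length(properties.securityRules) > 0,
                     properties.securityRules, dynamic([null]))
| mv-expand rule = rules
| extend ruleName = tolower(tostring(rule.name))   // placeholder yields ""
| summarize ruleNames = make_set(ruleName) by id, name, resourceGroup, subscriptionId
| extend missingRules = set_difference(dynamic(["allowthis", "allowthat"]), ruleNames)
| where array_length(missingRules) > 0
| project NSGName = name, resourceGroup, subscriptionId, missingRules
| order by NSGName asc
```

To check for a different set of rules, change only the dynamic list passed to set_difference; the rest of the query is independent of the rule names.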

How to get the id of a VM in azure where power state is running and a specific tag is null?

So I am trying to get the ID of all VMs across all subscriptions and regions, where a specific tag is null. For this I am using the following command
az vm list -d --query '[?!not_null(tags.run)]|[].id'
Please note: I want to get the ids only if the tag doesn't exist
Note that here I need to use single quotes around the query, as I am using the '!' operator to invert the not_null() function. If I were to use double quotes, bash would throw an "event not found" error.
So now the problem arises when I also want to add a condition to check the current state of the VM and return id only if it is running and tag doesn't exist.
az vm list -d --query '[?!not_null(tags.run)] | [?powerState=="VM running"].id'
Here I have to wrap VM running in double quotes, and this gives me empty output, as the string is not being matched because the query expects single quotes, like so:
"[?powerState=='VM running'].id"
Could someone help me with a workaround for this?
Use a raw string literal for the VM running string. You just have to surround your string with backticks and double quotes.
az vm list -d --query '[?!not_null(tags.run)]|[?powerState==`"VM running"`].id'

How to change a numeric ID into a sentence in Graylog using pipelines?

I am trying to "beautify" the data I receive from some windows logs on Graylog. My idea is to change the windows log ID from a number to the actual definition for that ID. For example: I receive a log with ID 4625, I want to show in my widget "An account failed to log on".
To do that, I am using a pipeline and a lookup table, which reads the IDs and the respective definitions in natural language from a .csv that I've uploaded on the server.
This is the rule that I wrote for my pipeline, that doesn't seem to work:
rule "eventid_windows_rule"
when
  has_field("winlogbeat_winlog_event_id")
then
  let winlogbeat_winlog_italiano = lookup("winlogbeat_winlog_event_id", to_string($message.winlogbeat_winlog_event_id));
  set_field("winlogbeat_winlog_italiano", winlogbeat_winlog_italiano);
end
I think my problem is specifically in this rule, because Graylog allows testing the lookup tables, and if I manually enter an ID, the lookup table finds the respective description.
I solved the issue myself, this is the correct code for the rule:
rule "eventid_windows_rule"
when
  has_field("winlogbeat_winlog_event_id")
then
  let winlogbeat_winlog_italiano = lookup("eventid_widget_windows_lookup", $message.winlogbeat_winlog_event_id);
  set_field("winlogbeat_winlog_italiano", winlogbeat_winlog_italiano);
end
This rule checks whether the log has the field "winlogbeat_winlog_event_id"; if so, it generates the new field "winlogbeat_winlog_italiano", associates the numeric value of "winlogbeat_winlog_event_id" with the natural-language description via the .csv that I created, and puts the description in the field "winlogbeat_winlog_italiano".

How to find length of result array in Azure CLI via JMESPath?

I am trying to "explore" json results from an Azure CLI command using the --query switch (e.g. az functionapp list --query <something>), and to get started I'd like the length of the resulting array.
The Azure CLI help says nothing specific, and points to jmespath.org which does indeed show that a length function exists, however it seems to require an argument. I have no name for the argument, which is the root/outermost array returned by the list command.
It seems from jmespath.org that length(something) is what I want, but I don't know what to put in for the "something" part. What do I put here? Or am I going about this all wrong??
As we know, az functionapp list returns JSON where the root node is an array. In order to get the length of this array we can use the following syntax:
az functionapp list --query "[] | length(@)"

In Azure powershell set output to table format instead of json

In Azure PowerShell, the JSON format is annoying at times. You need to scroll backwards and decrypt it.
How do I change the default to --output table for all az commands?
In Azure PowerShell, type the following in order to change the default output to table:
az configure
It will prompt you with the following question. Select 3.
Do you wish to change your settings? (y/N): y
What default output format would you like?
[1] json - JSON formatted output that most closely matches API responses.
[2] jsonc - Colored JSON formatted output that most closely matches API responses.
[3] table - Human-readable output format.
Please enter a choice [Default choice(1)]: 3
This is for users who don't like the default JSON format.
Since you've given a solution on how to configure default table output for Azure CLI, this question should also have a solution for Azure PowerShell.
The easiest solution I can think of is just piping the output to Format-Table e.g. Get-AzResourceGroup | Format-Table -AutoSize.
You can have a look for more information at Format Azure PowerShell cmdlet output.
