I am currently working on an Alert Rule in Log Analytics which is supposed to look back for 90 days, calculate a confidencelimit over that time and then compare today’s value with the limit. If today’s value exceeds the statistic, then the alert rule should fire.
Something like so (pseudo code):
let jobDurationTbl = latencyTbl
| where name_s contains "latency_metrics" and TimeGenerated >= (now() - 90d)
let statisticsTbl = jobDurationTbl
| summarize count(), upperConfidenceLimit = avg(jobDuration_ms) + 2 * stdev(jobDuration_ms) by serviceName_s
let alertTbl = latencyTbl
| join kind=leftouter (jobDurationTbl) on serviceName_s
| project
serviceName_s,
_ResourceId,
TimeGenerated
| join kind=leftouter (statisticsTbl) on serviceName_s
| where jobDuration_ms > upperConfidenceLimit
| where TimeGenerated == today;
Please note that I can not post the whole query here due to its length and complexity. The idea is that we have a table jobDurationTbl
which contains the length of jobs in ms (jobDuration_ms
) for each service. Then we create an alertTbl
which should only return rows if the jobDuration_ms
exceeds the upperConfidenceLimit
calculated from the statisticsTbl
My problem is that the 90 days look back keeps getting overridden by the windowSize
in the following line: TimeGenerated >= (now() - 90d)
. It is not clear what Log Analytics does, but I think it replaces the whole (now() - 90d)
with the windowSize
. I tried different syntaxes like:
YourTable
| where TimeGenerated >= ago(90d)
But still the time range gets overriden by the windowSize
. Does someone know how the Microsoft.Insights scheduledQueryRule should be configured in such a case? I want to specify the windowing functionality solely in the query without the interference of any parameters. The evaluation period should be simply once a day.
2
Answers
Ok, I found a solution in the end. Thank you @Jahnavi you gave the missing clue with the binning logic. The final query with sample data looks as follows:
If today were the 1/5/2024, we would get the right result provided we have parameterized the alert correctly. The right result is the last row of the datatable. For reference, if we want to check every 15 minutes if there was an error in the last 1h, we would configure the alert as follows (bicep):
We would get an alert for every row returned by the query.
After a workaround on your issue, below are the results using
Microsoft.Insights/scheduledQueryRules
as well as KQL query.Using
Microsoft.Insights/scheduledQueryRules
bicep resource provider, you can use below code to create a scheduled query rule.Refer here for more relevant MS Doc sample Bicep templates.
Or
Modify your
KQL
query by usingavg()
aggregated function to meet the expected requirement as shown.