Tags: azure, azure-data-explorer, kql, azure-monitoring, azure-alerts

Unable to configure Azure log alerts on ContainerLog KQL query's aggregated field


I'm trying to set up an Azure alert rule on the Kusto query below:

    ContainerLog
    | parse-where LogEntry with *  '//example.output ' Total:decimal  ' ' Used:decimal ' '
    | summarize avg_capacity=sum(Used)/sum(Total)*100 by TimeGenerated

The query works, but when I tried to configure the alert measurement, it does not show the calculated column, which is [avg_capacity] as in the above query (see screenshot below).

[screenshot]

I tried some example Kusto queries from the Microsoft documentation that query the Perf table, and they worked fine. I'm not sure what the problem is here: ContainerLog as the source table, the 'parse-where' operator, or something else?

Basically, I just want an alert rule on the [avg_capacity] field, any help is appreciated! Cheers!


Solution

  • I used round() on the summarize value in the sample query posted in the question and was able to see the avg_capacity column in the Measure dropdown under Measurement.

    The issue may be that Measure supports decimal values only up to some number of decimal places. In your case, if the decimal value is above that limit, the summarize column will not be populated in the dropdown. Hence, by using round() we can limit the number of decimal places up to 10 using Precision.

    round(): It returns the value rounded to the specified precision. The default Precision is 0. Please refer to read more about round().

    I have used a Precision value of 2. It will give us the avg_capacity value to two decimal places.

    Code

    ContainerLog
    | parse-where LogEntry with *  '//example.output ' Total:decimal  ' ' Used:decimal ' ' 
    | summarize avg_capacity = round(sum(Used)/sum(Total)*100,2) by TimeGenerated
    

    Result

    [screenshot]
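
To check what the round() change does to the column the alert rule sees, this added example (not part of the original question or answer) runs both expressions over constructed sample rows and lists the resulting column types with getschema. SampleLog, its rows and the raw_capacity column name are assumptions made for the illustration.

```kusto
// Constructed sample rows standing in for ContainerLog (not real log data).
// Each matching line ends with a space so it fits the page's parse pattern.
let SampleLog = datatable(TimeGenerated: datetime, LogEntry: string)
[
    datetime(2023-01-01 00:00:00), "disk //example.output 200.0 50.0 ",
    datetime(2023-01-01 00:00:00), "disk //example.output 100.0 25.0 ",
    datetime(2023-01-01 00:05:00), "disk //example.output 300.0 240.0 ",
    datetime(2023-01-01 00:05:00), "unrelated line that parse-where drops"
];
SampleLog
// Same pattern as in the question; rows that do not match are filtered out.
| parse-where LogEntry with * '//example.output ' Total:decimal ' ' Used:decimal ' '
// raw_capacity is the question's expression, avg_capacity is the answer's.
| summarize raw_capacity = sum(Used)/sum(Total)*100,
            avg_capacity = round(sum(Used)/sum(Total)*100, 2)
          by TimeGenerated
// Show the type of every output column instead of the values.
| getschema
| project ColumnName, DataType, ColumnType
```

Comparing the type reported for raw_capacity with the one reported for avg_capacity shows whether the two expressions produce different column types. Dropping the last two lines returns the computed values instead.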