Why can't I create an azure alert rule with a specific KQL query
I was tasked to create an alert rule for a specific VM using custom log search and with query from the client's parameter sheet:
Event
| where EventLog == "System"
| where EventLevelName == "Critical"
| where Computer == "testVM1"
| where TimeGenerated > ago(1m)
with 1 minute aggregation granularity and 1 minute frequency evaluation based from the client's parameter sheet. As expected, upon creation it threw an error:
Error: Failed to create alert rule test. One-minute frequency is not supported for this query. Either switch to five-minute frequency or adapt the query.
I also found out that there are certain limitations in creating alert rules with 1 minute frequency. I just can't understand how and why is the query not acceptable? can someone explain it to me step by step?
Creating an azure alert rule with a specific KQL query
I had created the alert rule for a specific VM using custom log search. With the 1-minute aggregation granularity and 1 minute frequency of evaluation. I had work around in my environment the KQL query works fine
Event
| where EventLog == "System"
| where EventLevelName == "Critical"
| where Computer =="<Your VM Name>"
| where TimeGenerated > ago(1m)
| summarize EventCount = count()
Output:
Sometimes Azure Monitor will not immediately trigger the alerts due to log data ingestion latency, Azure Monitor will take a minimum 5-minute evaluation frequency for log-based alerts to avoid unreliable or delayed alerts.
Reference:
- How do I persist logs from a Dockerized .NET Core app in Azure DevOps and save them as artifacts?
- Azure won't show roleDefinition for directory roles
- How do we change the TLS version of Azure IoT Hub which is already created and deployed?
- Microsoft Graph API ADB2C signInActivity update lag
- How does Azure App Service manage port binding with docker container? Does it recognize Expose?
- Has there been a recent change to Invoke-Sqlcmd that break it, and if so what's the fix?
- Is using AddAzureClients and a clientFactory for Azure ServiceBus DI preferred over a singleton implementation?
- Redeploy .NET Aspire project after resource cleanup
- SocketException permission denied when trying to bind port 80 or 443 to Kestrel in Azure Container Instance with .NET 8
- Azure Functions with docker: How change port?
- Azure - How to update the password profile of a user in Azure AD B2C using the Microsoft Graph API?
- Unable to filter the service principals by appOwnerOrganizationId property
- How can I upload an image to Azure from an Azure Function with a BlobTrigger
- How can I see which mechanism granted the user the ability to activate roles via Azure Privileged Identity Management (PIM)
- How to resolve an "Invalid operands found for operator -eq" error in Microsoft Entra ID PowerShell code
- You don’t appear to have an active Azure subscription when creating new Kubernetes service connection in Azure DevOps
- Azure Application Insights JavaScript SDK loader script security
- How to fix 'Unable to Obtain Authentication Token' in Active Directory Authentication to Azure Analysis Server
- Python script to join 2 csv files with an existing excel file in Azure blob storage
- Can one use DPO (direct preference optimization) of GPT via CLI or Python on Azure?
- azure function via terraform: how to connect to service bus
- Azure WebJob is failing after some period of time on Linux plan
- Retry policy on blob leasing
- Azure auth for Outlook Graph API
- Copying storage data from one Azure account to another
- Windows Azure SDK for Node.js SQL Azure Provider
- Pipeline for stored procedure dedicated sql pool
- Webpack @azure/storage-blob node-fetch AbortSignal issue
- What is the Azure equivalent of GCP's Cloud Run?
- How stop execution of a stored procedure if the client closes the connection in SQL Azure database?