I want to configure Log Analytics alert using ARM templates so just following given link:- https://learn.microsoft.com/en-in/azure/azure-monitor/insights/solutions-resources-searches-alerts#sample
But problem is, I am working on a requirement to create CPU, Memory and Disk alert. And for this I need to write 3 different ARM with different KQL. Could you please help me to edit this given template to achieve my requirement to generate all alert using single ARM.
If I will create 3 different template then the major problem is I will have 3 solution under my Log Analytics as this template is creating solution for each alert. So just looking for a way to edit this template in such a way to configure multiple alert using single template.
Below is the template that i want to edit: -
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0",
"parameters": {
"workspaceName": {
"type": "string",
"metadata": {
"Description": "Name of Log Analytics workspace"
}
},
"workspaceregionId": {
"type": "string",
"metadata": {
"Description": "Region of Log Analytics workspace"
}
},
"actiongroup": {
"type": "string",
"metadata": {
"Description": "List of action groups for alert actions separated by semicolon"
}
}
},
"variables": {
"SolutionName": "SolutionTest",
"SolutionVersion": "1.0",
"SolutionPublisher": "SolutionTesters",
"ProductName": "SolutionTest1",
"LogAnalyticsApiVersion": "2017-03-03-preview",
"MySearch": {
"displayName": "Processor over 70%",
"query": 'Perf | where ObjectName=="Processor" and CounterName=="% Processor Time" and CounterValue>70',
"category": "Samples",
"name": "Samples-Count of data"
},
"MyAlert": {
"Name": "[toLower(concat('myalert-',uniqueString(resourceGroup().id, deployment().name)))]",
"DisplayName": "Processor over 70%",
"Description": "Processor alert. Fires when 3 error records found over hour interval.",
"Severity": "critical",
"ThresholdOperator": "gt",
"ThresholdValue": 70,
"Schedule": {
"Name": "[toLower(concat('myschedule-',uniqueString(resourceGroup().id, deployment().name)))]",
"Interval": 15,
"TimeSpan": 60
},
"MetricsTrigger": {
"TriggerCondition": "Consecutive",
"Operator": "gt",
"Value": 3
},
"ThrottleMinutes": 60,
"AzNsNotification": {
"GroupIds": [
"[parameters('actiongroup')]"
],
"CustomEmailSubject": "Sample alert for processor query"
}
}
},
"resources": [
{
"name": "[concat(variables('SolutionName'), '[' ,parameters('workspacename'), ']')]",
"location": "[parameters('workspaceRegionId')]",
"tags": { },
"type": "Microsoft.OperationsManagement/solutions",
"apiVersion": "2015-11-01-preview",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspacename'), variables('MySearch').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]",
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspacename'))]",
"referencedResources": [
],
"containedResources": [
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspacename'), variables('MySearch').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]"
]
},
"plan": {
"name": "[concat(variables('SolutionName'), '[' ,parameters('workspaceName'), ']')]",
"Version": "[variables('SolutionVersion')]",
"product": "[variables('ProductName')]",
"publisher": "[variables('SolutionPublisher')]",
"promotionCode": ""
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [ ],
"tags": { },
"properties": {
"etag": "*",
"query": "[variables('MySearch').query]",
"displayName": "[variables('MySearch').displayName]",
"category": "[variables('MySearch').category]"
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name)]"
],
"properties": {
"etag": "*",
"interval": "[variables('MyAlert').Schedule.Interval]",
"queryTimeSpan": "[variables('MyAlert').Schedule.TimeSpan]",
"enabled": true
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name, '/', variables('MyAlert').Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name)]"
],
"properties": {
"etag": "*",
"Type": "Alert",
"Name": "[variables('MyAlert').DisplayName]",
"Description": "[variables('MyAlert').Description]",
"Severity": "[variables('MyAlert').Severity]",
"Threshold": {
"Operator": "[variables('MyAlert').ThresholdOperator]",
"Value": "[variables('MyAlert').ThresholdValue]",
"MetricsTrigger": {
"TriggerCondition": "[variables('MyAlert').MetricsTrigger.TriggerCondition]",
"Operator": "[variables('MyAlert').MetricsTrigger.Operator]",
"Value": "[variables('MyAlert').MetricsTrigger.Value]"
}
},
"Throttling": {
"DurationInMinutes": "[variables('MyAlert').ThrottleMinutes]"
},
"AzNsNotification": {
"GroupIds": "[variables('MyAlert').AzNsNotification.GroupIds]",
"CustomEmailSubject": "[variables('MyAlert').AzNsNotification.CustomEmailSubject]"
}
}
}
]
}How could I add Memory, Disk alert in above template.
Help would be appreciated :)
You can do it by using the copy element for resource type. But still you need to create alerts variables. For example if you want to create 3 alerts you will need three variable arrays with different values within them. You need to manage the resources using the IDs dynamically.
Follow this https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-multiple