kqlazure-alerts
Search Query should contain 'AggregatedValue' and 'bin(TimeGenerated, [roundTo])' for Metric alert type
I want to create an alert on the below scenario:
if (incoming_messages of event hub != outgoing_messages of event hub)
then I should get alerted
For that I created a query in log analytics where the "Comparison" column shows the difference of the incoming and outgoing messages of event hub
But when I am using the below query as "Metric Measurement" for alert creation.....It's giving the below error
Search Query should contain 'AggregatedValue' and 'bin(TimeGenerated, [roundTo])' for Metric alert type
Can somebody please tell me that how to fix this error or is there any other way to set the alerting for the above scenario ??
Here is the query
let Incoming_Messages = AzureMetrics
| where ResourceProvider =="MICROSOFT.EVENTHUB"
| where _ResourceId contains "ResourceID-Hidden"
| where TimeGenerated > ago(1h)
| where MetricName contains "IncomingMessages"
| count | extend CommonCol="Dummy"
| project CommonCol, TotalIncomingMessages = Count;
let Outgoing_Messages = AzureMetrics
| where ResourceProvider =="MICROSOFT.EVENTHUB"
| where _ResourceId contains "ResourceID-Hidden"
| where TimeGenerated > ago(1h)
| where MetricName contains "OutgoingMessages"
| count | extend CommonCol="Dummy"
| project CommonCol, TotalOutgoingMessages = Count;
Incoming_Messages
| join Outgoing_Messages on CommonCol
| extend Comparison = TotalIncomingMessages - TotalOutgoingMessages
| project TotalOutgoingMessages, TotalIncomingMessages, Comparison
Error Screenshot:
Solution
It seems that it would make more sense to use 'Number of results' in your case. Since you want to know is any rows meet the criteria.
Try this query with 'Number of results' (threshold > 0):
let Incoming_Messages = AzureMetrics
| where ResourceProvider =="MICROSOFT.EVENTHUB"
| where _ResourceId contains "ResourceID-Hidden"
| where TimeGenerated > ago(1h)
| where MetricName contains "IncomingMessages"
| count | extend CommonCol="Dummy"
| project CommonCol, TotalIncomingMessages = Count;
let Outgoing_Messages = AzureMetrics
| where ResourceProvider =="MICROSOFT.EVENTHUB"
| where _ResourceId contains "ResourceID-Hidden"
| where TimeGenerated > ago(1h)
| where MetricName contains "OutgoingMessages"
| count | extend CommonCol="Dummy"
| project CommonCol, TotalOutgoingMessages = Count;
Incoming_Messages
| join Outgoing_Messages on CommonCol
| extend Comparison = TotalIncomingMessages - TotalOutgoingMessages
| project TotalOutgoingMessages, TotalIncomingMessages, Comparison
| where Comparison != 0
- How can I close over variables in kdb/Q?
- When is the EACH operator extension necessary in K besides mod/rotate?
- Handling single-character strings - in a function or in its caller? ssr()
- Kdb+ data fomat when writing to a file
- How to convert a symbol to a string in kdb+?
- Sum of each two elements using vector functions
- A dictionary with a single value and multiple keys
- Table transformation, table as list of dicts
- Accumulator gives different result then direct function applying
- Reshape [cols;table]
- FK field over IPC
- Protected execution, 2 cases
- Enums for tables
- Converge (fixed point) syntax difference in q and k
- .Q.trp and bt handling
- NULLs in q and in k.h
- Strange view declaration behaviour
- How to build a parse-tree of projections?
- Could not evaluate manually created equial ~ parse tree
- Select distinct for all columns from keyed table
- Parallel execution: blocking receive, deferred synchronous
- Multiple variable assignment in q
- Select a table from the inside of external select
- Select when one of filter-column may not exists
- What is the meaning of `s attribute on a table?
- On parallel execution - which side reports about an error?
- Validate if a keyed table have unique keys
- Applying dictionary to dictionary
- About xkey implementation
- Parse tree built on values from vars