I am trying to set up a new custom condition for Azure monitor alert rule, but when I enter my kql query it doesn't show the expected data. When I run the same query in Logs it outputs 9 rows that fulfil my condition, but for some reason, no data are shown in the Monitor Alerts.
I can see that the problem is in the last condition | where Anomaly has "1" as I get data when I delete this condition - but I need to have it included in the query (or at least a similar version of it). Any suggestions? (I have tried also contains and == but it gives the same problem)
ADFPipelineRun
| where TimeGenerated >= ago(30d)
| where PipelineName startswith "Dataflow"
| extend customerName = extractjson("$.customerName", Parameters, typeof(string))
| extend customerBranchName = extractjson("$.customerBranchName", Parameters, typeof(string))
| extend databaseName = extractjson("$.databaseName", Parameters, typeof(string))
| join (ADFActivityRun
| where ActivityType == "Copy" and Status == "Succeeded"
| extend RowsCopied = extractjson("$.rowsCopied", Output, typeof(int)))
on CorrelationId
| summarize AggregatedValue=any(RowsCopied) by customerName, customerBranchName, databaseName, PipelineName, bin(TimeGenerated,1d)
| order by TimeGenerated
| summarize EventCount=make_list(AggregatedValue),TimeGenerated=make_list(TimeGenerated) by customerName, customerBranchName, databaseName, PipelineName
| extend (anomalies, score, baseline)=series_decompose_anomalies(EventCount, 5, 0, "avg")
| extend Anomaly = array_slice(anomalies,0,0)
| where Anomaly has "1"
Thanks for any good ideas and help :)
The problem, in the end, was in the Azure Monitor Alert function. The custom alert has a predefined time range over which it evaluates the query and it cannot be manually extended.
In the predefined period given by Azure, there were no records found (it was too short to evaluate whether anomalies occur..)
I solved it by creating a power bi report that uses M query above and I used an alert function offered by the power bi service.