kqlazure-monitoringazure-alerts
Unable to create valid KQL query for Azure Custom log search as Metric alert type
This is my KQL query
Perf
| where TimeGenerated > ago(60m)
| where (ObjectName == "Processor")
| summarize AggregatedValue = avg(CounterValue) by Computer , _ResourceId
| where AggregatedValue < 100
| project Computer, AggregatedValue
Error : Search Query should contain 'AggregatedValue' and 'bin(TimeGenerated, [roundTo])' for Metric alert type
Note : Above query is working successfully (prints result) in Azure Monitor - Logs as below image1. But same query is throwing Error while running in as below image2.
-------------------------------------------------------------------------------------------------
Solution
The error message seems very descriptive. Tried adding bin(TimeGenerated, [roundTo])
It worked
Perf
| where TimeGenerated > ago(1h)
| where CounterName == "% Processor Time" and InstanceName == "_Total"
| project TimeGenerated, Computer, CounterValue, _ResourceId
| summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 1h), Computer, _ResourceId
Thanks @David דודו Markovitz
- KQL Query works in advanced hunting but fails when made into a detection rule
- Creating KQL query to get Azure VMs not patched since 30days
- Create a function to calculate power of tens with a loop and reuse them in another query
- Azure Resource Graph - Database sizes
- KQL Query to filter duplicate entries and select top 1 from the log data
- Generate Chart by Type and State
- Azure Data Explorer C# querying and ORM
- How to find non distinct/duplicate messages in Azure Application Insights?
- Kusto query for time between records by group in one result list
- Application Insights KQL query - not in sub query
- Logic Apps copy action gives: The managed identity used with this operation no longer exists. To continue, set up an identity or change the connection
- Get all types of resources in a resource group
- insert an array in column of the kql table
- Stuck at PIM Diagnostics via KQL
- In Azure log analytics - where are the delete queries in KQL?
- Get the difference between Successive timestamps KQL
- Grouping on the basis of cumulative sum
- Check two different tables
- Is it possible to group rows programmatically in KQL?
- How could I parse the json array in Kusto?
- How to use table alias in KQL query
- How do I create an Azure workbook that accepts a time range in UTC?
- Azure Resource Graph Explorer :: list all VMs with number of cores
- Restrict all table and function except specific table
- Extract query string from url
- how to convert the rows into columns in Azure Data Explorer (Kusto)
- String function not parsing all characters
- free disk space overview using InsightsMetrics
- Query Azure Resource Graph and get a list of all the application registration that contains "test"
- Time difference between separate rows in same table