Azure Monitor for Linux VM logical disk (mount point)

PulakeshM 26 Reputation points
2022-08-09T12:09:16.547+00:00

Hi Everyone,

I'm looking for a solution to monitor and alert on the space utilisation of specific mount points (filesystems) on Azure Linux VMs. Can someone guide me on which parameter I need to change/update in the query below to complete my requirement?

I tried the query below, which I found on the internet, in a Log Analytics workspace. It did give me the output as expected; however, when I configured it in Azure Monitor Alerts, it did not trigger any alerts. I'm not sure if I'm making a mistake in the Azure Monitor alerts or in the Log Analytics query.

The query below currently looks at all the filesystems (mount points). I want to specify a few of them and be alerted when they reach the threshold value.

// Logical disk space % below threshold
// Set _minValue according to your needs
let _minValue = 10;
InsightsMetrics
| where TimeGenerated >= ago(12h) // choose time to observe
| where Origin == "vm.azm.ms"
| where Namespace == "LogicalDisk" and Name == "FreeSpacePercentage"
| where Val <= _minValue
// Tags is a JSON string; the mount point is stored under the "vm.azm.ms/mountId" key
| extend t = parse_json(Tags)
// Column names are case-sensitive: the metric value column is Val
| summarize avg(Val) by bin(TimeGenerated, 10m), Computer, tostring(t["vm.azm.ms/mountId"])
| sort by avg_Val asc


Accepted answer
  1. Stanislav Zhelyazkov 21,021 Reputation points MVP
    2022-08-09T12:42:04.557+00:00

    Hi,
    The query will depend on whether you are using Log Alert v1 or Log Alert v2. No matter if you are using v1 or v2, you should avoid these things in the query:

    • Do not specify the time window in the query, this is specified in alert rule properties - | where TimeGenerated >= ago(12h) // choose time to observe
    • Do not specify the threshold in the query, this is specified in alert properties - let _minValue = 10; and | where Val <= _minValue
    • Avoid specifying sorting in the alert rule query, this is not needed for the alert rule and makes the query more time consuming - | sort by avg_Val asc
    • It is better to aggregate on fields like the _ResourceId or ResourceId columns as Computer might not be unique - | summarize avg(Val) by bin(TimeGenerated, 10m), Computer, tostring(t["vm.azm.ms/mountId"])

    Specifically, if you use Log Alert v1

    • this | summarize avg(Val) by bin(TimeGenerated, 10m), Computer, tostring(t["vm.azm.ms/mountId"]) needs to become | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 10m), Computer, tostring(t["vm.azm.ms/mountId"]). The AggregatedValue value for each returned record will then be used as comparison for the threshold defined in alert rule properties.
    • It is best that the slice bin 10m (bin(TimeGenerated, 10m)) matches the time window defined in the alert rule.

    I would suggest looking at two blog posts I have for v1 and v2 Log Alerts on how to do them. There I have similar examples with free space for disks, but the data is from the Perf table and for Windows.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
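
The following query is an added example, not part of the original thread: it applies the accepted answer's points to the question's query and restricts it to selected mount points. The mount point list, the `_mounts` variable and the `MountPoint` column name are constructed for illustration, and the tag key is assumed to be spelled `vm.azm.ms/mountId` (dynamic key lookups are case-sensitive).

```kusto
// Added example (not from the original thread).
// Mount points to watch: constructed sample values, replace with your own.
let _mounts = dynamic(["/", "/var", "/data"]);
InsightsMetrics
// No TimeGenerated filter here: the time window comes from the alert rule properties.
| where Origin == "vm.azm.ms"
| where Namespace == "LogicalDisk" and Name == "FreeSpacePercentage"
// Tags is a JSON string; pull the mount point out once into its own column.
| extend MountPoint = tostring(parse_json(Tags)["vm.azm.ms/mountId"])
// Keep only the filesystems of interest.
| where MountPoint in (_mounts)
// No "Val <= threshold" filter and no sort: the threshold (for example 10, with a
// "less than or equal" condition) is set in the alert rule and compared against
// AggregatedValue for every returned record.
// _ResourceId is included because Computer might not be unique.
// The 10m bin should match the time window configured in the alert rule.
| summarize AggregatedValue = avg(Val)
    by bin(TimeGenerated, 10m), _ResourceId, Computer, MountPoint
```

Running the query in the workspace without any threshold first shows whether `MountPoint` is populated for every row; an empty column means the tag key or the mount point values do not match what the agents report, and the alert would never fire.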
