Hi,
The query will depend on whether you are using Log Alert v1 or Log Alert v2. No matter if you are using v1 or v2 you should avoid these things in the query:
- Do not specify a time window in the query, this is specified in the alert rule properties - | where TimeGenerated >= ago(12h) // choose time to observe
- Do not specify threshold in query, this is specified in alert properties - let _minValue = 10; and | where Val <= _minValue
- Avoid specifying sorting in alert rule query, this is not needed for the alert rule and makes the query more time consuming - | sort by avg_Val asc
- It is better to aggregate on fields like the _ResourceId or ResourceId columns, as Computer might not be unique - | summarize avg(val) by bin(TimeGenerated, 10m), Computer, tostring(t["vm.azm.ms/mountID"])
Specifically, if you use Log Alert v1:
- this | summarize avg(val) by bin(TimeGenerated, 10m), Computer, tostring(t["vm.azm.ms/mountID"]) needs to become | summarize AggregatedValue = avg(val) by bin(TimeGenerated, 10m), Computer, tostring(t["vm.azm.ms/mountID"]). The AggregatedValue of each returned record will then be used as the comparison for the threshold defined in the alert rule properties.
- It is best that the 10m bin slice (bin(TimeGenerated, 10m)) matches the time window defined in the alert rule.
I would suggest looking at two blog posts I have for v1 and v2 Log Alerts on how to do them. There I have similar examples with free space for disks, but the data is from the Perf table and for Windows.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
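As an added example (not part of the answer above), here is a full ad-hoc disk free-space query next to the shapes the answer recommends for a v1 and a v2 alert rule. It assumes the InsightsMetrics table with Namespace "LogicalDisk" and Name "FreeSpacePercentage" (assumed names) and the mount tag key exactly as written in the answer.

```kql
// Added example, not the answer's own query. Assumes InsightsMetrics with
// Namespace "LogicalDisk" / Name "FreeSpacePercentage" (assumed), and the
// tag key tostring(t["vm.azm.ms/mountID"]) as written in the answer.

// 1. Typical ad-hoc query: carries a time window, a threshold and a sort.
//    All three belong in the alert rule properties, not in the query.
let _minValue = 10;
InsightsMetrics
| where TimeGenerated >= ago(12h)
| where Namespace == "LogicalDisk" and Name == "FreeSpacePercentage"
| extend t = parse_json(Tags)
| summarize avg(Val) by bin(TimeGenerated, 10m), Computer, tostring(t["vm.azm.ms/mountID"])
| where avg_Val <= _minValue
| sort by avg_Val asc

// 2. Log Alert v1 form: no time window, threshold or sort. The aggregate
//    is named AggregatedValue so the rule can compare it with the
//    threshold (e.g. "less than 10"); the 10m bin should match the rule's
//    period. Grouping on _ResourceId keeps rows unique when two machines
//    report the same Computer name.
InsightsMetrics
| where Namespace == "LogicalDisk" and Name == "FreeSpacePercentage"
| extend t = parse_json(Tags)
| summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 10m), _ResourceId, Computer, tostring(t["vm.azm.ms/mountID"])

// 3. Log Alert v2 form: same body; the rule's measurement settings pick
//    the measure column, threshold and granularity, so a plain avg(Val)
//    column is enough and no fixed column name is required.
InsightsMetrics
| where Namespace == "LogicalDisk" and Name == "FreeSpacePercentage"
| extend t = parse_json(Tags)
| summarize avg(Val) by bin(TimeGenerated, 10m), _ResourceId, Computer, tostring(t["vm.azm.ms/mountID"])
```

Run each numbered query on its own in Log Analytics; query 1 is only there to show what to strip out before pasting query 2 or 3 into the alert rule.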