Azure alert - low memory not working

Question

Hi,
I have the below KQL query which works and brings back relevant results i.e. computer name and available memory in Log Analytics.
When using as an alert however - the email alert does not list VM names and seems to give an aggregated total of the individual low memory figure.

Perf  
| where CounterName == "Available MBytes"  
| where CounterValue < 512  
| summarize AggregatedValue = avg(CounterValue) by Computer, _ResourceId, bin(TimeGenerated, 1h)  

The alert is generating a notification "This query doesn't return an Azure resource ID column, so the alert will fire on the entire rule scope"
I dont understand - the query is returning a resource ID column in the results but why does the Alert not show these results?

Answer 1

Hi there,

Log-based alerts now require dimensions if you need to get data per instance (per VM). You can use it as Computer column or _ResourceId if all VMs are registered in Azure with _resourceIds (including Arc-machines)

Anyway, if I may, I would like to suggest another query that could help you get notified with low memory VMs.

let _minValue = 512;  
Perf  
| where TimeGenerated >= ago(1h)  
| where CounterValue <= _minValue  
| where CounterName == "Available MBytes"  
| summarize mtgPerf=max(TimeGenerated), CounterValue=max(CounterValue)  
    by  
    Computer,  
    InstanceName,  
    CounterName,  
    ObjectName  
| join kind=inner (Heartbeat  
    | where OSType == "Windows"  
    | summarize max(TimeGenerated) by Computer)  
    on Computer  
| project  
    Computer,  
    ObjectName,  
    CounterName,  
    InstanceName,  
    TimeGenerated=mtgPerf,  
    round(CounterValue),  
    AlertType_s = "Windows Low Memory",  
    SeverityName_s = "WARNING",  
    AlertDetails_s = strcat("Computer: ", Computer, "%\r\nAlert Threshold: <= ", _minValue, "MB")  

Don't forget to use Dimensions to have 1 alert per 1 instance

Answer 2

Hi @mij2020

A few things to raise here.

1. There is no need to specify the threshold in the query anymore. This should be done in the alert wizard (thanks to @Stanislav Zhelyazkov for pointing that one out to me. I missed that on the change to the new alert model)
2. The column _ResourceId should automatically be detected, but if not, you can specify it. Our documentation has a step by step guide here. https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=log

You will be looking for step 8.f under Log Alerts:
(Optional) In the Split by dimensions section, you can use dimensions to monitor the values of multiple instances of a resource with one rule. Splitting by dimensions allows you to create resource-centric alerts at scale for a subscription or resource group. When you split by dimensions, alerts are split into separate alerts by grouping combinations of numerical or string columns to monitor for the same condition on multiple Azure resources. For example, you can monitor CPU usage on multiple instances running your website or app. Each instance is monitored individually. Notifications are sent for each instance.
Splitting on the Azure Resource ID column makes the specified resource the target of the alert.

I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.

Kind regards

Alistair

Answer 3

Thanks guys for the response - I have amended the query as provided by maserg and my alerts are working much better.
Thanks!