Hi @Antony Britto ,
To write the Kusto queries and test them out, you may go to Azure Portal -> <Your Log Analytics Workspace> -> 'Logs' tile -> write the query in the query window, click on 'Run' and verify the result.
To get started with Kusto queries in Azure Monitor, refer to this Azure document.
To configure alerts for the monitoring and to set queries, you may follow one of the two ways mentioned below:
- Go to Azure Portal -> <Your Log Analytics workspace> -> 'Logs' tile -> Test the query in query window -> Click on '+New alert rule' -> Click on your condition name -> Configure 'alert logic' and 'Evaluated based on' sections -> Click 'Done' -> Configure 'Actions' and 'Alert rule details' sections -> Click 'create alert rule'.
- Go to Azure Portal -> <Your Log Analytics workspace> -> 'Alerts' tile -> Click on '+New alert rule' -> Click 'select resource' to select the scope for this alert to consider -> Set Log analytics workspace as the scope and click 'Done' -> Click 'add condition' -> Click on 'custom log search' signal name -> write down your query in 'search query' section -> Configure 'alert logic' and 'Evaluated based on' sections -> Click 'Done' -> Configure 'Actions' and 'Alert rule details' sections -> Click 'create alert rule'.
You may also refer to this Azure document for an overview of the alerts, and also check the references provided in the 'Recommended content' section of the same Azure document, which explain how to create, view and manage various alerts.
To monitor disk space on Linux servers we have two counters, i.e. used space and free space. So, we can use either one of them to get alerted on total low disk space. Below are the sample Kusto queries for the same.
Perf
| where ( ObjectName == "Logical Disk" )
| where ( CounterName == "% Used Space" )
| where ( InstanceName == "_Total" )
| summarize AggregatedValue= avg(CounterValue) by Computer, bin(TimeGenerated, 30s)
Perf
| where ( ObjectName == "Logical Disk" )
| where ( CounterName == "% Free Space" )
| where ( InstanceName == "_Total" )
| summarize AggregatedValue= avg(CounterValue) by Computer, bin(TimeGenerated, 30s)
Similarly, if you want a query for the used space or free space on the disk mounted on root only, rather than on the total instance, your queries would look like:
Perf
| where ( ObjectName == "Logical Disk" )
| where ( CounterName == "% Used Space" )
| where ( InstanceName == "/" )
| summarize AggregatedValue= avg(CounterValue) by Computer, bin(TimeGenerated, 30s)
Perf
| where ( ObjectName == "Logical Disk" )
| where ( CounterName == "% Free Space" )
| where ( InstanceName == "/" )
| summarize AggregatedValue= avg(CounterValue) by Computer, bin(TimeGenerated, 30s)
Similarly, the query for total CPU usage is:
Perf
| where ( ObjectName == "Processor" )
| where ( CounterName == "% Processor Time" )
| where ( InstanceName == "_Total" )
| summarize AggregatedValue= avg(CounterValue) by Computer, bin(TimeGenerated, 30s)
Similarly, the queries for used memory and used swap memory are:
Perf
| where ( ObjectName == "Memory" )
| where ( CounterName == "% Used Memory" )
| where ( InstanceName == "Memory" )
| summarize AggregatedValue= avg(CounterValue) by Computer, bin(TimeGenerated, 30s)
Perf
| where ( ObjectName == "Memory" )
| where ( CounterName == "% Used Swap Space" )
| where ( InstanceName == "Memory" )
| summarize AggregatedValue= avg(CounterValue) by Computer, bin(TimeGenerated, 30s)
Note that if you want to monitor any particular set of servers, then you would need to add another where condition providing those server names in the queries. Also, refer to this Azure Monitor Community GitHub repo for Kusto queries and alerts related not only to VMs but to many Azure services.
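As an added example (not part of the answer above), the following query combines the pieces the answer describes: it restricts the check to a named set of servers, evaluates each mounted file system separately rather than the _Total aggregate (so a single full mount cannot hide behind a healthy total), and applies a free-space threshold so the result set is non-empty only when a disk needs attention. The host names and the 10% threshold are constructed placeholders.

```kusto
// Constructed placeholder list of the Linux servers to watch; replace with your own names.
let watched = dynamic(["web01", "web02", "db01"]);
// Alert when average free space over the bin drops below this percentage (placeholder value).
let threshold = 10.0;
Perf
| where ObjectName == "Logical Disk" and CounterName == "% Free Space"
// Evaluate each mounted file system on its own; _Total masks a single full mount.
| where InstanceName != "_Total"
// Case-insensitive match against the watched server names.
| where Computer in~ (watched)
| summarize AggregatedValue = avg(CounterValue) by Computer, InstanceName, bin(TimeGenerated, 5m)
| where AggregatedValue < threshold
| project TimeGenerated, Computer, InstanceName, FreeSpacePercent = round(AggregatedValue, 1)
| order by TimeGenerated desc
```

When used in an alert rule, set the 'alert logic' to fire when the number of results is greater than 0, so one row per affected Computer and InstanceName is what triggers the alert.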