Issue with Azure Monitor Alerting Heartbeat

Question

Hello Team,

I'm working to create an alert heartbeat for my VMs, my VMs are monitored with VM Insight, and data is written into a log analytic workspace

here is my query :

Heartbeat
| where TimeGenerated > ago(168h)
| summarize LastCall = max(TimeGenerated) by Computer
| where LastCall < ago(5m)

=> Listing all the heartbeat from the past Week
=> Summarzing the output by the last generated heartbeat date
=> Identify the VMs that didn't send a heartbeat in the last 5min

When i run the query into the log analytics, the ouput is correct.
But when, i create the alert rule and put query on it, i receive no alerts, and even on the computer dimension on the alert rule, i cannot see the computers that didn't send the heartbeat over the last 5min eventhough when i execute the query on the log analytics i can see them, any idea please?

Output on the log analytics :

Configuration of the alert :


Dimensions showing 0 computers:

Answer 1

Hello @Mohamed jihad bayali

Your issue here I believe is the maximum time range that the alert can look back.

The alert time range is limited to a maximum of two days. Even if the query contains an ago command with a time range of longer than 2 days, the 2 day maximum time range is applied. For example, even if the query text contains ago(7d), the query only scans up to 2 days of data.

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=log

If you click advanced settings and check the override query time range you will see it is set to 2 days. As 168hrs (7 days) is set in your query, it will default to the maximum allow time range of 2 days. Hence why you do not have any alerts for the devices you have listed above.

I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.

Kind Regards

Alistair