Avoid double trigger the same alerts.

Question

Avoid double trigger the same alerts.

Nasimjon Tohirov 261

Hello everyone,

I don't know what to do anymore, I tried everything, but it worked. I ask you to help. There is a ContainerLog which comes every 35 seconds. You need to make a warning so that there is some string inside the log. For example,

ContainerLog |where Image has "nginx" and Log has "Log=Warning"

I made an alert custom log search and the alert logic is

Operator: greater than   
Threshold value: 0   
Frequency of evaluation: 1 minute.

Measurement

Measure: Table rows  
Aggregation type: Count  
Aggregation granularity: 1 minute

If you need more info, I can provide.

Thanks,

Regards,
Nasimjon.

AnuragSingh-MSFT 21,546 Reputation points Moderator

2023-01-12T08:25:33.7+00:00

Nasimjon Tohirov, following up to check if the answers/replies by Stanislav below helped you resolve the issue. As he mentions in the comment reply, "dimensions" could be one of the reasons for getting multiple alerts for same data instance. Did you check that?

In case the explanations do not help, please create a support ticket with Azure Support so that it can be investigated 1:1. Please see Azure Support for more details.

Please let us know if you have any questions.

1 answer

Your answer

AnuragSingh-MSFT 21,546 Reputation points Moderator

2023-01-12T08:25:33.7+00:00

Nasimjon Tohirov, following up to check if the answers/replies by Stanislav below helped you resolve the issue. As he mentions in the comment reply, "dimensions" could be one of the reasons for getting multiple alerts for same data instance. Did you check that?

In case the explanations do not help, please create a support ticket with Azure Support so that it can be investigated 1:1. Please see Azure Support for more details.

Please let us know if you have any questions.

Answer 1

Hi, It is not completely clear what issue you have exactly and what your question is. Nevertheless, I will try to guess and answer best on your guess. I will start with the title of your question: "Avoid double trigger the same alerts." You will not get alert triggered for twice for the same data. Each time the alert rule triggers it produces a separate alert instance. Each alert instance is triggered for different set of data (parameters). So even if you see many of the information repeating in the results of the data something will be different like the TimeGenerated value. With the information provided a new alert instance will be generated every time there are results from the query. For example, let's say you have created the alert, and you get 5 alert instances in the next 10 minutes. When you execute the query on your own you will see for example 5 records for the same thing but each one of them generated at 2 minutes difference between each other. This is how the alert rules work. If you need more information on Log Alert v2 you can check my blog post. In the blog post you can also find a link to another blog post explaining Log Alert v1 as well. In general, v1 and v2 work in the same way but v2 adds some important capabilities to enhance the experience of setting alert rule. When you read the blog post take a note on the stateful vs stateless capability (auto mitigate feature). As you are alerting based on events not metrics I would not advise you to use stateful capability as the alert rule will not work correctly. Stateful is suitable for metrics data which has a constant logging of data on certain frequency. Depends on what you want to achieve exactly may be Mute action option could be suitable for you. But keep in mind that the mute action will halt the whole rule for the number of time you specify. So even if you get warnings for another container during that mute period you will not get alert instance.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Nasimjon Tohirov 261 Reputation points

2023-01-11T07:52:38.9833333+00:00

Hi Stan, Thanks for your reply. Sorry for being so bad at explaining the problem. The problem is that the Alarm is triggered and sometimes the previous message in the log comes. For example:

127.0.0.1 - - [10/Oct/2020:15:10:20 -0600] "HEAD / HTTP/1.1" 200 0 127.0.0.1 - - [10/Oct/2020:15:10:21 -0200] "HEAD / HTTP/1.1" 200 0

Next comes the same also (After 60 sec).

127.0.0.1 - - [10/Oct/2020:15:10:20 -0600] "HEAD / HTTP/1.1" 200 0 127.0.0.1 - - [10/Oct/2020:15:10:21 -0200] "HEAD / HTTP/1.1" 200 0

I know that the problem is TimeGenerated, but how can I find this issue?

TimeGenerated between (ago(60s) .. now())

Thanks for helping.

Regards, Nasimjon.
Stanislav Zhelyazkov 28,186 Reputation points MVP Volunteer Moderator

2023-01-11T08:12:10.65+00:00

The way that you are describing is that for the same set of data you getting tow alert instances. I have never seen that behavior and if you really have such you should contact Azure Support. At least that is my impression by posting examples of the same data for two different alert instances. The way I would check if that is the case is first to see if you have dimensions configured for your alert rule. If so when you go to Monitor blade - > Alerts and when you click on each alert instance dimension value should be different. If it is not different the next thing that I would check is Monitor blade - > Alerts and click on each alert. For each alert click on view query results above Filtered search results

This will take you to the results that caused each alert instance to be fired separately. For each query displayed I would add '''| project _ItemId''' at the end of the query and re-run it again. _ItemId is hidden column that is available for each record and specifies unique ID for it. If the _ItemId values are the same for both query results than the alert rule triggers two different instances for the same data. In that case I would contact Azure Support. If they are different the alert instances are triggered for different set of records no matter that all the other columns are the same if unique IDs are different these are different records.

Share via

Avoid double trigger the same alerts.

1 answer

Your answer