Mithilesh Tiwari, welcome to the Microsoft Q&A Community Forum. The "Search Result" property in your monitor alert JSON body typically appears when you have a metric alert rule configured to trigger based on a query or condition that uses Azure Monitor Logs (formerly known as Log Analytics) data. This property contains the query results when the alert condition is met. Kindly check whether the IncludedSearchResults flag is set or not. This property indicates if the payload should contain the results.
Kindly also note alerts using the common schema have an upper size limit of 256 KB per alert. If the log alerts payload includes search results that cause the alert to exceed the maximum size, the search results aren't embedded in the log alerts payload. You can check if the payload includes the search results with the IncludedSearchResults flag. Use LinkToFilteredSearchResultsAPI or LinkToSearchResultsAPI to access query results with the Log Analytics API if the search results are not included.
From the information provided, I think that your prod alert rule was created using the legacy log alerts API and the current one is being created using the scheduledQueryRules API. Alert rules created with the latest API only support the common schema and don't have the IncludedSearchResults property within the schema. You can use dimensions to provide context to fired alerts and use the LinkToFilteredSearchResultsAPI or LinkToSearchResultsAPI properties to access query results with the Log Analytics API. If you must embed the results, use a logic app with the provided links to generate a custom payload.
For more information on this, you can refer to the documents below.
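The check described in the answer, as an added example that is not part of the original post: a receiver that uses embedded search results when IncludedSearchResults is set and otherwise falls back to the API links. The payloads are constructed samples, and the nesting under data.alertContext, the SearchResults table layout and the function name resolve_results are assumptions.

```python
import json

# Constructed sample payloads (not from the original post). Assumption: the
# log-alert fields sit under data.alertContext, as in the common alert schema.
EMBEDDED = json.dumps({"data": {"alertContext": {
    "IncludedSearchResults": "True",
    "SearchResults": {"tables": [{
        "name": "PrimaryResult",
        "columns": [{"name": "Computer", "type": "string"},
                    {"name": "AggregatedValue", "type": "long"}],
        "rows": [["vm-01", 12], ["vm-02", 7]]}]},
    "LinkToFilteredSearchResultsAPI": "https://example.invalid/filtered",
    "LinkToSearchResultsAPI": "https://example.invalid/all"}}})

# Results omitted, e.g. because embedding them would exceed the 256 KB limit.
OVERSIZED = json.dumps({"data": {"alertContext": {
    "IncludedSearchResults": "False",
    "LinkToFilteredSearchResultsAPI": "https://example.invalid/filtered",
    "LinkToSearchResultsAPI": "https://example.invalid/all"}}})

# Payload that carries no IncludedSearchResults property at all.
NO_FLAG = json.dumps({"data": {"alertContext": {
    "LinkToSearchResultsAPI": "https://example.invalid/all"}}})


def resolve_results(raw):
    """Return ("embedded", rows), ("link", url) or ("none", None)."""
    ctx = json.loads(raw).get("data", {}).get("alertContext", {})
    # The flag may arrive as a string or a boolean; treat both the same way.
    flag = str(ctx.get("IncludedSearchResults", "")).lower() == "true"
    tables = (ctx.get("SearchResults") or {}).get("tables") or []
    if flag and tables:
        rows = []
        for table in tables:
            names = [col["name"] for col in table.get("columns", [])]
            rows += [dict(zip(names, row)) for row in table.get("rows", [])]
        return "embedded", rows
    # Flag absent or false, or results dropped for size: hand back a link
    # so the caller can query the Log Analytics API instead.
    for key in ("LinkToFilteredSearchResultsAPI", "LinkToSearchResultsAPI"):
        if ctx.get(key):
            return "link", ctx[key]
    return "none", None
```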