How to view Azure Monitor Alerts that triggered more than 30 days back

Question

How can I view the list of Azure Monitor Alerts that were triggered more than 30 days ago? I need to verify if there are any alerts that are still in the ‘Fired’ state because they have not been resolved.

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview#stateful-alerts

For stateful alerts, while the alert itself is deleted after 30 days, the alert condition is stored until the alert is resolved. This is done to prevent triggering another alert and to ensure that notifications can be sent when the alert is resolved."

Answer 1

Hi Justin,

Based on your question we understand that you want to know the Azure Monitor Alerts that triggered more than 30 days back.

Here are some steps you can take to troubleshoot and resolve this issue:

All the alert instances in all your Azure resources generated in the last 30 days. Alerts are stored for 30 days and are deleted after the 30-day retention period.

For stateful alerts, while the alert itself is deleted after 30 days, and isn't viewable on the alerts page, the alert condition is stored until the alert is resolved, to prevent firing another alert, and so that notifications can be sent when the alert is resolved.

In a timeline view, you can see the number of alerts fired in a specific time range. The timeline shows you which resource the alerts were fired on to give you context of the alert in your Azure hierarchy. The alerts are grouped by the time they were fired.

You can filter the alerts by severity, resource, and more. You can also select a specific time range to see the alerts fired in that time range.

Please find the below documentation for your reference:
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-manage-alert-instances

If you are still facing any issue, please let us know in the comments. We are happy to assist you.

If the information is helpful, please accept the answer by clicking the "Upvote" and "Accept Answer" on the post.

Thank you.

Answer 2

Hello Justin_MSCloud,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

Problem

I understand that you would like to retrieve this historical data and verify the alert statuses effectively. Especially, to view Azure Monitor Alerts that were triggered more than 30 days ago and determine if any of these alerts are still in the 'Fired' state, as they might not have been resolved yet. The Azure Monitor service deletes alerts after 30 days, but the alert conditions are stored until resolved.

Solution

In the Log Analytics query window, you can use a Kusto Query Language (KQL) query to find alerts that were triggered more than 30 days ago and are still in the ‘Fired’ state.

AzureDiagnostics
| where ResourceType == "ALERTS" and TimeGenerated < ago(30d) and AlertState == "Fired"
| project TimeGenerated, AlertName, AlertState, Resource, Severity
| order by TimeGenerated desc

Click on "Run" to execute the query. The results will show a list of alerts that were triggered more than 30 days ago and are still in the ‘Fired’ state.

Here is how to get to the Log Analytics:

Log in to the Azure Portal.

1. In the left-hand menu, click on "Monitor" to open Azure Monitor.
2. Under the "Monitoring" section, click on "Logs" to open Log Analytics.
3. Select the appropriate Log Analytics workspace that is connected to your Azure Monitor.

References

Source: Azure Monitor Logs cheat sheet. Accessed, 6/4/2024.

Source: KQL where operator. Accessed, 6/4/2024.

Source: KQL project operator. Accessed, 6/4/2024.

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam