How can I get an alert for no monitor agent heartbeat in 15 minutes to work in Azure?

Question

I have this KQL query:

Heartbeat
| summarize TimeGenerated=max(TimeGenerated) by Computer, _ResourceId
| extend Duration = datetime_diff('minute',now(),TimeGenerated)
| summarize MinutesSinceLastHeartbeat = min(Duration) by Computer, bin(TimeGenerated,5m), _ResourceId
| where MinutesSinceLastHeartbeat > 15

Now, I have one computer that I disconnected, so a row is generated anytime the query is ran.

But the alert never fires. I test the action group and it works. I run the query inside the rule config, and I see the row there. Can someone explain what I'm doing wrong here or if I should be handling this query differently?

Answer 1

Thanks for posting your question in the Microsoft Q&A forum.

There are a few potential reasons why your alert might not be firing despite seeing the row when you run the query manually.

• Ensure that the alert rule is properly configured with the correct threshold and frequency. check if the alert condition is set to "Number of results" greater than 0.
• The alert evaluation might be using a different time range than what you're using when running the query manually.
• Ensure you're using a "Log Analytics" alert rule type, which is designed for custom log queries.
• To potentially improve the alert's reliability, you could modify the query to focus on the most recent data:

    Heartbeat
    | summarize TimeGenerated=max(TimeGenerated) by Computer, _ResourceId
    | extend Duration = datetime_diff('minute', now(), TimeGenerated)
    | where Duration > 7
    | project Computer, _ResourceId, MinutesSinceLastHeartbeat = Duration
  

• Enable diagnostic settings for your Alert Rules to send logs to a Log Analytics workspace.

---

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful