Azure Alert - Custom JSON payload with log search alert

Question

Azure Alert - Custom JSON payload with log search alert

Emanuele 31

Hi all,

i configured some azure alert with log analytics query. I found that the payload generated is different from azure metric alert. In Log Search alert I miss Activated and deactivated status and the mail generated is always with the same header(if is activated or deactivated):

the payload generated is like this one:

{"WebhookName":"MyAlert","RequestBody":"{\"schemaId\":\"Microsoft.Insights/LogAlert\",\"data\":{\r\n \"SubscriptionId\": \"12345678\",\r\n \"AlertRuleName\": \"MyRuleName\",\r\n \"SearchQuery\": \"MyQuery",\r\n \"SearchIntervalEndtimeUtc\": \"2021-08-09T16:48:05Z\",\r\n \"AlertThresholdOperator\": \"Greater Than\",\r\n \"AlertThresholdValue\": 1.0,\r\n \"ResultCount\": 0,\r\n \"SearchIntervalInSeconds\": 300,\r\n \"LinkToSearchResults\": \"MyLink",\r\n \"LinkToFilteredSearchResultsUI\": \"MyLink",\r\n \"LinkToSearchResultsAPI\": \"MyLink",\r\n \"LinkToFilteredSearchResultsAPI\": \"MyLink",\r\n \"Description\": \"MyDescription",\r\n \"Severity\": \"1\",\r\n \"ApplicationId\": \"MyId",\r\n \"AlertType\": \"Number of results\"\r\n}}","RequestHeader":{"Connection":"Keep-Alive","Expect":"100-continue","Host":"MyHost","User-Agent":"IcMBroadcaster/1.0","X-CorrelationContext":"MyCorrelation","x-ms-request-id":"MyRequest"}}
respect azure metrics, as written before, i miss this into json the status with Activated or deactivated:

"WebhookName":"MyAlert","RequestBody":"{\"schemaId\":\"AzureMonitorMetricAlert\",\"data\":{\"version\":\"2.0\",\"properties\":null,\"status\":\"Activated\",
i see that into log search alert is possible to insert a custom JSON:

i tried to add:

{"status":"Activated"}
without success.

Is possible to add Activated and Deactivated status?

Thanks

Accepted answer

0 additional answers

Your answer

Answer 1

Stanislav Zhelyazkov 28,186 MVP Volunteer Moderator

Hi,
If I understand correctly, you are using Log Search alert and you are using e-mails notification in action group. You want to add some custom data, so it appears in the e-mail. That is not possible. You can only change the subject of the e-mail with Log Search alert. Adding custom payload is option for action group integrations that rely on webhooks like Webhook, Function, Logic App, etc. It is the payload you send to the webhook that is changed. If you want to have such kind of functionality you should use integration like Logic App where you can process the webhook in a way that you want and use your e-mail system to format and send the e-mail.
Other option could be to use the Kusto query language to add static column and value to your like query. Something like:
| extend status = 'Activated'

I believe partial results from the query are available in the e-mail.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Emanuele 31 Reputation points

2021-08-16T07:58:04.147+00:00

Hi @Stanislav Zhelyazkov ,

yes i'm using log search and action group. My problem is that when alert trigger the automation account that call us.
We take the payload from the alert and the runbook call us if into the payload exist activated(it works with Azure Alert Metrics because status activated exist into payload) and runbook doesn't call us when alert gone in deactivated mode(we need to do this because Azure alert if status go to activated or deactivated, called us).

If i put into whery | extend status = 'Activated' i think it can't work becouse runbook check Activated and will call us is status gone activated or deactivated.

I hope I was more precise now by adding this bit

Share via

Azure Alert - Custom JSON payload with log search alert

0 additional answers

Your answer