Log Search Alert V2 – Customizable Email Subject does not resolve dynamic columns from Single Event (Preview)

Question

Log Search Alert V2 – Customizable Email Subject does not resolve dynamic columns from Single Event (Preview)

Capiteq Support 0

Hello,

I am trying to use the Customizable Email Subjects for Log Search Alerts V2 feature as announced here: https://techcommunity.microsoft.com/blog/azureobservabilityblog/announcing-the-launch-of-customizable-email-subjects-for-log-search-alerts-v2-in/4411910

According to the documentation, it should be possible to reference columns from a Log Analytics query in the email subject when using Single event (preview).

However, I am unable to get any dynamic value from the query output to be resolved in the email subject.

Query Used (Single event – preview)

AddonAzureBackupJobs
| where BackupManagementType == "IaaSVM"
| where JobOperation == "Backup"
| where JobStatus in ("Completed", "Failed")
| extend Status = case(JobStatus == "Completed", "SUCCESS",
                       JobStatus == "Failed", "FAILED",
                       "UNKNOWN")
| extend Resource = split(BackupItemUniqueId, ";")[-1]
| project TimeGenerated, Resource, Status

Sample Output

TimeGenerated                Resource     Status
2/4/2026 11:20:51 PM         damsgfs03    SUCCESS

Expected Email Subject

[AZURE][BACKUP][CLIENT=DAM][RESOURCE=damsgfs03][RESULTAT=SUCCESS]

What I Tried

I attempted multiple formats documented or commonly used for alertContext parsing:

${data.alertContext.SearchQueryResults[0][1]}
${data.alertContext.SearchQueryResults[0]["Resource"]}
${data.alertContext.SearchQueryResults.tables[0].rows[0][0]}
${data.alertContext.SearchQueryResults.tables[0].rows[0]["Resource"]}
${data.alertContext.SearchQueryResults.tables[0].rows}

Example subject:

[AZURE][BACKUP][CLIENT=DAM]
SimpleIndex: [RESOURCE=${data.alertContext.SearchQueryResults[0][1]}][STATUS=${data.alertContext.SearchQueryResults[0][2]}]
SimpleKey: [RESOURCE=${data.alertContext.SearchQueryResults[0]["Resource"]}][STATUS=${data.alertContext.SearchQueryResults[0]["Status"]}]
TableIndex: [RESOURCE=${data.alertContext.SearchQueryResults.tables[0].rows[0][0]}][STATUS=${data.alertContext.SearchQueryResults.tables[0].rows[0][1]}]
TableKey: [RESOURCE=${data.alertContext.SearchQueryResults.tables[0].rows[0]["Resource"]}][STATUS=${data.alertContext.SearchQueryResults.tables[0].rows[0]["Status"]}]

Actual Result

All tokens are received literally in the email subject (not interpreted):

[RESOURCE=${data.alertContext.SearchQueryResults[0][1}]

etc.

No dynamic value is resolved.

Additional Notes

Alert type: Log Search Alert V2

Query type: Single event (preview)

Common Alert Schema enabled

Action Group: Email

No Logic App or webhook in between

Suchitra Suregaunkar 8,070 Reputation points Microsoft External Staff Moderator

2026-02-05T04:24:03.05+00:00
Hello Capiteq Support

Thank you for Posting your query on Microsoft Q&A platform.

Dynamic column values from a Log Analytics query are not currently supported in the email subject of Log Search Alerts v2, even when:

Single event (preview) is selected

Common Alert Schema is enabled

Customizable Email Subject is configured

All ${data.alertContext...} expressions are treated as literal text in the email subject. This is expected behavior as of today.

Customizable email subject does not support template parsing

The Customizable Email Subject feature allows static text only. It does not evaluate:

JavaScript‑style ${} expressions

Alert context / query result fields

SearchQueryResults objects

This is why your subject arrives exactly as entered:

[RESOURCE=${data.alertContext.SearchQueryResults[0][1]}]

No token substitution occurs.

Query results are available only in the email body

Even with:

Log Search Alert v2

Single event (preview)

Common Alert Schema enabled

The Log Analytics query output is only guaranteed to populate:

Email body

Webhook payloads

Logic App / Automation consumers

➡ The email subject is rendered before alertContext evaluation, so it never resolves query columns.

Query results are available only in the email body.

Even with:

Log Search Alert v2

Single event (preview)

Common Alert Schema enabled

The Log Analytics query output is only guaranteed to populate:

Email body

Webhook payloads

Logic App / Automation consumers

The email subject is rendered before alertContext evaluation, so it never resolves query columns.

The announcement describes customizable email subjects, but does not claim support for:

Query column substitution

alertContext evaluation in subject

https://techcommunity.microsoft.com/blog/azureobservabilityblog/announcing-the-launch-of-customizable-email-subjects-for-log-search-alerts-v2-in/4411910

All examples of SearchQueryResults usage appear in:

Email body

Logic Apps

Webhooks

As a resolution try below supported Workarounds:

Option 1: Put dynamic values in the email body (supported)

Your query fields like:

Resource

Status

Will resolve correctly in the body, for example:

Resource: {{SearchQueryResults[0].Resource}} Status: {{SearchQueryResults[0].Status}}

Option 2 — Use Logic App or Webhook (fully dynamic)

If dynamic subject lines are required:

Send alert to Logic App / Webhook

Read alertContext.SearchQueryResults

Construct subject dynamically

Send email via O365 / SMTP

➡ This is the only supported way today to get:

[RESOURCE=damsgfs03][RESULT=SUCCESS]

in the subject line.

These will not work in the email subject for Log Search Alerts v2:

${data.alertContext...}

{{SearchQueryResults...}}

Table index or key references

Any JavaScript‑style or ARM‑style token

If a dynamic subject line is required, Microsoft officially supports:

Sending the alert to a Logic App or webhook

Extracting alertContext.SearchQueryResults

Sending a custom email with a dynamic subject

Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-common-schema

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-logic-apps?tabs=send-email

Kindly let us know if the solution provided helped for you.

If you need any further assistance, please feel free to reach out.

Thanks,

Suchitra.
Suchitra Suregaunkar 8,070 Reputation points Microsoft External Staff Moderator

2026-02-10T08:13:21.1766667+00:00

Hello Capiteq Support

Please let us know if the suggested resolution helped/ addressed your concern. If it did, we’d appreciate your feedback on the proposed resolution as it helps others with similar issues.

If the resolution did not help, feel free to share more details about the challenge you’re still facing. Any additional information such as your current issue or specific errors will help us perform a deeper analysis and provide more targeted guidance.

We’re happy to continue assisting and work with you toward the right solution.

Thanks,

Suchitra.

1 answer

Your answer

Suchitra Suregaunkar 8,070 Reputation points Microsoft External Staff Moderator

2026-02-10T08:13:21.1766667+00:00

Hello Capiteq Support

Please let us know if the suggested resolution helped/ addressed your concern. If it did, we’d appreciate your feedback on the proposed resolution as it helps others with similar issues.

If the resolution did not help, feel free to share more details about the challenge you’re still facing. Any additional information such as your current issue or specific errors will help us perform a deeper analysis and provide more targeted guidance.

We’re happy to continue assisting and work with you toward the right solution.

Thanks,

Suchitra.

Answer 1

It seems you are experiencing issues with resolving dynamic values in the email subject for Log Search Alerts V2. Based on the context provided, here are a few points to consider:

Common Alert Schema: Ensure that the Common Alert Schema is correctly configured, as it can affect how dynamic values are parsed and included in the email subject. You mentioned that it is enabled, which is good.
Dynamic Value Format: The format for extracting dynamic values from the alert payload should follow the common alert schema. For instance, you should use the correct path to the schema fields. The format for extracting a dynamic value is typically ${data.essentials.<field>}. Ensure that you are using the correct field names as per the schema.
Testing with Different Tokens: Since you are receiving the tokens literally, it may be worth testing with simpler tokens or checking if the alert is indeed firing with the expected data. Sometimes, the issue could be with the alert not returning the expected results.
Documentation Review: Review the documentation for any updates or specific examples related to the Single Event (preview) feature, as there may be nuances in how dynamic values are handled in this particular context.

If the issue persists, consider reaching out to Microsoft support or checking community forums for similar experiences, as they may provide additional insights or solutions.

References:

Share via

Log Search Alert V2 – Customizable Email Subject does not resolve dynamic columns from Single Event (Preview)

Query Used (Single event – preview)

Sample Output

Expected Email Subject

What I Tried

Actual Result

Additional Notes

1 answer

Your answer