Automatically clear Log alerts

Bombbe 1,621 Reputation points
2022-02-23T08:13:35.897+00:00

Hi,
We are using Log Alerts V2 and Log Analytics (Monitoring Service) alerts, e.g. the following query, to generate log alerts.

Heartbeat  
| where TimeGenerated > ago(12h)  
| summarize LastCall = max(TimeGenerated) by Computer, _ResourceId  
| where LastCall < ago(2h)  


We have the issue that the alert never goes to the "Resolved" state, and thus we never receive an email when the alert is cleared, even though in reality the alert is basically resolved. Is there any workaround to resolve this 'problem'?


This is also enabled for the alert


Azure Monitor

Accepted answer
  1. Stanislav Zhelyazkov 23,421 Reputation points MVP
    2022-02-23T08:35:47.62+00:00

    Hi,
    Try with the query below. Set aggregation granularity to 12 hours. For Measure choose HeartBeatMissing and for aggregation type Average. Add Computer and _ResourceId as dimensions. Operator is greater than 0.

        Heartbeat
        | summarize LastCall = max(TimeGenerated) by Computer, _ResourceId
        | extend HeartBeatMissing = iff(LastCall < ago(2h), 1, 0)
    

    If you want to use the automitigate feature, you will have to generate results, and whether an alert is generated or not will depend on the threshold. If the threshold is no longer met but the _ResourceId is still in the results of the query, automitigate will know to resolve the alert. Also, if you want to have this by Computer and _ResourceId, those columns need to be in dimensions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
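
The settings from the accepted answer written out as a Bicep alert rule, as an added example that is not part of the original thread. The rule name, severity, evaluation frequency, failing-period values and both parameters are assumptions; the query, measure, aggregation, dimensions, operator, threshold and 12-hour window come from the answer.

```bicep
// Added example, not from the thread. Names and parameters are placeholders.
param workspaceId string    // assumed: resource ID of the Log Analytics workspace
param actionGroupId string  // assumed: resource ID of an existing action group

resource heartbeatMissing 'Microsoft.Insights/scheduledQueryRules@2021-08-01' = {
  name: 'heartbeat-missing' // placeholder rule name
  location: resourceGroup().location
  properties: {
    severity: 2                   // assumption, not stated in the thread
    enabled: true
    scopes: [
      workspaceId
    ]
    evaluationFrequency: 'PT15M'  // assumption, not stated in the thread
    windowSize: 'PT12H'           // aggregation granularity of 12 hours
    autoMitigate: true            // lets the alert move to "Resolved"
    criteria: {
      allOf: [
        {
          // Every computer stays in the result set; the 0/1 measure
          // decides whether the threshold is met for that computer.
          query: 'Heartbeat | summarize LastCall = max(TimeGenerated) by Computer, _ResourceId | extend HeartBeatMissing = iff(LastCall < ago(2h), 1, 0)'
          metricMeasureColumn: 'HeartBeatMissing'
          timeAggregation: 'Average'
          dimensions: [
            {
              name: 'Computer'
              operator: 'Include'
              values: [
                '*'
              ]
            }
            {
              name: '_ResourceId'
              operator: 'Include'
              values: [
                '*'
              ]
            }
          ]
          operator: 'GreaterThan'
          threshold: 0
          failingPeriods: {
            numberOfEvaluationPeriods: 1 // assumption
            minFailingPeriodsToAlert: 1  // assumption
          }
        }
      ]
    }
    actions: {
      actionGroups: [
        actionGroupId
      ]
    }
  }
}
```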

