Scheduled Query Rules - Create Or Update

Creates or updates a log search rule.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Insights/scheduledQueryRules/{ruleName}?api-version=2018-04-16

URI Parameters

| Name | In | Required | Type | Description |
|---|---|---|---|---|
| resourceGroupName | path | True | string | The name of the resource group. The name is case insensitive. |
| ruleName | path | True | string | The name of the rule. |
| subscriptionId | path | True | string | The ID of the target subscription. |
| api-version | query | True | string | The API version to use for this operation. |

Request Body

| Name | Required | Type | Description |
|---|---|---|---|
| location | True | string | Resource location |
| properties.action | True | Action | Action needs to be taken on rule execution. |
| properties.source | True | Source | Data Source against which rule will Query Data |
| properties.autoMitigate |  | boolean | The flag that indicates whether the alert should be automatically resolved or not. The default is false. |
| properties.description |  | string | The description of the Log Search rule. |
| properties.displayName |  | string | The display name of the alert rule |
| properties.enabled |  | enabled | The flag which indicates whether the Log Search rule is enabled. Value should be true or false |
| properties.schedule |  | Schedule | Schedule (Frequency, Time Window) for rule. Required for action type - AlertingAction |
| tags |  | object | Resource tags |

Responses

| Name | Type | Description |
|---|---|---|
| 200 OK | LogSearchRuleResource | Successful request to update a Log Search rule |
| 201 Created | LogSearchRuleResource | Created alert rule |
| Other Status Codes | ErrorContract | Error response describing why the operation failed. |

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |

Examples

Create or Update rule - AlertingAction

Sample request

PUT https://management.azure.com/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourcegroups/Rac46PostSwapRG/providers/Microsoft.Insights/scheduledQueryRules/logalertfoo?api-version=2018-04-16

{
  "location": "eastus",
  "tags": {},
  "properties": {
    "description": "log alert description",
    "enabled": "true",
    "source": {
      "query": "Heartbeat | summarize AggregatedValue = count() by bin(TimeGenerated, 5m)",
      "dataSourceId": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/Microsoft.OperationalInsights/workspaces/sampleWorkspace",
      "queryType": "ResultCount"
    },
    "schedule": {
      "frequencyInMinutes": 15,
      "timeWindowInMinutes": 15
    },
    "action": {
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",
      "severity": "1",
      "aznsAction": {
        "actionGroup": [],
        "emailSubject": "Email Header",
        "customWebhookPayload": "{}"
      },
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 3,
        "metricTrigger": {
          "thresholdOperator": "GreaterThan",
          "threshold": 5,
          "metricTriggerType": "Consecutive",
          "metricColumn": "Computer"
        }
      }
    }
  }
}

Sample response

{
  "id": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/scheduledQueryRules/logalertfoo",
  "name": "logalertfoo",
  "type": "Microsoft.Insights/scheduledQueryRules",
  "location": "eastus",
  "tags": {},
  "properties": {
    "description": "log alert description",
    "enabled": "true",
    "lastUpdatedTime": "2017-06-23T21:23:52.0221265Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": "Heartbeat | summarize AggregatedValue = count() by bin(TimeGenerated, 5m)",
      "dataSourceId": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/Microsoft.OperationalInsights/workspaces/sampleWorkspace",
      "queryType": "ResultCount"
    },
    "schedule": {
      "frequencyInMinutes": 15,
      "timeWindowInMinutes": 15
    },
    "action": {
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",
      "severity": "1",
      "aznsAction": {
        "actionGroup": [],
        "emailSubject": "Email Header",
        "customWebhookPayload": "{}"
      },
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 3,
        "metricTrigger": {
          "thresholdOperator": "GreaterThan",
          "threshold": 5,
          "metricTriggerType": "Consecutive",
          "metricColumn": "Computer"
        }
      }
    }
  }
}
{
  "id": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/scheduledQueryRules/logalertfoo",
  "name": "logalertfoo",
  "type": "Microsoft.Insights/scheduledQueryRules",
  "location": "eastus",
  "tags": {},
  "properties": {
    "description": "log alert description",
    "enabled": "true",
    "lastUpdatedTime": "2017-06-23T21:23:52.0221265Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": "Heartbeat",
      "queryType": "ResultCount",
      "dataSourceId": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/Microsoft.OperationalInsights/workspaces/sampleWorkspace"
    },
    "schedule": {
      "frequencyInMinutes": 15,
      "timeWindowInMinutes": 15
    },
    "action": {
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",
      "severity": "1",
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 3
      },
      "aznsAction": {
        "actionGroup": [],
        "emailSubject": "Email Header",
        "customWebhookPayload": "{}"
      }
    }
  }
}

Create or Update rule - AlertingAction with Cross-Resource

Sample request

PUT https://management.azure.com/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourcegroups/Rac46PostSwapRG/providers/Microsoft.Insights/scheduledQueryRules/SampleCrossResourceAlert?api-version=2018-04-16

{
  "location": "eastus",
  "tags": {},
  "properties": {
    "description": "Sample Cross Resource alert",
    "enabled": "true",
    "source": {
      "query": "union requests, workspace(\"sampleWorkspace\").Update",
      "authorizedResources": [
        "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/Microsoft.OperationalInsights/workspaces/sampleWorkspace",
        "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/components/sampleAI"
      ],
      "dataSourceId": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/components/sampleAI",
      "queryType": "ResultCount"
    },
    "schedule": {
      "frequencyInMinutes": 60,
      "timeWindowInMinutes": 60
    },
    "action": {
      "severity": "3",
      "aznsAction": {
        "actionGroup": [
          "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/actiongroups/test-ag"
        ],
        "emailSubject": "Cross Resource Mail!!"
      },
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 5000
      },
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction"
    }
  }
}

Sample response

{
  "id": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/scheduledQueryRules/SampleCrossResourceAlert",
  "name": "SampleCrossResourceAlert",
  "type": "Microsoft.Insights/scheduledQueryRules",
  "location": "eastus",
  "tags": {},
  "properties": {
    "description": "Sample Cross Resource alert",
    "enabled": "true",
    "lastUpdatedTime": "2018-09-04T06:27:58.3892575Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": "union requests, workspace(\"sampleWorkspace\").Update",
      "authorizedResources": [
        "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/Microsoft.OperationalInsights/workspaces/sampleWorkspace",
        "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/components/sampleAI"
      ],
      "dataSourceId": "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/components/sampleAI",
      "queryType": "ResultCount"
    },
    "schedule": {
      "frequencyInMinutes": 60,
      "timeWindowInMinutes": 60
    },
    "action": {
      "severity": "3",
      "aznsAction": {
        "actionGroup": [
          "/subscriptions/b67f7fec-69fc-4974-9099-a26bd6ffeda3/resourceGroups/Rac46PostSwapRG/providers/microsoft.insights/actiongroups/test-ag"
        ],
        "emailSubject": "Cross Resource Mail!!"
      },
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 5000
      },
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction"
    }
  }
}

Create or Update rule - LogToMetricAction

Sample request

PUT https://management.azure.com/subscriptions/af52d502-a447-4bc6-8cb7-4780fbb00490/resourcegroups/alertsweu/providers/Microsoft.Insights/scheduledQueryRules/logtometricfoo?api-version=2018-04-16

{
  "location": "West Europe",
  "tags": {},
  "properties": {
    "description": "log to metric description",
    "enabled": "true",
    "source": {
      "dataSourceId": "/subscriptions/af52d502-a447-4bc6-8cb7-4780fbb00490/resourceGroups/alertsweu/providers/Microsoft.OperationalInsights/workspaces/alertsweu"
    },
    "action": {
      "criteria": [
        {
          "metricName": "Average_% Idle Time",
          "dimensions": []
        }
      ],
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.LogToMetricAction"
    }
  }
}

Sample response

{
  "id": "/subscriptions/af52d502-a447-4bc6-8cb7-4780fbb00490/resourceGroups/alertsweu/providers/microsoft.insights/scheduledqueryrules/logtometricfoo",
  "name": "logtometricfoo",
  "type": "microsoft.insights/scheduledqueryrules",
  "location": "westeurope",
  "tags": {},
  "properties": {
    "description": "log to metric description",
    "displayName": "logtometricfoo",
    "enabled": "true",
    "lastUpdatedTime": "2018-09-04T06:31:56.3737792Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": null,
      "dataSourceId": "/subscriptions/af52d502-a447-4bc6-8cb7-4780fbb00490/resourceGroups/alertsweu/providers/Microsoft.OperationalInsights/workspaces/alertsweu"
    },
    "schedule": null,
    "action": {
      "criteria": [
        {
          "metricName": "Average_% Idle Time",
          "dimensions": []
        }
      ],
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.LogToMetricAction"
    }
  }
}
{
  "id": "/subscriptions/af52d502-a447-4bc6-8cb7-4780fbb00490/resourceGroups/alertsweu/providers/microsoft.insights/scheduledqueryrules/logtometricfoo",
  "name": "logtometricfoo",
  "type": "microsoft.insights/scheduledqueryrules",
  "location": "westeurope",
  "tags": {},
  "properties": {
    "description": "log to metric description",
    "enabled": "true",
    "lastUpdatedTime": "2018-09-04T06:27:58.3892575Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": null,
      "dataSourceId": "/subscriptions/af52d502-a447-4bc6-8cb7-4780fbb00490/resourceGroups/alertsweu/providers/Microsoft.OperationalInsights/workspaces/alertsweu"
    },
    "schedule": null,
    "action": {
      "criteria": [
        {
          "metricName": "Average_% Idle Time",
          "dimensions": []
        }
      ],
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.LogToMetricAction"
    }
  }
}

Definitions

| Name | Description |
|---|---|
| AlertingAction | Specifies the action to be taken when the rule type is Alert |
| AlertSeverity | Severity Level of Alert |
| AzNsActionGroup | Azure action group |
| ConditionalOperator | Result Condition Evaluation criteria. |
| Criteria | Specifies the criteria for converting log to metric. |
| Dimension | Specifies the criteria for converting log to metric. |
| enabled | The flag which indicates whether the Log Search rule is enabled. Value should be true or false |
| ErrorContract | Describes the format of Error response. |
| ErrorResponse | Describes the format of Error response. |
| LogMetricTrigger | A log metrics trigger descriptor. |
| LogSearchRuleResource | The Log Search Rule resource. |
| LogToMetricAction | Specifies the action to be taken when the rule type is converting log to metric |
| metricTriggerType | Metric Trigger Type - 'Consecutive' or 'Total' |
| operator | Operator for dimension values |
| provisioningState | Provisioning state of the scheduled query rule |
| QueryType | Set value to 'ResultCount' |
| Schedule | Defines how often to run the search and the time interval. |
| Source | Specifies the log search query. |
| TriggerCondition | The condition that results in the Log Search rule. |

AlertingAction

Specifies the action to be taken when the rule type is Alert

| Name | Type | Description |
|---|---|---|
| aznsAction | AzNsActionGroup | Azure action group reference. |
| odata.type | string: Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction | Specifies the action. Supported values - AlertingAction, LogToMetricAction |
| severity | AlertSeverity | Severity of the alert |
| throttlingInMin | integer | Time (in minutes) for which alerts should be throttled or suppressed. |
| trigger | TriggerCondition | The trigger condition that results in the alert rule being. |

AlertSeverity

Severity Level of Alert

| Name | Type | Description |
|---|---|---|
| 0 | string |  |
| 1 | string |  |
| 2 | string |  |
| 3 | string |  |
| 4 | string |  |

AzNsActionGroup

Azure action group

| Name | Type | Description |
|---|---|---|
| actionGroup | string[] | Azure Action Group reference. |
| customWebhookPayload | string | Custom payload to be sent for all webhook URI in Azure action group |
| emailSubject | string | Custom subject override for all email ids in Azure action group |

ConditionalOperator

Result Condition Evaluation criteria.

| Name | Type | Description |
|---|---|---|
| Equal | string |  |
| GreaterThan | string |  |
| GreaterThanOrEqual | string |  |
| LessThan | string |  |
| LessThanOrEqual | string |  |

Criteria

Specifies the criteria for converting log to metric.

| Name | Type | Description |
|---|---|---|
| dimensions | Dimension[] | List of Dimensions for creating metric |
| metricName | string | Name of the metric |

Dimension

Specifies the criteria for converting log to metric.

| Name | Type | Description |
|---|---|---|
| name | string | Name of the dimension |
| operator | operator | Operator for dimension values |
| values | string[] | List of dimension values |

enabled

The flag which indicates whether the Log Search rule is enabled. Value should be true or false

| Name | Type | Description |
|---|---|---|
| false | string |  |
| true | string |  |

ErrorContract

Describes the format of Error response.

| Name | Type | Description |
|---|---|---|
| error | ErrorResponse | The error details. |

ErrorResponse

Describes the format of Error response.

| Name | Type | Description |
|---|---|---|
| code | string | Error code |
| message | string | Error message indicating why the operation failed. |

LogMetricTrigger

A log metrics trigger descriptor.

| Name | Type | Default value | Description |
|---|---|---|---|
| metricColumn | string |  | Evaluation of metric on a particular column |
| metricTriggerType | metricTriggerType | Consecutive | Metric Trigger Type - 'Consecutive' or 'Total' |
| threshold | number |  | The threshold of the metric trigger. |
| thresholdOperator | ConditionalOperator | GreaterThanOrEqual | Evaluation operation for Metric - 'GreaterThan' or 'LessThan' or 'Equal'. |

LogSearchRuleResource

The Log Search Rule resource.

| Name | Type | Default value | Description |
|---|---|---|---|
| etag | string |  | The etag field is not required. If it is provided in the response body, it must also be provided as a header per the normal etag convention. Entity tags are used for comparing two or more entities from the same requested resource. HTTP/1.1 uses entity tags in the etag (section 14.19), If-Match (section 14.24), If-None-Match (section 14.26), and If-Range (section 14.27) header fields. |
| id | string |  | Azure resource Id |
| kind | string |  | Metadata used by portal/tooling/etc to render different UX experiences for resources of the same type; e.g. ApiApps are a kind of Microsoft.Web/sites type. If supported, the resource provider must validate and persist this value. |
| location | string |  | Resource location |
| name | string |  | Azure resource name |
| properties.action | Action |  | Action needs to be taken on rule execution. |
| properties.autoMitigate | boolean | False | The flag that indicates whether the alert should be automatically resolved or not. The default is false. |
| properties.createdWithApiVersion | string |  | The api-version used when creating this alert rule |
| properties.description | string |  | The description of the Log Search rule. |
| properties.displayName | string |  | The display name of the alert rule |
| properties.enabled | enabled |  | The flag which indicates whether the Log Search rule is enabled. Value should be true or false |
| properties.isLegacyLogAnalyticsRule | boolean |  | True if alert rule is legacy Log Analytic rule |
| properties.lastUpdatedTime | string |  | Last time the rule was updated in ISO8601 format. |
| properties.provisioningState | provisioningState |  | Provisioning state of the scheduled query rule |
| properties.schedule | Schedule |  | Schedule (Frequency, Time Window) for rule. Required for action type - AlertingAction |
| properties.source | Source |  | Data Source against which rule will Query Data |
| tags | object |  | Resource tags |
| type | string |  | Azure resource type |

LogToMetricAction

Specifies the action to be taken when the rule type is converting log to metric

| Name | Type | Description |
|---|---|---|
| criteria | Criteria[] | Criteria of Metric |
| odata.type | string: Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.LogToMetricAction | Specifies the action. Supported values - AlertingAction, LogToMetricAction |

metricTriggerType

Metric Trigger Type - 'Consecutive' or 'Total'

| Name | Type | Description |
|---|---|---|
| Consecutive | string |  |
| Total | string |  |

operator

Operator for dimension values

| Name | Type | Description |
|---|---|---|
| Include | string |  |

provisioningState

Provisioning state of the scheduled query rule

| Name | Type | Description |
|---|---|---|
| Canceled | string |  |
| Deploying | string |  |
| Failed | string |  |
| Succeeded | string |  |

QueryType

Set value to 'ResultCount'

| Name | Type | Description |
|---|---|---|
| ResultCount | string |  |

Schedule

Defines how often to run the search and the time interval.

| Name | Type | Description |
|---|---|---|
| frequencyInMinutes | integer | Frequency (in minutes) at which rule condition should be evaluated. |
| timeWindowInMinutes | integer | Time window for which data needs to be fetched for query (should be greater than or equal to frequencyInMinutes). |

Source

Specifies the log search query.

| Name | Type | Description |
|---|---|---|
| authorizedResources | string[] | List of Resource referred into query |
| dataSourceId | string | The resource uri over which log search query is to be run. |
| query | string | Log search query. Required for action type - AlertingAction |
| queryType | QueryType | Set value to 'ResultCount'. |

TriggerCondition

The condition that results in the Log Search rule.

| Name | Type | Default value | Description |
|---|---|---|---|
| metricTrigger | LogMetricTrigger |  | Trigger condition for metric query rule |
| threshold | number |  | Result or count threshold based on which rule should be triggered. |
| thresholdOperator | ConditionalOperator | GreaterThanOrEqual | Evaluation operation for rule - 'GreaterThan' or 'LessThan'. |
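
The constraints stated in this reference (required `location`, `source` and `action`; `schedule` and `query` required for AlertingAction; `timeWindowInMinutes` no smaller than `frequencyInMinutes`; string enums for `enabled`, severity and the operators) can be checked before a body is sent to the PUT endpoint. The Python linter below is an added example, not part of the original reference or of any Microsoft SDK. `lint_rule`, the message texts and the `GOOD`/`BAD` sample bodies are names and data constructed here.

```python
import copy

ODATA = ("Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft."
         "AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.")
SEVERITIES = ("0", "1", "2", "3", "4")                       # AlertSeverity
OPERATORS = ("Equal", "GreaterThan", "GreaterThanOrEqual",
             "LessThan", "LessThanOrEqual")                  # ConditionalOperator


def lint_rule(body):
    """Return (errors, warnings) for a scheduledQueryRules PUT body (a dict)."""
    err, warn = [], []
    props = body.get("properties") or {}
    source, action = props.get("source") or {}, props.get("action") or {}
    if not body.get("location"):
        err.append("location is required")
    if not source:
        err.append("properties.source is required")
    if props.get("enabled", "true") not in ("true", "false"):  # string enum, not a bool
        err.append("properties.enabled must be the string 'true' or 'false'")
    if props.get("enabled") == "false":
        warn.append("rule is disabled and will not be evaluated")
    kind = action.get("odata.type", "")
    if kind == ODATA + "LogToMetricAction":
        return err, warn  # schedule and query are only required for AlertingAction
    if kind != ODATA + "AlertingAction":
        return err + ["properties.action needs a supported odata.type"], warn
    sched = props.get("schedule") or {}
    freq, window = sched.get("frequencyInMinutes"), sched.get("timeWindowInMinutes")
    if not isinstance(freq, int) or not isinstance(window, int):
        err.append("properties.schedule with integer minutes is required")
    elif window < freq:
        err.append("timeWindowInMinutes must be >= frequencyInMinutes")
    if not source.get("query"):
        err.append("source.query is required for AlertingAction")
    if "severity" in action and action["severity"] not in SEVERITIES:
        err.append("action.severity must be one of the strings '0' to '4'")
    trigger = action.get("trigger") or {}
    for name, cond in (("trigger", trigger), ("metricTrigger", trigger.get("metricTrigger") or {})):
        if cond.get("thresholdOperator", "GreaterThanOrEqual") not in OPERATORS:
            err.append(f"{name}.thresholdOperator is not a ConditionalOperator")
    if not (action.get("aznsAction") or {}).get("actionGroup"):
        warn.append("no action group is invoked when the alert fires")
    if action.get("throttlingInMin"):
        warn.append(f"alerts are suppressed for {action['throttlingInMin']} minutes")
    return err, warn


# Constructed samples: GOOD follows the first sample request on this page with a
# placeholder dataSourceId; BAD is the same body with deliberate mistakes.
GOOD = {"location": "eastus", "properties": {"enabled": "true",
    "source": {"query": "Heartbeat | summarize AggregatedValue = count() by bin(TimeGenerated, 5m)",
               "dataSourceId": "<workspace-resource-id>", "queryType": "ResultCount"},
    "schedule": {"frequencyInMinutes": 15, "timeWindowInMinutes": 15},
    "action": {"odata.type": ODATA + "AlertingAction", "severity": "1",
               "aznsAction": {"actionGroup": [], "emailSubject": "Email Header"},
               "trigger": {"thresholdOperator": "GreaterThan", "threshold": 3}}}}
BAD = copy.deepcopy(GOOD)
BAD["properties"].update(enabled=True, schedule={"frequencyInMinutes": 60, "timeWindowInMinutes": 15})
BAD["properties"]["action"].update(severity=1, throttlingInMin=1440)

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_rule(body))
```

The page's own first sample passes the schema checks but still draws a warning, because its `actionGroup` array is empty.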