Exemplos de modelo do Resource Manager para regras de alerta de pesquisa de log no Azure Monitor

Este artigo inclui exemplos de modelos do Azure Resource Manager para criar e configurar alertas de pesquisa de log no Azure Monitor. Cada amostra inclui um arquivo de modelo e um arquivo de parâmetros com valores de amostra para fornecer ao modelo.


Consulte Amostras do Azure Resource Manager do Azure Monitor para obter uma lista de amostras disponíveis e diretrizes sobre como implantá-las em sua assinatura do Azure.


O tamanho combinado de todos os dados nas propriedades da regra de alerta de log não pode exceder 64 KB. Isto pode ser causado por um excesso de dimensões, a consulta ser muito grande, um excesso de grupos de ações ou uma descrição longa. Ao criar uma regra de alerta grande, lembre-se de otimizar essas áreas.

Modelo para todos os tipos de recursos (a partir da versão 2021-08-01)

O exemplo a seguir cria uma regra que pode ter como destino qualquer recurso.

@description('Name of the alert')
param alertName string

@description('Location of the alert')
param location string

@description('Description of alert')
param alertDescription string = 'This is a metric alert'

@description('Severity of alert {0,1,2,3,4}')
param alertSeverity int = 3

@description('Specifies whether the alert is enabled')
param isEnabled bool = true

@description('Specifies whether the alert will automatically resolve')
param autoMitigate bool = true

@description('Specifies whether to check linked storage and fail creation if the storage was not found')
param checkWorkspaceAlertsStorageConfigured bool = false

@description('Full Resource ID of the resource emitting the metric that will be used for the comparison. For example /subscriptions/00000000-0000-0000-0000-0000-00000000/resourceGroups/ResourceGroupName/providers/Microsoft.compute/virtualMachines/VM_xyz')
param resourceId string

@description('Name of the metric used in the comparison to activate the alert.')
param query string

@description('Name of the measure column used in the alert evaluation.')
param metricMeasureColumn string

@description('Name of the resource ID column used in the alert targeting the alerts.')
param resourceIdColumn string

@description('Operator comparing the current value with the threshold value.')
param operator string = 'GreaterThan'

@description('The threshold value at which the alert is activated.')
param threshold int = 0

@description('The number of periods to check in the alert evaluation.')
param numberOfEvaluationPeriods int = 1

@description('The number of unhealthy periods to alert on (must be lower or equal to numberOfEvaluationPeriods).')
param minFailingPeriodsToAlert int = 1

@description('How the data that is collected should be combined over time.')
param timeAggregation string = 'Average'

@description('Period of time used to monitor alert activity based on the threshold. Must be between one minute and one day. ISO 8601 duration format.')
param windowSize string = 'PT5M'

@description('how often the metric alert is evaluated represented in ISO 8601 duration format')
param evaluationFrequency string = 'PT5M'

@description('Mute actions for the chosen period of time (in ISO 8601 duration format) after the alert is fired.')
param muteActionsDuration string

@description('The ID of the action group that is triggered when the alert is activated or deactivated')
param actionGroupId string = ''

resource alert 'Microsoft.Insights/scheduledQueryRules@2021-08-01' = {
  name: alertName
  location: location
  tags: {}
  properties: {
    description: alertDescription
    severity: alertSeverity
    enabled: isEnabled
    scopes: [
    evaluationFrequency: evaluationFrequency
    windowSize: windowSize
    criteria: {
      allOf: [
          query: query
          metricMeasureColumn: metricMeasureColumn
          resourceIdColumn: resourceIdColumn
          dimensions: []
          operator: operator
          threshold: threshold
          timeAggregation: timeAggregation
          failingPeriods: {
            numberOfEvaluationPeriods: numberOfEvaluationPeriods
            minFailingPeriodsToAlert: minFailingPeriodsToAlert
    muteActionsDuration: muteActionsDuration
    autoMitigate: autoMitigate
    checkWorkspaceAlertsStorageConfigured: checkWorkspaceAlertsStorageConfigured
    actions: {
      actionGroups: [
      customProperties: {
        key1: 'value1'
        key2: 'value2'

Arquivo de parâmetro.

  "$schema": "",
  "contentVersion": "",
  "parameters": {
    "alertName": {
      "value": "New Alert"
    "location": {
      "value": "eastus"
    "alertDescription": {
      "value": "New alert created via template"
    "alertSeverity": {
    "isEnabled": {
      "value": true
    "resourceId": {
      "value": "/subscriptions/replace-with-subscription-id/resourceGroups/replace-with-resourceGroup-name/providers/Microsoft.Compute/virtualMachines/replace-with-resource-name"
    "query": {
      "value": "Perf | where ObjectName == \"Processor\" and CounterName == \"% Processor Time\""
    "metricMeasureColumn": {
      "value": "AggregatedValue"
    "operator": {
      "value": "GreaterThan"
    "threshold": {
      "value": 80
    "timeAggregation": {
      "value": "Average"
    "actionGroupId": {
      "value": "/subscriptions/replace-with-subscription-id/resourceGroups/resource-group-name/providers/Microsoft.Insights/actionGroups/replace-with-action-group"

Modelo de número de resultados (até a versão 2018-04-16)

A amostra a seguir cria uma regra de alerta de número de resultados.


  • Esta amostra inclui um conteúdo de webhook. Se a regra de alerta não deve disparar um webhook, remova o elemento customWebhookPayload.

Arquivo de modelo

@description('Resource ID of the Log Analytics workspace.')
param sourceId string = ''

@description('Location for the alert. Must be the same location as the workspace.')
param location string = ''

@description('The ID of the action group that is triggered when the alert is activated.')
param actionGroupId string = ''

resource logQueryAlert 'Microsoft.Insights/scheduledQueryRules@2018-04-16' = {
  name: 'Sample log query alert'
  location: location
  properties: {
    description: 'Sample log query alert'
    enabled: 'true'
    source: {
      query: 'Event | where EventLevelName == "Error" | summarize count() by Computer'
      dataSourceId: sourceId
      queryType: 'ResultCount'
    schedule: {
      frequencyInMinutes: 15
      timeWindowInMinutes: 60
    action: {
      'odata.type': 'Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction'
      severity: '4'
      aznsAction: {
        actionGroup: array(actionGroupId)
        emailSubject: 'Alert mail subject'
        customWebhookPayload: '{ "alertname":"#alertrulename", "IncludeSearchResults":true }'
      trigger: {
        thresholdOperator: 'GreaterThan'
        threshold: 1

Arquivo de parâmetro.

  "$schema": "",
  "contentVersion": "",
  "parameters": {
    "sourceId": {
      "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/bw-samples-arm/providers/microsoft.operationalinsights/workspaces/bw-arm-01"
    "location": {
      "value": "westus"
    "actionGroupId": {
      "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/bw-samples-arm/providers/microsoft.insights/actionGroups/ARM samples group 01"

Modelo de medição de métrica (até a versão 2018-04-16)

A amostra a seguir cria uma regra de alerta com medição métrica.

Arquivo de modelo

@description('Resource ID of the Log Analytics workspace.')
param sourceId string = ''

@description('Location for the alert. Must be the same location as the workspace.')
param location string = ''

@description('The ID of the action group that is triggered when the alert is activated.')
param actionGroupId string = ''

resource metricMeasurementLogQueryAlert 'Microsoft.Insights/scheduledQueryRules@2018-04-16' = {
  name: 'Sample metric measurement log query alert'
  location: location
  properties: {
    description: 'Sample metric measurement query alert rule'
    enabled: 'true'
    source: {
      query: 'Event | where EventLevelName == "Error" | summarize AggregatedValue = count() by bin(TimeGenerated,1h), Computer'
      dataSourceId: sourceId
      queryType: 'ResultCount'
    schedule: {
      frequencyInMinutes: 15
      timeWindowInMinutes: 60
    action: {
      'odata.type': 'Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction'
      severity: '4'
      aznsAction: {
        actionGroup: array(actionGroupId)
        emailSubject: 'Alert mail subject'
      trigger: {
        thresholdOperator: 'GreaterThan'
        threshold: 10
        metricTrigger: {
          thresholdOperator: 'Equal'
          threshold: 1
          metricTriggerType: 'Consecutive'
          metricColumn: 'Computer'

Arquivo de parâmetro.

  "$schema": "",
  "contentVersion": "",
  "parameters": {
    "sourceId": {
      "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/bw-samples-arm/providers/microsoft.operationalinsights/workspaces/bw-arm-01"
    "location": {
      "value": "westus"
    "actionGroupId": {
      "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/bw-samples-arm/providers/microsoft.insights/actionGroups/ARM samples group 01"

