Azure 日志分析。使用 ARM 模板创建警报规则

Azure Log Analytics. Create Alert Rules with ARM Template

我正在尝试使用 ARM 模板创建警报规则。但是,当我部署在文档中找到的示例时,部署报告成功,但似乎没有创建任何警报。我使用的模板与文档中的模板相同:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "metadata": {
        "Description": "Name of Log Analytics workspace"
      }
    },
    "accountName": {
      "type": "string",
      "metadata": {
        "Description": "Name of Automation account"
      }
    },
    "workspaceregionId": {
      "type": "string",
      "metadata": {
        "Description": "Region of Log Analytics workspace"
      }
    },
    "regionId": {
      "type": "string",
      "metadata": {
        "Description": "Region of Automation account"
      }
    },
    "pricingTier": {
      "type": "string",
      "metadata": {
        "Description": "Pricing tier of both Log Analytics workspace and Azure Automation account"
      }
    },
    "recipients": {
      "type": "string",
      "metadata": {
        "Description": "List of recipients for the email alert separated by semicolon"
      }
    }
  },
  "variables": {
    "SolutionName": "MySolution",
    "SolutionVersion": "1.0",
    "SolutionPublisher": "Contoso",
    "ProductName": "SampleSolution",

    "LogAnalyticsApiVersion": "2015-11-01-preview",

    "MySearch": {
      "displayName": "Error records by hour",
      "query": "Type=MyRecord_CL | measure avg(Rating_d) by Instance_s interval 60minutes",
      "category": "Samples",
      "name": "Samples-Count of data"
    },
    "MyAlert": {
      "Name": "[toLower(concat('myalert-',uniqueString(resourceGroup().id, deployment().name)))]",
      "DisplayName": "My alert rule",
      "Description": "Sample alert.  Fires when 3 error records found over hour interval.",
      "Severity": "Critical",
      "ThresholdOperator": "gt",
      "ThresholdValue": 3,
      "Schedule": {
        "Name": "[toLower(concat('myschedule-',uniqueString(resourceGroup().id, deployment().name)))]",
        "Interval": 15,
        "TimeSpan": 60
      },
      "MetricsTrigger": {
        "TriggerCondition": "Consecutive",
        "Operator": "gt",
        "Value": 3
      },
      "ThrottleMinutes": 60,
      "Notification": {
        "Recipients": [
          "[parameters('recipients')]"
        ],
        "Subject": "Sample alert"
      },
      "Remediation": {
        "RunbookName": "MyRemediationRunbook",
        "WebhookUri": "https://s1events.azure-automation.net/webhooks?token=TluBFH3GpX4IEAnFoImoAWLTULkjD%2bTS0yscyrr7ogw%3d"
      },
      "Webhook": {
        "Name": "MyWebhook",
        "Uri": "https://MyService.com/webhook",
        "Payload": "{\"field1\":\"value1\",\"field2\":\"value2\"}"
      }
    }
  },
  "resources": [
    {
      "name": "[concat(variables('SolutionName'), '[' ,parameters('workspaceName'), ']')]",
      "location": "[parameters('workspaceRegionId')]",
      "tags": {},
      "type": "Microsoft.OperationsManagement/solutions",
      "apiVersion": "[variables('LogAnalyticsApiVersion')]",
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspaceName'), variables('MySearch').Name)]",
        "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
        "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]",
        "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Webhook.Name)]"
      ],
      "properties": {
        "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]",
        "referencedResources": [
        ],
        "containedResources": [
          "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspaceName'), variables('MySearch').Name)]",
          "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
          "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]",
          "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Webhook.Name)]"
        ]
      },
      "plan": {
        "name": "[concat(variables('SolutionName'), '[' ,parameters('workspaceName'), ']')]",
        "Version": "[variables('SolutionVersion')]",
        "product": "[variables('ProductName')]",
        "publisher": "[variables('SolutionPublisher')]",
        "promotionCode": ""
      }
    },
    {
      "name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name)]",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "[variables('LogAnalyticsApiVersion')]",
      "dependsOn": [],
      "tags": {},
      "properties": {
        "etag": "*",
        "query": "[variables('MySearch').query]",
        "displayName": "[variables('MySearch').displayName]",
        "category": "[variables('MySearch').category]"
      }
    },
    {
      "name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name)]",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/",
      "apiVersion": "[variables('LogAnalyticsApiVersion')]",
      "dependsOn": [
        "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name)]"
      ],
      "properties": {
        "etag": "*",
        "interval": "[variables('MyAlert').Schedule.Interval]",
        "queryTimeSpan": "[variables('MyAlert').Schedule.TimeSpan]",
        "enabled": true
      }
    },
    {
      "name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/',  variables('MyAlert').Schedule.Name, '/',  variables('MyAlert').Name)]",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
      "apiVersion": "[variables('LogAnalyticsApiVersion')]",
      "dependsOn": [
        "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/',  variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name)]"
      ],
      "properties": {
        "etag": "*",
        "Type": "Alert",
        "Name": "[variables('MyAlert').DisplayName]",
        "Description": "[variables('MyAlert').Description]",
        "Severity": "[variables('MyAlert').Severity]",
        "Threshold": {
          "Operator": "[variables('MyAlert').ThresholdOperator]",
          "Value": "[variables('MyAlert').ThresholdValue]",
          "MetricsTrigger": {
            "TriggerCondition": "[variables('MyAlert').MetricsTrigger.TriggerCondition]",
            "Operator": "[variables('MyAlert').MetricsTrigger.Operator]",
            "Value": "[variables('MyAlert').MetricsTrigger.Value]"
          }
        },
        "Throttling": {
          "DurationInMinutes": "[variables('MyAlert').ThrottleMinutes]"
        },
        "EmailNotification": {
          "Recipients": "[variables('MyAlert').Notification.Recipients]",
          "Subject": "[variables('MyAlert').Notification.Subject]",
          "Attachment": "None"
        },
        "Remediation": {
          "RunbookName": "[variables('MyAlert').Remediation.RunbookName]",
          "WebhookUri": "[variables('MyAlert').Remediation.WebhookUri]"
        }
      }
    },
    {
      "name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name, '/', variables('MyAlert').Webhook.Name)]",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
      "apiVersion": "[variables('LogAnalyticsApiVersion')]",
      "dependsOn": [
        "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name)]",
        "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name, '/actions/',variables('MyAlert').Name)]"
      ],
      "properties": {
        "etag": "*",
        "Type": "Webhook",
        "Name": "[variables('MyAlert').Webhook.Name]",
        "WebhookUri": "[variables('MyAlert').Webhook.Uri]",
        "CustomPayload": "[variables('MyAlert').Webhook.Payload]"
      }
    }
  ]
}

参数文件为:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
  "parameters": {
    "accountName": {
      "value": "test-dev-automation113"
    },
    "workspaceregionId": {
      "value": "West Europe"
    },
    "regionId": {
      "value": "West Europe"
    },
    "pricingTier": {
      "value": "Free"
    },
    "recipients": {
      "value": "myemail@outlook.com"
    },
      "workspaceName": {
          "value": "test-dev-oms113"
      }
  }
}

在部署模板之前,我创建了名为 "test-dev-automation113" 的 Log Analytics 工作区和名为 "test-dev-automation113" 的 Automation 帐户。非常感谢任何关于它为何不起作用的建议。

 {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0",
    "parameters": {
      "workspaceName": {
        "type": "string",
        "metadata": {
          "Description": "Name of Log Analytics workspace"
        }
      },
      "workspaceregionId": {
        "type": "string",
        "metadata": {
          "Description": "Region of Log Analytics workspace"
        }
      },
      "actiongroup": {
        "type": "string",
        "metadata": {
          "Description": "List of action groups for alert actions separated by semicolon"
        }
      }
    },
    "variables": {
      "SolutionName": "SolutionTest",
      "SolutionVersion": "1.0",
      "SolutionPublisher": "SolutionTesters",
      "ProductName": "SolutionTest1",

      "LogAnalyticsApiVersion": "2017-03-03-preview",

      "MySearch": {
        "displayName": "Processor over 70%",
        "query": 'Perf | where ObjectName=="Processor" and CounterName=="% Processor Time" and CounterValue>70',
        "category": "Samples",
        "name": "Samples-Count of data"
      },
      "MyAlert": {
        "Name": "[toLower(concat('myalert-',uniqueString(resourceGroup().id, deployment().name)))]",
        "DisplayName": "Processor over 70%",
        "Description": "Processor alert.  Fires when 3 error records found over hour interval.",
        "Severity": "Critical",
        "ThresholdOperator": "gt",
        "ThresholdValue": 3,
        "Schedule": {
          "Name": "[toLower(concat('myschedule-',uniqueString(resourceGroup().id, deployment().name)))]",
          "Interval": 15,
          "TimeSpan": 60
        },
        "MetricsTrigger": {
          "TriggerCondition": "Consecutive",
          "Operator": "gt",
          "Value": 3
        },
        "ThrottleMinutes": 60,
        "AzNsNotification": {
          "GroupIds": [
            "[parameters('actiongroup')]"
          ],
          "CustomEmailSubject": "Sample alert for processor query"
        }
      }
    },
    "resources": [
      {
        "name": "[concat(variables('SolutionName'), '[' ,parameters('workspacename'), ']')]",
        "location": "[parameters('workspaceRegionId')]",
        "tags": { },
        "type": "Microsoft.OperationsManagement/solutions",
        "apiVersion": "2015-11-01-preview",
        "dependsOn": [
          "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspacename'), variables('MySearch').Name)]",
          "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
          "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]",
        ],
        "properties": {
          "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspacename'))]",
          "referencedResources": [
          ],
          "containedResources": [
            "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspacename'), variables('MySearch').Name)]",
            "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
            "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]"
          ]
        },
        "plan": {
          "name": "[concat(variables('SolutionName'), '[' ,parameters('workspaceName'), ']')]",
          "Version": "[variables('SolutionVersion')]",
          "product": "[variables('ProductName')]",
          "publisher": "[variables('SolutionPublisher')]",
          "promotionCode": ""
        }
      },
      {
        "name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name)]",
        "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
        "apiVersion": "[variables('LogAnalyticsApiVersion')]",
        "dependsOn": [ ],
        "tags": { },
        "properties": {
          "etag": "*",
          "query": "[variables('MySearch').query]",
          "displayName": "[variables('MySearch').displayName]",
          "category": "[variables('MySearch').category]"
        }
      },
      {
        "name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name)]",
        "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/",
        "apiVersion": "[variables('LogAnalyticsApiVersion')]",
        "dependsOn": [
          "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name)]"
        ],
        "properties": {
          "etag": "*",
          "interval": "[variables('MyAlert').Schedule.Interval]",
          "queryTimeSpan": "[variables('MyAlert').Schedule.TimeSpan]",
          "enabled": true
        }
      },
      {
        "name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/',  variables('MyAlert').Schedule.Name, '/',  variables('MyAlert').Name)]",
        "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
        "apiVersion": "[variables('LogAnalyticsApiVersion')]",
        "dependsOn": [
          "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/',  variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name)]"
        ],
        "properties": {
          "etag": "*",
          "Type": "Alert",
          "Name": "[variables('MyAlert').DisplayName]",
          "Description": "[variables('MyAlert').Description]",
          "Severity": "[variables('MyAlert').Severity]",
          "Threshold": {
            "Operator": "[variables('MyAlert').ThresholdOperator]",
            "Value": "[variables('MyAlert').ThresholdValue]",
            "MetricsTrigger": {
              "TriggerCondition": "[variables('MyAlert').MetricsTrigger.TriggerCondition]",
              "Operator": "[variables('MyAlert').MetricsTrigger.Operator]",
              "Value": "[variables('MyAlert').MetricsTrigger.Value]"
            }
          },
          "Throttling": {
            "DurationInMinutes": "[variables('MyAlert').ThrottleMinutes]"
          },
        "AzNsNotification": {
          "GroupIds": "[variables('MyAlert').AzNsNotification.GroupIds]",
          "CustomEmailSubject": "[variables('MyAlert').AzNsNotification.CustomEmailSubject]"
        }             
        }
      }
    ]
}

下面是参数文件

 {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspacename": {
            "value": "WorkspaceName"
        },
          "workspaceregionId": {
            "value": "westeurope"
        },
        "actiongroup": {
            "value": "/subscriptions/<SubID>/resourcegroups/<ResourceGroupName>/providers/microsoft.insights/actiongroups/<ActionGroupName>"
        }
    }
}

要在 Log Analytics 工作区中创建自定义日志查询警报,请使用计划查询规则(scheduledQueryRules)创建模板,API 版本为 2018-04-16。参考: