Azure 日志分析。使用 ARM 模板创建警报规则
Azure Log Analytics. Create Alert Rules with ARM Template
我正在尝试使用 ARM 模板创建警报规则。但是,当我部署在 documentation 中找到的示例时,它报告成功但似乎没有创建任何警报。
我使用的模板与文档中的模板相同:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0",
"parameters": {
"workspaceName": {
"type": "string",
"metadata": {
"Description": "Name of Log Analytics workspace"
}
},
"accountName": {
"type": "string",
"metadata": {
"Description": "Name of Automation account"
}
},
"workspaceregionId": {
"type": "string",
"metadata": {
"Description": "Region of Log Analytics workspace"
}
},
"regionId": {
"type": "string",
"metadata": {
"Description": "Region of Automation account"
}
},
"pricingTier": {
"type": "string",
"metadata": {
"Description": "Pricing tier of both Log Analytics workspace and Azure Automation account"
}
},
"recipients": {
"type": "string",
"metadata": {
"Description": "List of recipients for the email alert separated by semicolon"
}
}
},
"variables": {
"SolutionName": "MySolution",
"SolutionVersion": "1.0",
"SolutionPublisher": "Contoso",
"ProductName": "SampleSolution",
"LogAnalyticsApiVersion": "2015-11-01-preview",
"MySearch": {
"displayName": "Error records by hour",
"query": "Type=MyRecord_CL | measure avg(Rating_d) by Instance_s interval 60minutes",
"category": "Samples",
"name": "Samples-Count of data"
},
"MyAlert": {
"Name": "[toLower(concat('myalert-',uniqueString(resourceGroup().id, deployment().name)))]",
"DisplayName": "My alert rule",
"Description": "Sample alert. Fires when 3 error records found over hour interval.",
"Severity": "Critical",
"ThresholdOperator": "gt",
"ThresholdValue": 3,
"Schedule": {
"Name": "[toLower(concat('myschedule-',uniqueString(resourceGroup().id, deployment().name)))]",
"Interval": 15,
"TimeSpan": 60
},
"MetricsTrigger": {
"TriggerCondition": "Consecutive",
"Operator": "gt",
"Value": 3
},
"ThrottleMinutes": 60,
"Notification": {
"Recipients": [
"[parameters('recipients')]"
],
"Subject": "Sample alert"
},
"Remediation": {
"RunbookName": "MyRemediationRunbook",
"WebhookUri": "https://s1events.azure-automation.net/webhooks?token=TluBFH3GpX4IEAnFoImoAWLTULkjD%2bTS0yscyrr7ogw%3d"
},
"Webhook": {
"Name": "MyWebhook",
"Uri": "https://MyService.com/webhook",
"Payload": "{\"field1\":\"value1\",\"field2\":\"value2\"}"
}
}
},
"resources": [
{
"name": "[concat(variables('SolutionName'), '[' ,parameters('workspaceName'), ']')]",
"location": "[parameters('workspaceRegionId')]",
"tags": {},
"type": "Microsoft.OperationsManagement/solutions",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspaceName'), variables('MySearch').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Webhook.Name)]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]",
"referencedResources": [
],
"containedResources": [
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspaceName'), variables('MySearch').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Webhook.Name)]"
]
},
"plan": {
"name": "[concat(variables('SolutionName'), '[' ,parameters('workspaceName'), ']')]",
"Version": "[variables('SolutionVersion')]",
"product": "[variables('ProductName')]",
"publisher": "[variables('SolutionPublisher')]",
"promotionCode": ""
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [],
"tags": {},
"properties": {
"etag": "*",
"query": "[variables('MySearch').query]",
"displayName": "[variables('MySearch').displayName]",
"category": "[variables('MySearch').category]"
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name)]"
],
"properties": {
"etag": "*",
"interval": "[variables('MyAlert').Schedule.Interval]",
"queryTimeSpan": "[variables('MyAlert').Schedule.TimeSpan]",
"enabled": true
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name, '/', variables('MyAlert').Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name)]"
],
"properties": {
"etag": "*",
"Type": "Alert",
"Name": "[variables('MyAlert').DisplayName]",
"Description": "[variables('MyAlert').Description]",
"Severity": "[variables('MyAlert').Severity]",
"Threshold": {
"Operator": "[variables('MyAlert').ThresholdOperator]",
"Value": "[variables('MyAlert').ThresholdValue]",
"MetricsTrigger": {
"TriggerCondition": "[variables('MyAlert').MetricsTrigger.TriggerCondition]",
"Operator": "[variables('MyAlert').MetricsTrigger.Operator]",
"Value": "[variables('MyAlert').MetricsTrigger.Value]"
}
},
"Throttling": {
"DurationInMinutes": "[variables('MyAlert').ThrottleMinutes]"
},
"EmailNotification": {
"Recipients": "[variables('MyAlert').Notification.Recipients]",
"Subject": "[variables('MyAlert').Notification.Subject]",
"Attachment": "None"
},
"Remediation": {
"RunbookName": "[variables('MyAlert').Remediation.RunbookName]",
"WebhookUri": "[variables('MyAlert').Remediation.WebhookUri]"
}
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name, '/', variables('MyAlert').Webhook.Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name)]",
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name, '/actions/',variables('MyAlert').Name)]"
],
"properties": {
"etag": "*",
"Type": "Webhook",
"Name": "[variables('MyAlert').Webhook.Name]",
"WebhookUri": "[variables('MyAlert').Webhook.Uri]",
"CustomPayload": "[variables('MyAlert').Webhook.Payload]"
}
}
]
}
参数文件为:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"accountName": {
"value": "test-dev-automation113"
},
"workspaceregionId": {
"value": "West Europe"
},
"regionId": {
"value": "West Europe"
},
"pricingTier": {
"value": "Free"
},
"recipients": {
"value": "myemail@outlook.com"
},
"workspaceName": {
"value": "test-dev-oms113"
}
}
}
在部署模板之前,我创建了名为 "test-dev-automation113" 的 Log Analytics 和名为 "test-dev-automation113" 的 Automaion 帐户。非常感谢任何关于它为何不起作用的建议。
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0",
"parameters": {
"workspaceName": {
"type": "string",
"metadata": {
"Description": "Name of Log Analytics workspace"
}
},
"workspaceregionId": {
"type": "string",
"metadata": {
"Description": "Region of Log Analytics workspace"
}
},
"actiongroup": {
"type": "string",
"metadata": {
"Description": "List of action groups for alert actions separated by semicolon"
}
}
},
"variables": {
"SolutionName": "SolutionTest",
"SolutionVersion": "1.0",
"SolutionPublisher": "SolutionTesters",
"ProductName": "SolutionTest1",
"LogAnalyticsApiVersion": "2017-03-03-preview",
"MySearch": {
"displayName": "Processor over 70%",
"query": 'Perf | where ObjectName=="Processor" and CounterName=="% Processor Time" and CounterValue>70',
"category": "Samples",
"name": "Samples-Count of data"
},
"MyAlert": {
"Name": "[toLower(concat('myalert-',uniqueString(resourceGroup().id, deployment().name)))]",
"DisplayName": "Processor over 70%",
"Description": "Processor alert. Fires when 3 error records found over hour interval.",
"Severity": "Critical",
"ThresholdOperator": "gt",
"ThresholdValue": 3,
"Schedule": {
"Name": "[toLower(concat('myschedule-',uniqueString(resourceGroup().id, deployment().name)))]",
"Interval": 15,
"TimeSpan": 60
},
"MetricsTrigger": {
"TriggerCondition": "Consecutive",
"Operator": "gt",
"Value": 3
},
"ThrottleMinutes": 60,
"AzNsNotification": {
"GroupIds": [
"[parameters('actiongroup')]"
],
"CustomEmailSubject": "Sample alert for processor query"
}
}
},
"resources": [
{
"name": "[concat(variables('SolutionName'), '[' ,parameters('workspacename'), ']')]",
"location": "[parameters('workspaceRegionId')]",
"tags": { },
"type": "Microsoft.OperationsManagement/solutions",
"apiVersion": "2015-11-01-preview",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspacename'), variables('MySearch').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]",
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspacename'))]",
"referencedResources": [
],
"containedResources": [
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspacename'), variables('MySearch').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]"
]
},
"plan": {
"name": "[concat(variables('SolutionName'), '[' ,parameters('workspaceName'), ']')]",
"Version": "[variables('SolutionVersion')]",
"product": "[variables('ProductName')]",
"publisher": "[variables('SolutionPublisher')]",
"promotionCode": ""
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [ ],
"tags": { },
"properties": {
"etag": "*",
"query": "[variables('MySearch').query]",
"displayName": "[variables('MySearch').displayName]",
"category": "[variables('MySearch').category]"
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name)]"
],
"properties": {
"etag": "*",
"interval": "[variables('MyAlert').Schedule.Interval]",
"queryTimeSpan": "[variables('MyAlert').Schedule.TimeSpan]",
"enabled": true
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name, '/', variables('MyAlert').Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name)]"
],
"properties": {
"etag": "*",
"Type": "Alert",
"Name": "[variables('MyAlert').DisplayName]",
"Description": "[variables('MyAlert').Description]",
"Severity": "[variables('MyAlert').Severity]",
"Threshold": {
"Operator": "[variables('MyAlert').ThresholdOperator]",
"Value": "[variables('MyAlert').ThresholdValue]",
"MetricsTrigger": {
"TriggerCondition": "[variables('MyAlert').MetricsTrigger.TriggerCondition]",
"Operator": "[variables('MyAlert').MetricsTrigger.Operator]",
"Value": "[variables('MyAlert').MetricsTrigger.Value]"
}
},
"Throttling": {
"DurationInMinutes": "[variables('MyAlert').ThrottleMinutes]"
},
"AzNsNotification": {
"GroupIds": "[variables('MyAlert').AzNsNotification.GroupIds]",
"CustomEmailSubject": "[variables('MyAlert').AzNsNotification.CustomEmailSubject]"
}
}
}
]
}
下面是参数文件
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspacename": {
"value": "WorkspaceName"
},
"workspaceregionId": {
"value": "westeurope"
},
"actiongroup": {
"value": "/subscriptions/<SubID>/resourcegroups/<ResourceGroupName>/providers/microsoft.insights/actiongroups/<ActionGroupName>"
}
}
}
要在日志分析工作区中创建自定义日志查询警报,请使用计划查询规则创建模板,API 版本 - 2018-04-16。参考:
我正在尝试使用 ARM 模板创建警报规则。但是,当我部署在 documentation 中找到的示例时,它报告成功但似乎没有创建任何警报。
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0",
"parameters": {
"workspaceName": {
"type": "string",
"metadata": {
"Description": "Name of Log Analytics workspace"
}
},
"accountName": {
"type": "string",
"metadata": {
"Description": "Name of Automation account"
}
},
"workspaceregionId": {
"type": "string",
"metadata": {
"Description": "Region of Log Analytics workspace"
}
},
"regionId": {
"type": "string",
"metadata": {
"Description": "Region of Automation account"
}
},
"pricingTier": {
"type": "string",
"metadata": {
"Description": "Pricing tier of both Log Analytics workspace and Azure Automation account"
}
},
"recipients": {
"type": "string",
"metadata": {
"Description": "List of recipients for the email alert separated by semicolon"
}
}
},
"variables": {
"SolutionName": "MySolution",
"SolutionVersion": "1.0",
"SolutionPublisher": "Contoso",
"ProductName": "SampleSolution",
"LogAnalyticsApiVersion": "2015-11-01-preview",
"MySearch": {
"displayName": "Error records by hour",
"query": "Type=MyRecord_CL | measure avg(Rating_d) by Instance_s interval 60minutes",
"category": "Samples",
"name": "Samples-Count of data"
},
"MyAlert": {
"Name": "[toLower(concat('myalert-',uniqueString(resourceGroup().id, deployment().name)))]",
"DisplayName": "My alert rule",
"Description": "Sample alert. Fires when 3 error records found over hour interval.",
"Severity": "Critical",
"ThresholdOperator": "gt",
"ThresholdValue": 3,
"Schedule": {
"Name": "[toLower(concat('myschedule-',uniqueString(resourceGroup().id, deployment().name)))]",
"Interval": 15,
"TimeSpan": 60
},
"MetricsTrigger": {
"TriggerCondition": "Consecutive",
"Operator": "gt",
"Value": 3
},
"ThrottleMinutes": 60,
"Notification": {
"Recipients": [
"[parameters('recipients')]"
],
"Subject": "Sample alert"
},
"Remediation": {
"RunbookName": "MyRemediationRunbook",
"WebhookUri": "https://s1events.azure-automation.net/webhooks?token=TluBFH3GpX4IEAnFoImoAWLTULkjD%2bTS0yscyrr7ogw%3d"
},
"Webhook": {
"Name": "MyWebhook",
"Uri": "https://MyService.com/webhook",
"Payload": "{\"field1\":\"value1\",\"field2\":\"value2\"}"
}
}
},
"resources": [
{
"name": "[concat(variables('SolutionName'), '[' ,parameters('workspaceName'), ']')]",
"location": "[parameters('workspaceRegionId')]",
"tags": {},
"type": "Microsoft.OperationsManagement/solutions",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspaceName'), variables('MySearch').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Webhook.Name)]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]",
"referencedResources": [
],
"containedResources": [
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspaceName'), variables('MySearch').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspaceName'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Webhook.Name)]"
]
},
"plan": {
"name": "[concat(variables('SolutionName'), '[' ,parameters('workspaceName'), ']')]",
"Version": "[variables('SolutionVersion')]",
"product": "[variables('ProductName')]",
"publisher": "[variables('SolutionPublisher')]",
"promotionCode": ""
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [],
"tags": {},
"properties": {
"etag": "*",
"query": "[variables('MySearch').query]",
"displayName": "[variables('MySearch').displayName]",
"category": "[variables('MySearch').category]"
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name)]"
],
"properties": {
"etag": "*",
"interval": "[variables('MyAlert').Schedule.Interval]",
"queryTimeSpan": "[variables('MyAlert').Schedule.TimeSpan]",
"enabled": true
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name, '/', variables('MyAlert').Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name)]"
],
"properties": {
"etag": "*",
"Type": "Alert",
"Name": "[variables('MyAlert').DisplayName]",
"Description": "[variables('MyAlert').Description]",
"Severity": "[variables('MyAlert').Severity]",
"Threshold": {
"Operator": "[variables('MyAlert').ThresholdOperator]",
"Value": "[variables('MyAlert').ThresholdValue]",
"MetricsTrigger": {
"TriggerCondition": "[variables('MyAlert').MetricsTrigger.TriggerCondition]",
"Operator": "[variables('MyAlert').MetricsTrigger.Operator]",
"Value": "[variables('MyAlert').MetricsTrigger.Value]"
}
},
"Throttling": {
"DurationInMinutes": "[variables('MyAlert').ThrottleMinutes]"
},
"EmailNotification": {
"Recipients": "[variables('MyAlert').Notification.Recipients]",
"Subject": "[variables('MyAlert').Notification.Subject]",
"Attachment": "None"
},
"Remediation": {
"RunbookName": "[variables('MyAlert').Remediation.RunbookName]",
"WebhookUri": "[variables('MyAlert').Remediation.WebhookUri]"
}
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name, '/', variables('MyAlert').Webhook.Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name)]",
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name, '/actions/',variables('MyAlert').Name)]"
],
"properties": {
"etag": "*",
"Type": "Webhook",
"Name": "[variables('MyAlert').Webhook.Name]",
"WebhookUri": "[variables('MyAlert').Webhook.Uri]",
"CustomPayload": "[variables('MyAlert').Webhook.Payload]"
}
}
]
}
参数文件为:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"accountName": {
"value": "test-dev-automation113"
},
"workspaceregionId": {
"value": "West Europe"
},
"regionId": {
"value": "West Europe"
},
"pricingTier": {
"value": "Free"
},
"recipients": {
"value": "myemail@outlook.com"
},
"workspaceName": {
"value": "test-dev-oms113"
}
}
}
在部署模板之前,我创建了名为 "test-dev-automation113" 的 Log Analytics 和名为 "test-dev-automation113" 的 Automaion 帐户。非常感谢任何关于它为何不起作用的建议。
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0",
"parameters": {
"workspaceName": {
"type": "string",
"metadata": {
"Description": "Name of Log Analytics workspace"
}
},
"workspaceregionId": {
"type": "string",
"metadata": {
"Description": "Region of Log Analytics workspace"
}
},
"actiongroup": {
"type": "string",
"metadata": {
"Description": "List of action groups for alert actions separated by semicolon"
}
}
},
"variables": {
"SolutionName": "SolutionTest",
"SolutionVersion": "1.0",
"SolutionPublisher": "SolutionTesters",
"ProductName": "SolutionTest1",
"LogAnalyticsApiVersion": "2017-03-03-preview",
"MySearch": {
"displayName": "Processor over 70%",
"query": 'Perf | where ObjectName=="Processor" and CounterName=="% Processor Time" and CounterValue>70',
"category": "Samples",
"name": "Samples-Count of data"
},
"MyAlert": {
"Name": "[toLower(concat('myalert-',uniqueString(resourceGroup().id, deployment().name)))]",
"DisplayName": "Processor over 70%",
"Description": "Processor alert. Fires when 3 error records found over hour interval.",
"Severity": "Critical",
"ThresholdOperator": "gt",
"ThresholdValue": 3,
"Schedule": {
"Name": "[toLower(concat('myschedule-',uniqueString(resourceGroup().id, deployment().name)))]",
"Interval": 15,
"TimeSpan": 60
},
"MetricsTrigger": {
"TriggerCondition": "Consecutive",
"Operator": "gt",
"Value": 3
},
"ThrottleMinutes": 60,
"AzNsNotification": {
"GroupIds": [
"[parameters('actiongroup')]"
],
"CustomEmailSubject": "Sample alert for processor query"
}
}
},
"resources": [
{
"name": "[concat(variables('SolutionName'), '[' ,parameters('workspacename'), ']')]",
"location": "[parameters('workspaceRegionId')]",
"tags": { },
"type": "Microsoft.OperationsManagement/solutions",
"apiVersion": "2015-11-01-preview",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspacename'), variables('MySearch').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]",
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspacename'))]",
"referencedResources": [
],
"containedResources": [
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspacename'), variables('MySearch').Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name)]",
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions', parameters('workspacename'), variables('MySearch').Name, variables('MyAlert').Schedule.Name, variables('MyAlert').Name)]"
]
},
"plan": {
"name": "[concat(variables('SolutionName'), '[' ,parameters('workspaceName'), ']')]",
"Version": "[variables('SolutionVersion')]",
"product": "[variables('ProductName')]",
"publisher": "[variables('SolutionPublisher')]",
"promotionCode": ""
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [ ],
"tags": { },
"properties": {
"etag": "*",
"query": "[variables('MySearch').query]",
"displayName": "[variables('MySearch').displayName]",
"category": "[variables('MySearch').category]"
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name)]"
],
"properties": {
"etag": "*",
"interval": "[variables('MyAlert').Schedule.Interval]",
"queryTimeSpan": "[variables('MyAlert').Schedule.TimeSpan]",
"enabled": true
}
},
{
"name": "[concat(parameters('workspaceName'), '/', variables('MySearch').Name, '/', variables('MyAlert').Schedule.Name, '/', variables('MyAlert').Name)]",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
"apiVersion": "[variables('LogAnalyticsApiVersion')]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'), '/savedSearches/', variables('MySearch').Name, '/schedules/', variables('MyAlert').Schedule.Name)]"
],
"properties": {
"etag": "*",
"Type": "Alert",
"Name": "[variables('MyAlert').DisplayName]",
"Description": "[variables('MyAlert').Description]",
"Severity": "[variables('MyAlert').Severity]",
"Threshold": {
"Operator": "[variables('MyAlert').ThresholdOperator]",
"Value": "[variables('MyAlert').ThresholdValue]",
"MetricsTrigger": {
"TriggerCondition": "[variables('MyAlert').MetricsTrigger.TriggerCondition]",
"Operator": "[variables('MyAlert').MetricsTrigger.Operator]",
"Value": "[variables('MyAlert').MetricsTrigger.Value]"
}
},
"Throttling": {
"DurationInMinutes": "[variables('MyAlert').ThrottleMinutes]"
},
"AzNsNotification": {
"GroupIds": "[variables('MyAlert').AzNsNotification.GroupIds]",
"CustomEmailSubject": "[variables('MyAlert').AzNsNotification.CustomEmailSubject]"
}
}
}
]
}
下面是参数文件
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspacename": {
"value": "WorkspaceName"
},
"workspaceregionId": {
"value": "westeurope"
},
"actiongroup": {
"value": "/subscriptions/<SubID>/resourcegroups/<ResourceGroupName>/providers/microsoft.insights/actiongroups/<ActionGroupName>"
}
}
}
要在日志分析工作区中创建自定义日志查询警报,请使用计划查询规则创建模板,API 版本 - 2018-04-16。参考: