Is there an ARM template solution to create OMS alerts for Log Analytics

I am trying to create an OMS workspace with attached alerts through an ARM template. I have already created an OMS workspace, and for the alerts part I followed the following tutorial. After struggling for a while with why my alerts would not deploy, I saw the following comment on the same tutorial:

"The "Action" schema has changed, and alerts are now in Azure Monitor :) Here is the link"

While trying to read the documentation and get smarter, I ended up in an endless loop of reference links:

The link given in the tutorial says "Beginning May 14, 2018, all alerts in an Azure public cloud instance of Log Analytics workspace began to extend into Azure." After a while I found the following link. I thought I had finally found the place that explains the new alerts, but it is for Application Insights, not Log Analytics.

My question is: can anyone help me understand how the new alert schema works, or point me in the right direction?

I am not an OMS expert, but this is what we have been using:

{
    "apiVersion": "2017-03-15-preview",
    "name": "[concat(variables('namespace'), '/', variables('savedSearches').Search[copyIndex()].Name)]",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
    "copy": {
        "name": "SavedSearchCopy",
        "count": "[length(variables('savedSearches').Search)]"
    },
    "dependsOn": [
        "[concat('Microsoft.OperationalInsights/workspaces/', variables('namespace'))]",
        "ActionGroupCopy"
    ],
    "properties": {
        "category": "Alerts",
        "displayName": "[variables('savedSearches').Search[copyIndex()].DisplayName]",
        "query": "[variables('savedSearches').Search[copyIndex()].Query]"
    }
},
{
    "name": "[tolower(concat(variables('namespace'), '/', variables('savedSearches').Search[copyIndex()].Name, '/',  variables('savedSearches').Search[copyIndex()].Schedule.Name))]",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules",
    "apiVersion": "2017-03-03-preview",
    "copy": {
        "name": "ScheduleCopy",
        "count": "[length(variables('savedSearches').Search)]"
    },
    "dependsOn": [
        "SavedSearchCopy"
    ],
    "properties": {
        "interval": "5",
        "queryTimeSpan": "10",
        "enabled": true
    }
},
{
    "name": "[tolower(concat(variables('namespace'), '/', variables('savedSearches').Search[copyIndex()].Name, '/',  variables('savedSearches').Search[copyIndex()].Schedule.Name, '/', variables('savedSearches').Search[copyIndex()].Alert.Name, '-', if(contains(variables('savedSearches').Search[copyIndex()].Alert, 'MetricsTrigger'), 'Total', 'Consecutive')))]",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
    "copy": {
        "name": "ActionCopy",
        "count": "[length(variables('savedSearches').Search)]"
    },
    "apiVersion": "2017-03-15-preview",
    "dependsOn": [
        "ScheduleCopy"
    ],
    "properties": {
        "Type": "Alert",
        "Name": "[variables('savedSearches').Search[copyIndex()].Alert.Name]",
        "Description": "[variables('savedSearches').Search[copyIndex()].Alert.Description]",
        "Severity": "warning",
        "Threshold": "[variables('savedSearches').Search[copyIndex()].Alert.Threshold]",
        "Throttling": {
            "DurationInMinutes": 60
        },
        "AzNsNotification": {
            "GroupIds": [
                "[resourceId('microsoft.insights/actionGroups', 'xxx')]"
            ]
        }
    }
},
{
    "type": "Microsoft.Insights/actionGroups",
    "apiVersion": "2018-03-01",
    "name": "[variables('actionGroups')[copyIndex()].Name]",
    "copy": {
        "name": "ActionGroupCopy",
        "count": "[length(variables('actionGroups'))]"
    },
    "location": "Global",
    "properties": {
        "groupShortName": "[variables('actionGroups')[copyIndex()].Name]",
        "enabled": true,
        "emailReceivers": [
            {
                "name": "[variables('actionGroups')[copyIndex()].EmailName]",
                "emailAddress": "[variables('actionGroups')[copyIndex()].EmailAddress]"
            }
        ]
    }
},

Here is an example of the saved-searches variable we use to map everything:

"savedSearches": {
    "Search": [
        {
            "Name": "HighCPU",
            "DisplayName": "CPU Above 90%",
            "Query": "Perf | where CounterName == \"% Processor Time\" and InstanceName ==\"_Total\" | summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 1m)",
            "Schedule": {
                "Name": "HighCPUSchedule"
            },
            "Alert": {
                "Name": "HighCPUAlert",
                "Description": "Alert for High CPU",
                "Threshold": {
                    "Operator": "gt",
                    "Value": 90,
                    "MetricsTrigger": {
                        "Value": 2,
                        "Operator": "gt",
                        "TriggerCondition": "Consecutive"
                    }
                }
            }
        },
        ...
    ]
}