Merge pull request #262678 from AbbyMSFT/log-alerts-adx

ttorble · web-flow · commit 01f5da96d702 · 2024-01-09T10:55:43.000Z
Changes to query examples for log alert rules
diff --git a/articles/azure-monitor/alerts/alerts-log-alert-query-samples.md b/articles/azure-monitor/alerts/alerts-log-alert-query-samples.md
@@ -10,13 +10,24 @@ ms.reviewer: nolavime
 
 # Sample log alert queries that include ADX and ARG
 
-A log alert rule monitors a resource by using a Log Analytics query to evaluate resource logs at a set frequency. You can include data from Azure Data Explorer and Azure Resource Graph in your log alert rule queries.
+A log alert rule monitors a resource by using a Log Analytics query to evaluate logs at a set frequency. You can include data from Azure Data Explorer and Azure Resource Graph in your log alert rule queries.
 
 This article provides examples of log alert rule queries that use Azure Data Explorer and Azure Resource Graph. For more information about creating a log alert rule, see [Create a log alert rule](./alerts-create-log-alert-rule.md).
 
-## Query that checks virtual machine health
+## Queries that check virtual machine health
 
-This query finds virtual machines that are marked as critical and that had a heartbeat more than 24 hours ago, but that haven't had a heartbeat in the last 2 minutes.
+This query finds virtual machines marked as critical that haven't had a heartbeat in the last 2 minutes.
+
+```kusto
+    arg("").Resources
+    | where type == "microsoft.compute/virtualmachines"
+    | summarize LastCall = max(case(isnull(TimeGenerated), make_datetime(1970, 1, 1), TimeGenerated)) by name, id
+    | extend SystemDown = case(LastCall < ago(2m), 1, 0)
+    | where SystemDown == 1
+```
+
+
+This query finds virtual machines marked as critical that had a heartbeat more than 24 hours ago, but that haven't had a heartbeat in the last 2 minutes.
 
 ```kusto
 {
@@ -38,15 +49,15 @@ This query finds virtual machines that are marked as critical and that had a hea
 ## Query that filters virtual machines that need to be monitored
 
 ```kusto
-{
+   {
     let RuleGroupTags = dynamic(['Linux']);
-    Perf | where ObjectName == 'Processor' and CounterName == '% Idle Time' and (InstanceName == '_Total' or InstanceName == 'total')
+    Perf | where ObjectName == 'Processor' and CounterName == '% Idle Time' and (InstanceName in ('_Total,'total'))
     | extend CpuUtilisation = (100 - CounterValue)   
     | join kind=inner hint.remote=left (arg("").Resources
-    | where type =~ 'Microsoft.Compute/virtualMachines'
+        | where type =~ 'Microsoft.Compute/virtualMachines'
     | project _ResourceId=tolower(id), tags) on _ResourceId
     | project-away _ResourceId1
-    | where (isnull(tags.monitored) or tolower(tostring(tags.monitored)) != 'false') and (tostring(tags.monitorRuleGroup) in (RuleGroupTags) or isnull(tags.monitorRuleGroup) or tostring(tags.monitorRuleGroup) == '')
+    | where  (tostring(tags.monitorRuleGroup) in (RuleGroupTags)) 
 }
 ```
 
@@ -68,10 +79,10 @@ This query finds virtual machines that are marked as critical and that had a hea
 ```kusto
 {
     arg("").resourcechanges
-    | extend changeTime = todatetime(properties.changeAttributes.timestamp), targetResourceId = tostring(properties.targetResourceId),
+    | extend changeTime = todatetime(properties.changeAttributes.timestamp), 
     changeType = tostring(properties.changeType),targetResourceType = tostring(properties.targetResourceType),
     changedBy = tostring(properties.changeAttributes.changedBy)
-    | where changeType == "Create"
+    | where changeType == "Create" and changeTime <ago(1h)
     | project changeTime,targetResourceId,changedBy
 }
 ```
