Edit troubleshooting sections for alerts

Author: AbbyMSFT

articles/azure-monitor/alerts/alerts-create-log-alert-rule.md

@@ -57,9 +57,10 @@ Alerts triggered by these alert rules contain a payload that uses the [common al
     For sample log search alert queries that query ARG or ADX, see [Log search alert query samples](./alerts-log-alert-query-samples.md)
 
    For limitations:
-   * [Cross-service query limitations](https://learn.microsoft.co/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#limitations)
-   * [Combine Azure Resource Graph tables with a Log Analytics workspace](https://learn.microsoft.com/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#combine-azure-resource-graph-tables-with-a-log-analytics-workspace) limitations
-   * Not suppprted in Gov clouds
+   * [Cross-service query limitations](../logs/azure-monitor-data-explorer-proxy.md#limitations)
+   * [Combine Azure Resource Graph tables with a Log Analytics workspace](../logs/azure-monitor-data-explorer-proxy.md#combine-azure-resource-graph-tables-with-a-log-analytics-workspace)
+   * Not suppported in government clouds
+
 1. Select **Run** to run the alert.
 1. The **Preview** section shows you the query results. When you're finished editing your query, select **Continue Editing Alert**.
 1. The **Condition** tab opens populated with your log query. By default, the rule counts the number of results in the last five minutes. If the system detects summarized query results, the rule is automatically updated with that information.

articles/azure-monitor/alerts/alerts-create-metric-alert-rule.md

@@ -4,7 +4,7 @@ description: This article shows you how to create a new metric alert rule.
 author: AbbyMSFT
 ms.author: abbyweisberg
 ms.topic: how-to
-ms.date: 11/27/2023
+ms.date: 03/07/2024
 ms.reviewer: harelbr
 ---
 
@@ -16,6 +16,14 @@ You create an alert rule by combining the resources to be monitored, the monitor
 
 Alerts triggered by these alert rules contain a payload that uses the [common alert schema](alerts-common-schema.md).
 
+## Permissions to create metric alert rules
+
+To create a metric alert rule, you must have the following permissions:
+
+  - Read permission on the target resource of the alert rule.
+  - Write permission on the resource group in which the alert rule is created. If you're creating the alert rule from the Azure portal, the alert rule is created by default in the same resource group in which the target resource resides.
+  - Read permission on any action group associated to the alert rule, if applicable.
+
 [!INCLUDE [alerts-wizard-access](../includes/alerts-wizard-access.md)]
 
 [!INCLUDE [alerts-wizard-scope](../includes/alerts-wizard-scope.md)]
@@ -126,5 +134,41 @@ Alerts triggered by these alert rules contain a payload that uses the [common al
 [!INCLUDE [alerts-wizard-finish](../includes/alerts-wizard-finish.md)]
 
 
+## Naming restrictions for metric alert rules
+
+Consider the following restrictions for metric alert rule names:
+
+- Metric alert rule names can't be changed (renamed) after they're created.
+- Metric alert rule names must be unique within a resource group.
+- Metric alert rule names can't contain the following characters: * # & + : < > ? @ % { } \ /
+- Metric alert rule names can't end with a space or a period.
+- The combined resource group name and alert rule name can't exceed 252 characters.
+
+> [!NOTE]
+> If the alert rule name contains characters that aren't alphabetic or numeric, for example, spaces, punctuation marks, or symbols, these characters might be URL-encoded when retrieved by certain clients.
+
+## Restrictions when you use dimensions in a metric alert rule with multiple conditions
+
+Metric alerts support alerting on multi-dimensional metrics and support defining multiple conditions, up to five conditions per alert rule.
+
+Consider the following constraints when you use dimensions in an alert rule that contains multiple conditions:
+
+- You can only select one value per dimension within each condition.
+- You can't use the option to **Select all current and future values**. Select the asterisk (\*).
+- When metrics that are configured in different conditions support the same dimension, a configured dimension value must be explicitly set in the same way for all those metrics in the relevant conditions.
+For example:
+    - Consider a metric alert rule that's defined on a storage account and monitors two conditions:
+        * Total **Transactions** > 5
+        * Average **SuccessE2ELatency** > 250 ms
+    - You want to update the first condition and only monitor transactions where the **ApiName** dimension equals `"GetBlob"`.
+    - Because both the **Transactions** and **SuccessE2ELatency** metrics support an **ApiName** dimension, you'll need to update both conditions, and have them specify the **ApiName** dimension with a `"GetBlob"` value.
+
+
+## Considerations when creating an alert rule that contains multiple criteria
+   - You can only select one value per dimension within each criterion.
+   - You can't use an asterisk (\*) as a dimension value.
+   - When metrics that are configured in different criteria support the same dimension, a configured dimension value must be explicitly set in the same way for all those metrics. For a Resource Manager template example, see [Create a metric alert with a Resource Manager template](./alerts-metric-create-templates.md#template-for-a-static-threshold-metric-alert-that-monitors-multiple-criteria).
+
+
 ## Next steps
  [View and manage your alert instances](alerts-manage-alert-instances.md)

articles/azure-monitor/alerts/alerts-manage-alert-rules.md

@@ -3,7 +3,7 @@ title: Manage your alert rules
 description: Manage your alert rules in the Azure portal, or using the CLI or PowerShell.
 author: AbbyMSFT
 ms.author: abbyweisberg
-ms.topic: conceptual
+ms.topic: how-to
 ms.custom: devx-track-azurecli
 ms.date: 01/14/2024
 ms.reviewer: harelbr
@@ -120,6 +120,16 @@ Metric alert rules have these dedicated PowerShell cmdlets:
 - [Update](/rest/api/monitor/metricalerts/update): Update a metric alert rule.
 - [Delete](/rest/api/monitor/metricalerts/delete): Delete a metric alert rule.
 
+## Delete metric alert rules defined on a deleted resource
+
+When you delete an Azure resource, associated metric alert rules aren't deleted automatically. To delete alert rules associated with a resource that's been deleted:
+
+1. Open the resource group in which the deleted resource was defined.
+1. In the list that displays the resources, select the **Show hidden types** checkbox.
+1. Filter the list by Type == **microsoft.insights/metricalerts**.
+1. Select the relevant alert rules and select **Delete**.
+
+
 ## Manage log search alert rules using the CLI
 
 This section describes how to manage log search alerts using the cross-platform [Azure CLI](/cli/azure/get-started-with-azure-cli). The following examples use [Azure Cloud Shell](../../cloud-shell/overview.md). 

articles/azure-monitor/alerts/alerts-troubleshoot-log.md

@@ -16,9 +16,9 @@ You can use log alerts to evaluate resources logs every set frequency by using a
 > [!NOTE]
 > This article doesn't consider cases where the Azure portal shows that an alert rule was triggered but a notification isn't received. For such cases, see [Action or notification on my alert did not work as expected](./alerts-troubleshoot.md#action-or-notification-on-my-alert-did-not-work-as-expected).
 
-## Log search alert wasn't fired when it should
+## A log search alert didn't fire when it should have
 
-### The alert rule is in a degraded or unavailable health state
+1. **Is the alert rule is in a degraded or unavailable health state?**
 
 View the health status of your log search alert rule:
 
@@ -31,42 +31,40 @@ View the health status of your log search alert rule:
 
 See [Monitor the health of log search alert rules](log-alert-rule-health.md#monitor-the-health-of-log-search-alert-rules) to learn more.  
 
-### Data ingestion time for logs
+1. **Check the log ingestion latency.**
 
 Azure Monitor processes terabytes of customers' logs from across the world, which can cause [logs ingestion latency](../logs/data-ingestion-time.md).
 
 Logs are semi-structured data and are inherently more latent than metrics. If you're experiencing more than a 4-minute delay in fired alerts, you should consider using [metric alerts](alerts-metric-overview.md). You can send data to the metric store from logs using [metric alerts for logs](alerts-metric-logs.md).
 
 To mitigate latency, the system retries the alert evaluation multiple times. After the data arrives, the alert fires, which in most cases don't equal the log record time.
 
-### Actions are muted or alert rule is defined to resolve automatically
+1. **Are the actions muted or was the alert rule configured to resolve automatically?**
 
-Log alerts provide an option to mute fired alert actions for a set amount of time using **Mute actions** and to only fire once per condition being met using **Automatically resolve alerts**. 
-
-A common issue is that you think that the alert didn't fire, but it was actually the rule configuration.
+A common issue is that you think that the alert didn't fire, but the rule was configured so that the alert would not fire. See the advanced options of the [log search alert rule](./alerts-create-log-alert-rule.md) to verify that both of the following are not selected:
+* The **Mute actions** checkbox: allows you to mute fired alert actions for a set amount of time.
+* **Automatically resolve alerts**: configures the alert to only fire once per condition being met.
 
 :::image type="content" source="media/alerts-troubleshoot-log/LogAlertSuppress.png" lightbox="media/alerts-troubleshoot-log/LogAlertSuppress.png" alt-text="Suppress alerts":::
 
-## Log search alert fired when it shouldn't have
+## A log search alert fired when it shouldn't have
 
 A configured [log alert rule in Azure Monitor](./alerts-log.md) might be triggered unexpectedly. The following sections describe some common reasons.
 
-### Alert triggered by partial data
-
-Azure Monitor processes terabytes of customers' logs from across the world, which can cause [logs ingestion latency](../logs/data-ingestion-time.md).
+1. **Was the alert triggered due to latency issues?**
 
-Logs are semi-structured data and are inherently more latent than metrics. If you're experiencing many misfires in fired alerts, you should consider using [metric alerts](alerts-metric-overview.md). You can send data to the metric store from logs using [metric alerts for logs](alerts-metric-logs.md).
+Azure Monitor processes terabytes of customer logs globally, which can cause [logs ingestion latency](../logs/data-ingestion-time.md). There are built-in capabilities to prevent false alerts, but they can still occur on very latent data (over ~30 minutes) and data with latency spikes.
 
-Log alerts work best when you try to detect data in the logs. It works less well when you try to detect lack of data in the logs, like alerting on virtual machine heartbeat. 
+Logs are semi-structured data and are inherently more latent than metrics. If you're experiencing many misfires in fired alerts, consider using [metric alerts](alerts-types.md#metric-alerts). You can send data to the metric store from logs using [metric alerts for logs](alerts-metric-logs.md).
 
-There are built-in capabilities to prevent false alerts, but they can still occur on very latent data (over ~30 minutes) and data with latency spikes.
+Log search alerts work best when you are try to detect specific data in the logs. They are less effective when you are trying to detect lack of data in the logs, like alerting on virtual machine heartbeat. 
 
-## Log search alert rule was disabled
+1. **Was the the Log search alert rule disabled?**
 
 If a log search alert rule query fails to evaluate continuously for a week, Azure Monitor disables it automatically. 
 The following sections list some reasons why Azure Monitor might disable a log search alert rule. Additionally, there's an example of the [Activity log](../../azure-monitor/essentials/activity-log.md) event that is submitted when a rule is disabled.
 
-#### Activity log example when rule is disabled
+### Activity log example when rule is disabled
 
 ```json
 {
@@ -129,57 +127,55 @@ The following sections list some reasons why Azure Monitor might disable a log s
 }
 ```
 
-### Alert rule scope no longer exists or was moved
+1. **Was the alert rule resource moved or deleted?**
 
-If an alert rule scope resource moves, gets renamed, or is deleted, all log alert rules referring to that resource will break. To fix this issue, alert rules need to be recreated using a valid target resource for the scope.
+If an alert rule resource moves, gets renamed, or is deleted, all log alert rules referring to that resource will break. To fix this issue, alert rules need to be recreated using a valid target resource for the scope.
 
-### The alert rule uses a system-assigned managed identity with empty permissions
+1. **Does the alert rule uses a system-assigned managed identity?** 
 
 When you create a log alert rule with system-assigned managed identity, the identity is created without any permissions. After you create the rule, you need to assign the appropriate roles to the rule’s identity so that it can access the data you want to query. For example, you might need to give it a Reader role for the relevant Log Analytics workspaces, or a Reader role and a Database Viewer role for the relevant ADX cluster. See [managed identities](/azure/azure-monitor/alerts/alerts-create-log-alert-rule#configure-the-alert-rule-details) for more information about using managed identities in log alerts.
 
-### Query used in a log search alert isn't valid
+1. **Is the query used in the log search alert rule valid?**
 
-When a log alert rule is created, the query is validated for correct syntax. But sometimes, the query provided in the log alert rule can start to fail. Some common reasons are:
+When a log alert rule is created, the query is validated for correct syntax. But sometimes the query provided in the log alert rule can start to fail. Some common reasons are:
 
-- Rules were created via the API, and validation was skipped by the user.
+- Rules were created via the API, and the user skipped validation.
 - The query [runs on multiple resources](../logs/cross-workspace-query.md), and one or more of the resources was deleted or moved.
 - The [query fails](../logs/api/errors.md) because:
     - The logging solution wasn't [deployed to the workspace](../insights/solutions.md#install-a-monitoring-solution), so tables aren't created.
     - Data stopped flowing to a table in the query for more than 30 days.
-    - [Custom logs tables](../agents/data-sources-custom-logs.md) aren't yet created, because the data flow hasn't started.
-- Changes in [query language](/azure/kusto/query/) include a revised format for commands and functions, so the query provided earlier is no longer valid.
+    - [Custom logs tables](../agents/data-sources-custom-logs.md) haven't been created because the data flow hasn't started.
+- Changes in the [query language](/azure/kusto/query/) include a revised format for commands and functions, so the query provided earlier is no longer valid.
 
 [Azure Advisor](../../advisor/advisor-overview.md) warns you about this behavior. It adds a recommendation about the affected log search alert rule. The category used is 'High Availability' with medium impact and a description of 'Repair your log alert rule to ensure monitoring'.
 
-## Issues configuring Log search alert rules
+## Error messages when configuring log search alert rules
 
-### The query couldn't be validated since you need permission for the logs error
+### The query couldn't be validated since you need permission for the logs
 
-If you receive this error message when creating or editing your alert rule query, make sure you have enough permissions to read the target resource logs.
+If you receive this error message when creating or editing your alert rule query, make sure you have permissions to read the target resource logs.
 
-- Permissions required to read logs in workspace-context access mode:
-  Microsoft.OperationalInsights/workspaces/query/read.  
-- Permissions required to read logs in resource-context access mode (including workspace-based Application Insights resource):
-  Microsoft.Insights/logs/tableName/read.
+- Permissions required to read logs in workspace-context access mode: `Microsoft.OperationalInsights/workspaces/query/read`. 
+- Permissions required to read logs in resource-context access mode (including workspace-based Application Insights resource): `Microsoft.Insights/logs/tableName/read`.
 
 See [Manage access to Log Analytics workspaces](../logs/manage-access.md) to learn more about permissions.
 
-### One-minute frequency is not supported for this query error
+### One-minute frequency is not supported for this query
 
 There are some limitations to using a one minute alert rule frequency. When you set the alert rule frequency to one minute, an internal manipulation is performed to optimize the query. This manipulation can cause the query to fail if it contains unsupported operations.
 
 For a list of unsupported scenarios, see [this note](https://aka.ms/lsa_1m_limits). 
 
-### Failed to resolve scalar expression named <> error 
+### Failed to resolve scalar expression named <>  
 
-This error message when creating or editing your alert rule query can be returned if:
+This error message can be returned when creating or editing your alert rule query if:
 
 - You are referencing a column that doesn't exist in the table schema.
 - You are referencing a column that wasn't used in a prior project clause of the query.
 
 To mitigate this, you can either add the column to the previous project clause or use the [columnifexists](https://learn.microsoft.com/azure/data-explorer/kusto/query/column-ifexists-function) operator.
 
-### ScheduledQueryRules API is not supported for read only OMS Alerts error
+### ScheduledQueryRules API is not supported for read only OMS Alerts
 
 This error message is returned when trying to update or delete rules created with the legacy API version by using the Azure Portal.
 
@@ -189,23 +185,20 @@ This error message is returned when trying to update or delete rules created wit
 ## Alert rule quota was reached
 
 For details about the number of log search alert rules per subscription and maximum limits of resources, see [Azure Monitor service limits](../service-limits.md).
-
-### Recommended Steps
-    
 If you've reached the quota limit, the following steps might help resolve the issue.
 
 1. Delete or disable log search alert rules that aren’t used anymore.
-1. Use [splitting of alerts by dimensions](alerts-unified-log.md#split-by-alert-dimensions) to reduce rules count. These rules can monitor many resources and detection cases.
+1. Use [splitting by dimensions](alerts-types.md#monitor-multiple-instances-of-a-resource-using-dimensions) to reduce the number of rules. When you use splitting by dimensions, one rule can monitor many resources.
 1. If you need the quota limit to be increased, continue to open a support request, and provide the following information:
 
     - The Subscription IDs and Resource IDs for which the quota limit needs to be increased
     - The reason for quota increase
     - The resource type for the quota increase, such as **Log Analytics** or **Application Insights**
     - The requested quota limit
 
-### To check the current usage of new log alert rules
-	
-#### From the Azure portal
+### Check the current usage of log alert rules
+
+#### Check the number of log alert rules in use in the Azure portal
 
 1. On the Alerts screen in Azure Monitor, select **Alert rules**.
 1. In the **Subscription** dropdown control, filter to the subscription you want. (Make sure you don't filter to a specific resource group, resource type, or resource.)
@@ -214,7 +207,7 @@ If you've reached the quota limit, the following steps might help resolve the is
 
 The total number of log search alert rules is displayed above the rules list.
 
-#### From API
+### Use the API to check the number of log alert rules in use
 
 - PowerShell - [Get-AzScheduledQueryRule](/powershell/module/az.monitor/get-azscheduledqueryrule)
 - CLI: [az monitor scheduled-query list](/cli/azure/monitor/scheduled-query#az-monitor-scheduled-query-list)