changes to query examples for log alert rules

AbbyMSFT · AbbyMSFT · commit c69c433a3a10 · 2024-01-08T19:28:52.000+02:00
diff --git a/articles/azure-monitor/alerts/alerts-log-alert-query-samples.md b/articles/azure-monitor/alerts/alerts-log-alert-query-samples.md
@@ -14,9 +14,20 @@ A log alert rule monitors a resource by using a Log Analytics query to evaluate
 
 This article provides examples of log alert rule queries that use Azure Data Explorer and Azure Resource Graph. For more information about creating a log alert rule, see [Create a log alert rule](./alerts-create-log-alert-rule.md).
 
-## Query that checks virtual machine health
+## Queries that check virtual machine health
 
-This query finds virtual machines that are marked as critical and that had a heartbeat more than 24 hours ago, but that haven't had a heartbeat in the last 2 minutes.
+This query finds virtual machines marked as critical that haven't had a heartbeat in the last 2 minutes.
+
+```kusto
+    arg("").Resources
+    | where type == "microsoft.compute/virtualmachines"
+    | summarize LastCall = max(case(isnull(TimeGenerated), make_datetime(1970, 1, 1), TimeGenerated)) by name, id
+    | extend SystemDown = case(LastCall < ago(2m), 1, 0)
+    | where SystemDown == 1
+```
+
+
+This query finds virtual machines marked as critical that had a heartbeat more than 24 hours ago, but that haven't had a heartbeat in the last 2 minutes.
 
 ```kusto
 {
@@ -38,15 +49,15 @@ This query finds virtual machines that are marked as critical and that had a hea
 ## Query that filters virtual machines that need to be monitored
 
 ```kusto
-{
+   {
     let RuleGroupTags = dynamic(['Linux']);
-    Perf | where ObjectName == 'Processor' and CounterName == '% Idle Time' and (InstanceName == '_Total' or InstanceName == 'total')
+    Perf | where ObjectName == 'Processor' and CounterName == '% Idle Time' and (InstanceName in ('_Total,'total'))
     | extend CpuUtilisation = (100 - CounterValue)   
     | join kind=inner hint.remote=left (arg("").Resources
-    | where type =~ 'Microsoft.Compute/virtualMachines'
+        | where type =~ 'Microsoft.Compute/virtualMachines'
     | project _ResourceId=tolower(id), tags) on _ResourceId
     | project-away _ResourceId1
-    | where (isnull(tags.monitored) or tolower(tostring(tags.monitored)) != 'false') and (tostring(tags.monitorRuleGroup) in (RuleGroupTags) or isnull(tags.monitorRuleGroup) or tostring(tags.monitorRuleGroup) == '')
+    | where  (tostring(tags.monitorRuleGroup) in (RuleGroupTags)) 
 }
 ```
 
@@ -68,10 +79,10 @@ This query finds virtual machines that are marked as critical and that had a hea
 ```kusto
 {
     arg("").resourcechanges
-    | extend changeTime = todatetime(properties.changeAttributes.timestamp), targetResourceId = tostring(properties.targetResourceId),
+    | extend changeTime = todatetime(properties.changeAttributes.timestamp), 
     changeType = tostring(properties.changeType),targetResourceType = tostring(properties.targetResourceType),
     changedBy = tostring(properties.changeAttributes.changedBy)
-    | where changeType == "Create"
+    | where changeType == "Create" and changeTime <ago(1h)
     | project changeTime,targetResourceId,changedBy
 }
 ```
