Merge pull request #247744 from nolavime/main

prmerger-automator[bot] · web-flow · commit efa028ed994c · 2023-08-09T10:43:43.000Z
Main
diff --git a/articles/azure-monitor/alerts/alerts-common-schema.md b/articles/azure-monitor/alerts/alerts-common-schema.md
@@ -102,7 +102,7 @@ For sample alerts that use the common schema, see [Sample alert payloads](alerts
 | signalType | Identifies the signal on which the alert rule was defined. Possible values are Metric, Log, or Activity Log. |
 | monitorCondition | When an alert fires, the alert's monitor condition is set to **Fired**. When the underlying condition that caused the alert to fire clears, the monitor condition is set to **Resolved**.   |
 | monitoringService | The monitoring service or solution that generated the alert. The monitoring service determines which fields are in the alert context. |
-| targetResource | The list of the Azure Resource Manager IDs that are affected targets of an alert. For a log alert defined on a Log Analytics workspace or Application Insights instance, it's the respective workspace or application. |
+| alertTargetIDs | The list of the Azure Resource Manager IDs that are affected targets of an alert. For a log alert defined on a Log Analytics workspace or Application Insights instance, it's the respective workspace or application. |
 | configurationItems |The list of affected resources of an alert.<br>In some cases, the configuration items can be different from the alert targets. For example, in metric-for-log or log alerts defined on a Log Analytics workspace, the configuration items are the actual resources sending the data, and not the workspace.<br><ul><li>In the log alerts API (Scheduled Query Rules) v2021-08-01, the `configurationItem` values are taken from explicitly defined dimensions in this priority: `_ResourceId`, `ResourceId`, `Resource`, `Computer`.</li><li>In earlier versions of the log alerts API, the `configurationItem` values are taken implicitly from the results in this priority: `_ResourceId`, `ResourceId`, `Resource`, `Computer`.</li></ul>In ITSM systems, the `configurationItems` field is used to correlate alerts to resources in a configuration management database. |
 | originAlertId | The ID of the alert instance, as generated by the monitoring service generating it. |
 | firedDateTime | The date and time when the alert instance was fired in Coordinated Universal Time (UTC). |
diff --git a/articles/azure-monitor/alerts/alerts-create-new-alert-rule.md b/articles/azure-monitor/alerts/alerts-create-new-alert-rule.md
@@ -144,12 +144,16 @@ To edit an existing alert rule:
 
         To use one of the predefined alert rule queries, expand the **Schema and filter** pane on the left of the **Logs** pane. Then select the **Queries** tab, and select one of the queries.
 
-    1. (Optional) If you're querying an ADX cluster, Log Analytics can't automatically identify the column with the event timestamp, so we recommend that you add a time range filter to the query. For example:
-        ```azurecli
+    1. (Optional) If you're querying an ADX or ARG cluster, Log Analytics can't automatically identify the column with the event timestamp, so we recommend that you add a time range filter to the query. For example:
+        ```KQL
          adx(cluster).table    
          | where MyTS >= ago(5m) and MyTS <= now()
         ```     
-
+         ```KQL
+         arg("").Resources
+         | where type =~ 'Microsoft.Compute/virtualMachines'
+         | project _ResourceId=tolower(id), tags
+        ```  
         :::image type="content" source="media/alerts-create-new-alert-rule/alerts-logs-conditions-tab.png" alt-text="Screenshot that shows the Condition tab when creating a new log alert rule.":::
 
     1. Select **Run** to run the alert.
