Is there an ARM template solution to create OMS alerts for Log analytics

I am trying to create an OMS workspace with alerts attached to it through ARM templates. I already created an OMS workspace, and for the alert part I followed the following tutorial. After some struggle over why my alert won't deploy, I saw the following note in the commands of the same tutorial.

The "Action" scheme has been changed and additionally the alerts are in the Azure Monitor :) Here is link.

When I tried to read the documentation and get any smarter I just got stuck in an endless loop of reference links:

The link provided in the tutorial said that beginning May 14, 2018, all alerts in an Azure public cloud instance of Log Analytics workspace began to extend into Azure. After some time I found the following link, where I thought I finally found how the new alert will be explained. But this is for application insights, not for log analytics.

To my question then: Is there someone who can help me out, try to find how the new Alert scheme works, or try to guide me in the right direction?

I'm not an OMS expert, but this is what we've been using:

{
    "apiVersion": "2017-03-15-preview",
    "name": "[concat(variables('namespace'), '/', variables('savedSearches').Search[copyIndex()].Name)]",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
    "copy": {
        "name": "SavedSearchCopy",
        "count": "[length(variables('savedSearches').Search)]"
    },
    "dependsOn": [
        "[concat('Microsoft.OperationalInsights/workspaces/', variables('namespace'))]",
        "ActionGroupCopy"
    ],
    "properties": {
        "category": "Alerts",
        "displayName": "[variables('savedSearches').Search[copyIndex()].DisplayName]",
        "query": "[variables('savedSearches').Search[copyIndex()].Query]"
    }
},
{
    "name": "[tolower(concat(variables('namespace'), '/', variables('savedSearches').Search[copyIndex()].Name, '/',  variables('savedSearches').Search[copyIndex()].Schedule.Name))]",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules",
    "apiVersion": "2017-03-03-preview",
    "copy": {
        "name": "ScheduleCopy",
        "count": "[length(variables('savedSearches').Search)]"
    },
    "dependsOn": [
        "SavedSearchCopy"
    ],
    "properties": {
        "interval": "5",
        "queryTimeSpan": "10",
        "enabled": true
    }
},
{
    "name": "[tolower(concat(variables('namespace'), '/', variables('savedSearches').Search[copyIndex()].Name, '/',  variables('savedSearches').Search[copyIndex()].Schedule.Name, '/', variables('savedSearches').Search[copyIndex()].Alert.Name, '-', if(contains(variables('savedSearches').Search[copyIndex()].Alert, 'MetricsTrigger'), 'Total', 'Consecutive')))]",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
    "copy": {
        "name": "ActionCopy",
        "count": "[length(variables('savedSearches').Search)]"
    },
    "apiVersion": "2017-03-15-preview",
    "dependsOn": [
        "SavedSearchCopy",
        "ScheduleCopy"
    ],
    "properties": {
        "Type": "Alert",
        "Name": "[variables('savedSearches').Search[copyIndex()].Alert.Name]",
        "Description": "[variables('savedSearches').Search[copyIndex()].Alert.Description]",
        "Severity": "warning",
        "Threshold": "[variables('savedSearches').Search[copyIndex()].Alert.Threshold]",
        "Throttling": {
            "DurationInMinutes": 60
        },
        "AzNsNotification": {
            "GroupIds": [
                "[resourceId('microsoft.insights/actionGroups', 'xxx')]"
            ]
        }
    }
},
{
    "type": "Microsoft.Insights/actionGroups",
    "apiVersion": "2018-03-01",
    "name": "[variables('actionGroups')[copyIndex()].Name]",
    "copy": {
        "name": "ActionGroupCopy",
        "count": "[length(variables('actionGroups'))]"
    },
    "location": "Global",
    "properties": {
        "groupShortName": "[variables('actionGroups')[copyIndex()].Name]",
        "enabled": true,
        "emailReceivers": [
            {
                "name": "[variables('actionGroups')[copyIndex()].EmailName]",
                "emailAddress": "[variables('actionGroups')[copyIndex()].EmailAddress]"
            }
        ]
    }
},

Here is a sample saved search variable which we use to map everything:

"savedSearches": {
    "Search": [
        {
            "Name": "HighCPU",
            "DisplayName": "CPU Above 90%",
            "Query": "Perf | where CounterName == \"% Processor Time\" and InstanceName ==\"_Total\" | summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 1m)",
            "Schedule": {
                "Name": "HighCPUSchedule"
            },
            "Alert": {
                "Name": "HighCPUAlert",
                "Description": "Alert for High CPU",
                "Threshold": {
                    "Operator": "gt",
                    "Value": 90,
                    "MetricsTrigger": {
                        "Value": 2,
                        "Operator": "gt",
                        "TriggerCondition": "Consecutive"
                    }
                }
            }
        },
        ...
    ]
}
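
An offline check of the names the three copy loops above produce for the sample variable, added here as an example and not part of the original answer. It mirrors the template's concat/tolower/if(contains(...)) expressions in Python; the workspace name and the helper function names are assumptions made for illustration.

```python
# Added example (not from the answer): expand the answer's copy loops offline.
WORKSPACE = "example-workspace"  # constructed stand-in for variables('namespace')

# Sample variable from the answer; Query omitted because it does not affect names.
SAVED_SEARCHES = {"Search": [{
    "Name": "HighCPU",
    "Schedule": {"Name": "HighCPUSchedule"},
    "Alert": {
        "Name": "HighCPUAlert",
        "Description": "Alert for High CPU",
        "Threshold": {"Operator": "gt", "Value": 90,
                      "MetricsTrigger": {"Value": 2, "Operator": "gt",
                                         "TriggerCondition": "Consecutive"}},
    },
}]}

BASE = "Microsoft.OperationalInsights/workspaces/savedSearches"


def arm_contains_key(obj, key):
    """ARM contains() on an object: top-level keys only, case-insensitive."""
    return key.lower() in (k.lower() for k in obj)


def expand(workspace, saved_searches):
    """Return the (type, name) pairs the three copy loops would produce."""
    out = []
    for s in saved_searches["Search"]:
        alert = s["Alert"]
        suffix = "Total" if arm_contains_key(alert, "MetricsTrigger") else "Consecutive"
        search = f"{workspace}/{s['Name']}"  # the template applies no tolower() here
        schedule = f"{search}/{s['Schedule']['Name']}".lower()
        action = f"{schedule}/{alert['Name']}-{suffix}".lower()
        out += [(BASE, search), (BASE + "/schedules", schedule),
                (BASE + "/schedules/actions", action)]
    return out


def segment_errors(resources):
    """ARM rule: as many name segments as type segments after the namespace."""
    errors = []
    for rtype, name in resources:
        type_segs, name_segs = rtype.split("/")[1:], name.split("/")
        if len(type_segs) != len(name_segs) or "" in type_segs + name_segs:
            errors.append((rtype, name))
    return errors
```

For the sample variable the action name ends in "-consecutive": MetricsTrigger sits under Threshold, so contains() on the Alert object does not find it and the 'Total' branch is not taken.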
