
Custom condition for Azure Monitor rule doesn't show expected data

I am trying to set up a new custom condition for an Azure Monitor alert rule, but when I enter my KQL query it doesn't show the expected data. When I run the same query in Logs it outputs 9 rows that fulfil my condition, but for some reason no data is shown in Monitor Alerts.

I can see that the problem is in the last condition, | where Anomaly has "1", as I get data when I delete this condition - but I need to have it included in the query (or at least a similar version of it). Any suggestions? (I have also tried contains and == but it gives the same problem.)

ADFPipelineRun 
| where TimeGenerated >= ago(30d)
| where PipelineName startswith "Dataflow"
| extend customerName = extractjson("$.customerName", Parameters, typeof(string))
| extend customerBranchName = extractjson("$.customerBranchName", Parameters, typeof(string))
| extend databaseName = extractjson("$.databaseName", Parameters, typeof(string))
| join (ADFActivityRun
        | where ActivityType == "Copy" and Status == "Succeeded"
        | extend RowsCopied = extractjson("$.rowsCopied", Output, typeof(int)))
    on CorrelationId
| summarize AggregatedValue=any(RowsCopied) by customerName, customerBranchName, databaseName, PipelineName, bin(TimeGenerated,1d)
| order by TimeGenerated
| summarize EventCount=make_list(AggregatedValue),TimeGenerated=make_list(TimeGenerated) by customerName, customerBranchName, databaseName, PipelineName
| extend (anomalies, score, baseline)=series_decompose_anomalies(EventCount, 5, 0, "avg")
| extend Anomaly = array_slice(anomalies,0,0)
| where Anomaly has "1"

Thanks for any good ideas and help :)

The most general answer: start by working backwards and validate your assumptions.

Remove the final | where... line and see what the query returns. Does it have 1s?

has, has_any and contains all have subtly different semantics, so you may need to use one or the other, or something else.

If your result doesn't have 1s, then work back one more line: does your array_slice call return the items you think it does?

If you just want the 0th item, why even use slice? Why not just use Anomaly=anomalies[0]?

Without having your exact data set, there's no way for us to reproduce the query/results exactly.
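The "work backwards" approach from the answer above, as an added example that is not part of the original question or answers. It is the question's query with the last two lines replaced: the anomaly flag is read by direct array index and compared as an integer, because series_decompose_anomalies() returns -1, 0 or 1 per point and a string search over a dynamic array is not what the filter needs. Two assumptions beyond the original: the order by is made explicitly asc (KQL's order by is descending by default, so the original collected each series newest-first), and the commented-out summarize is the validation step to run in Logs before wiring the query into an alert. Table and column names are the ones used in the question; the evaluation-window caveat from the accepted answer still applies to the alert rule itself.

```kql
// Added example, not code from the original post. Same source tables and
// extracted parameters as the question; only the tail of the query changes.
ADFPipelineRun
| where TimeGenerated >= ago(30d)
| where PipelineName startswith "Dataflow"
| extend customerName = extractjson("$.customerName", Parameters, typeof(string))
| extend customerBranchName = extractjson("$.customerBranchName", Parameters, typeof(string))
| extend databaseName = extractjson("$.databaseName", Parameters, typeof(string))
| join (ADFActivityRun
        | where ActivityType == "Copy" and Status == "Succeeded"
        | extend RowsCopied = extractjson("$.rowsCopied", Output, typeof(int)))
    on CorrelationId
| summarize AggregatedValue=any(RowsCopied) by customerName, customerBranchName, databaseName, PipelineName, bin(TimeGenerated,1d)
// Assumption: sort ascending so make_list() collects each daily series oldest-first,
// which is the order series_decompose_anomalies() expects.
| order by TimeGenerated asc
| summarize EventCount=make_list(AggregatedValue), TimeGenerated=make_list(TimeGenerated) by customerName, customerBranchName, databaseName, PipelineName
| extend (anomalies, score, baseline)=series_decompose_anomalies(EventCount, 5, 0, "avg")
// Index the dynamic array directly instead of slicing it:
// [0] is the oldest daily bin, [-1] the most recent one. Cast to int so the
// comparison below is numeric (-1, 0 or 1), not a term search over "[1]".
| extend FirstAnomaly = toint(anomalies[0]), LatestAnomaly = toint(anomalies[-1])
// Validation step (assumption, run in Logs): comment out the final where and
// run this summarize instead to see how many series actually carry a 1.
// | summarize count() by LatestAnomaly
| where LatestAnomaly == 1
```

Choose FirstAnomaly or LatestAnomaly depending on which day the alert should react to; the original array_slice(anomalies,0,0) picked position 0, which after an ascending sort is the oldest bin, not the newest.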

The problem, in the end, was in the Azure Monitor Alert function. The custom alert has a predefined time range over which it evaluates the query, and it cannot be manually extended.

In the predefined period given by Azure, there were no records found (it was too short to evaluate whether anomalies occur).

I solved it by creating a Power BI report that uses the M query above, and I used an alert function offered by the Power BI service.
