
How to retrieve a “Log Search” alert rule using the Azure API

I have created a "Log Search" alert rule using the Azure Portal, and I want to retrieve its configuration so that I can automate its creation. I've done that for other alert rules without issues.

The problem is that I could not find which API to call to retrieve the rule. I would expect to find it when calling https://management.azure.com/subscriptions/{subscriptionId}/providers/microsoft.insights/scheduledQueryRules, but that returns an empty list. (I've triple-checked that the subscriptionId is correct.)

I can see the rule in the Azure Portal, and also if I list the resources from the containing resource group:

[Image: the rule as seen in the Azure Portal]

GET https://management.azure.com/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/dev-shared/resources?api-version=2018-05-01

{
  "value": [
    {
      "id": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/dev-shared/providers/Microsoft.Insights/actiongroups/Development",
      "name": "Development",
      "type": "Microsoft.Insights/actiongroups",
      "location": "global"
    },
    // This is the alert rule that I am looking for:
    {
      "id": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/dev-shared/providers/microsoft.insights/scheduledqueryrules/dev-thelistlogs|7719d32a-4617-46bf-91e8-3f6977076d52|139d8419-a218-4774-b9a5-7c513f87384d|6fa515f3-b78e-4087-9621-ed5a14e62903",
      "name": "dev-thelistlogs|7719d32a-4617-46bf-91e8-3f6977076d52|139d8419-a218-4774-b9a5-7c513f87384d|6fa515f3-b78e-4087-9621-ed5a14e62903",
      "type": "microsoft.insights/scheduledqueryrules",
      "location": "westeurope",
      "tags": {
        "hidden-link:/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/dev-shared/providers/Microsoft.OperationalInsights/workspaces/dev-thelistlogs": "Resource"
      }
    },
    {
      "id": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/dev-shared/providers/Microsoft.OperationalInsights/workspaces/dev-thelistlogs",
      "name": "dev-thelistlogs",
      "type": "Microsoft.OperationalInsights/workspaces",
      "location": "westeurope"
    }
  ]
}

I am also unable to find the rule in the Azure Resource Explorer.

I've been running in circles trying every API remotely related to alerts, log analytics, metrics, etc., all without success.

How can I retrieve the details of this rule using the Azure API?

Edit

As can be seen in my answer, I found a way to retrieve the details. Still, I'd like to know why the scheduledQueryRules list API is not returning that rule.

Edit 2

After being able to retrieve the rule details I went ahead and created a new rule similar to that one using a resource manager template. It turns out that this new rule is returned by the APIs, but the original one is still missing.

I found a way, by first listing the resources in the resource group, figuring out the name of the alert rule, then retrieving the details of that rule using GET https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.insights/scheduledQueryRules/{ruleName}:

GET https://management.azure.com/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourcegroups/dev-shared/providers/microsoft.insights/scheduledQueryRules/dev-thelistlogs|7719d32a-4617-46bf-91e8-3f6977076d52|139d8419-a218-4774-b9a5-7c513f87384d|6fa515f3-b78e-4087-9621-ed5a14e62903

{
  "id": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/dev-shared/providers/microsoft.insights/scheduledqueryrules/dev-thelistlogs|7719d32a-4617-46bf-91e8-3f6977076d52|139d8419-a218-4774-b9a5-7c513f87384d|6fa515f3-b78e-4087-9621-ed5a14e62903",
  "name": "dev-thelistlogs|7719d32a-4617-46bf-91e8-3f6977076d52|139d8419-a218-4774-b9a5-7c513f87384d|6fa515f3-b78e-4087-9621-ed5a14e62903",
  "type": "microsoft.insights/scheduledqueryrules",
  "location": "westeurope",
  "tags": {
    "hidden-link:/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/dev-shared/providers/Microsoft.OperationalInsights/workspaces/dev-thelistlogs": "Resource"
  },
  "kind": null,
  "etag": "\"dc011985-0000-0000-0000-5c8641250000\"",
  "properties": {
    "description": "temp2",
    "displayName": "temp2",
    "enabled": "true",
    "lastUpdatedTime": "2019-03-11T11:06:13.5080064Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": "<omitted>",
      "dataSourceId": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/dev-shared/providers/Microsoft.OperationalInsights/workspaces/dev-thelistlogs",
      "queryType": "ResultCount"
    },
    "schedule": {
      "frequencyInMinutes": 5,
      "timeWindowInMinutes": 5
    },
    "action": {
      "severity": "1",
      "aznsAction": {
        "actionGroup": [
          "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourcegroups/dev-shared/providers/microsoft.insights/actiongroups/development"
        ],
        "emailSubject": null,
        "customWebhookPayload": "{ \"alertname\":\"#alertrulename\", \"IncludeSearchResults\":true }"
      },
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 0
      },
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction"
    }
  }
}
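The two-step lookup described in the answer above, as an added example that is not part of the original post: it filters a resource-group listing for scheduled query rules (matching the type case-insensitively, since the listing returns it in lower case) and builds the per-rule GET URL with the `|` characters in the rule name percent-encoded. The function name, the shortened sample rule name and the `api_version` parameter are assumptions; the API version for this endpoint is not given on the page and must be supplied by the caller, and the request itself (with a bearer token) is left out so the block runs offline.

```python
import json
from urllib.parse import quote

ARM = "https://management.azure.com"
RULE_TYPE = "microsoft.insights/scheduledqueryrules"

# Constructed sample: trimmed resource-group listing in the shape shown in the
# question; the rule name is shortened but keeps the '|' separators.
SAMPLE_LISTING = json.loads("""
{
  "value": [
    {"name": "Development", "type": "Microsoft.Insights/actiongroups"},
    {"name": "dev-thelistlogs|aaaa|bbbb|cccc",
     "type": "microsoft.insights/scheduledqueryrules"},
    {"name": "dev-thelistlogs",
     "type": "Microsoft.OperationalInsights/workspaces"}
  ]
}
""")


def rule_detail_urls(listing, subscription_id, resource_group, api_version):
    """Return one GET URL per scheduled query rule found in the listing.

    api_version is caller-supplied (assumption: not stated on the page).
    """
    urls = []
    for res in listing.get("value", []):
        # Resource types are case-insensitive; the listing mixes casings.
        if res.get("type", "").lower() != RULE_TYPE:
            continue
        # Portal-created rule names contain '|', which must be sent as %7C.
        name = quote(res["name"], safe="")
        urls.append(
            f"{ARM}/subscriptions/{subscription_id}"
            f"/resourcegroups/{quote(resource_group, safe='')}"
            f"/providers/microsoft.insights/scheduledQueryRules/{name}"
            f"?api-version={api_version}"
        )
    return urls


if __name__ == "__main__":
    sub = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"  # placeholder, as on the page
    for url in rule_detail_urls(SAMPLE_LISTING, sub, "dev-shared", "API-VERSION"):
        print("GET", url)
```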
