Azure Diagnostics Stopped Event Reception Azure Diagnostics Resource Type
Query
let query_frequency = 1h;
let query_period = 3d;
let _ExpectedFrequencies =
_GetWatchlist("DataType-IngestedTables")
| where Type == "AzureDiagnostics"
| mv-expand ResourceType = split(Auxiliar, " & ") to typeof(string)
| project Type, ResourceType, Critical, ExpectedIngestionFrequency = totimespan(Frequency)
;
AzureDiagnostics
| where TimeGenerated > ago(query_period)
| summarize IngestionTime = max(ingestion_time()) by Type, ResourceType
| lookup kind=inner _ExpectedFrequencies on Type, ResourceType
| where IngestionTime between (ago(ExpectedIngestionFrequency + query_frequency) .. ago(ExpectedIngestionFrequency))
| extend
TimespanWithoutIngestion = now() - IngestionTime,
AlertSeverity = case(
Critical == "true", "High",
"Informational"
)
| project Type, ResourceType, Critical, ExpectedIngestionFrequency, TimespanWithoutIngestion, AlertSeverityExplanation
This query is designed to monitor the ingestion frequency of data into Azure Diagnostics tables and identify any potential issues with data ingestion. Here's a simplified explanation of what the query does:
-
Setup Parameters:
query_frequencyis set to 1 hour, which is used as a buffer time.query_periodis set to 3 days, which defines the time range for the data to be analyzed.
-
Retrieve Expected Frequencies:
- It fetches a watchlist named "DataType-IngestedTables" to get expected ingestion frequencies for different data types and resource types.
- It filters for entries where the type is "AzureDiagnostics" and expands any combined resource types into individual entries.
-
Analyze Ingestion Data:
- It queries the
AzureDiagnosticstable for data generated within the last 3 days. - It summarizes the latest ingestion time for each data type and resource type.
- It queries the
-
Compare with Expected Frequencies:
- It performs an inner join with the expected frequencies data to match the actual ingestion data with expected frequencies.
- It checks if the latest ingestion time falls within a specific time window, indicating whether the data is being ingested as expected.
-
Calculate and Classify:
- It calculates the time span since the last ingestion.
- It assigns an alert severity based on whether the data type is marked as critical.
-
Output:
- It projects the relevant information: data type, resource type, critical status, expected ingestion frequency, time since last ingestion, and alert severity.
In summary, this query helps identify if any Azure Diagnostics data types are not being ingested as frequently as expected and classifies the severity of the issue based on the criticality of the data type.
Details

Jose Sebastián Canós
Released: October 31, 2024
Tables
AzureDiagnostics
Keywords
AzureDiagnostics
Operators
letmv-expandsplitprojectwheresummarizemaxlookupbetweenagoextendnowcase