Query Details
let query_frequency = 1h;
let query_period = 3d;
let _ExpectedFrequencies =
_GetWatchlist('DataType-IngestedTables')
| where Type == "AzureDiagnostics"
| mv-expand ResourceType = split(Auxiliar, " & ") to typeof(string)
| project Type, ResourceType, Critical, ExpectedIngestionFrequency = totimespan(Frequency)
;
AzureDiagnostics
| where TimeGenerated > ago(query_period)
| summarize IngestionTime = max(ingestion_time()) by Type, ResourceType
| lookup kind=inner _ExpectedFrequencies on Type, ResourceType
| where IngestionTime between (ago(ExpectedIngestionFrequency + query_frequency) .. ago(ExpectedIngestionFrequency))
| extend
    TimespanWithoutIngestion = now() - IngestionTime,
    AlertSeverity = case(
        Critical == "true", "High",
        "Informational"
    )
| project Type, ResourceType, Critical, ExpectedIngestionFrequency, TimespanWithoutIngestion, AlertSeverity
This query monitors the ingestion time of AzureDiagnostics data and generates an alert when a resource type has gone longer than its expected frequency without new data being ingested.
The query first retrieves the expected ingestion frequencies for AzureDiagnostics data from the DataType-IngestedTables watchlist, expanding the " & "-separated Auxiliar field into one row per ResourceType and converting Frequency into a timespan. It then restricts the AzureDiagnostics data to the query period (the last 3 days).
Next, it takes the most recent ingestion_time() for each Type and ResourceType combination and performs an inner lookup against the expected frequencies, so only combinations listed in the watchlist remain.
After that, it keeps only the rows whose last ingestion time falls between (ExpectedIngestionFrequency + query_frequency) ago and ExpectedIngestionFrequency ago, that is, combinations that became overdue during the last hour. A combination whose last ingestion is older than that window is outside the range and is not reported again on later runs.
Finally, it calculates the timespan without ingestion and assigns an alert severity based on the Critical field ("High" when Critical is "true", otherwise "Informational"). The query returns the Type, ResourceType, Critical, ExpectedIngestionFrequency, TimespanWithoutIngestion, and AlertSeverity fields.
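The following Python model of the query's logic is an added example, not part of the original query or the author's code; it assumes a watchlist shape (Type, Auxiliar, Critical, Frequency) and constructs a few ingestion timestamps to show why the `between` window reports a stale resource type only once, and why a resource type that has been silent for longer than query_period drops out of the inner lookup entirely.

```python
from datetime import datetime, timedelta
# Constructed watchlist rows, assumed to mirror the 'DataType-IngestedTables'
# shape the query reads (Type, Auxiliar, Critical, Frequency).
WATCHLIST = [
    {"Type": "AzureDiagnostics", "Auxiliar": "VAULTS & FIREWALLS",
     "Critical": "true", "Frequency": "1h"},
    {"Type": "AzureDiagnostics", "Auxiliar": "WORKSPACES",
     "Critical": "false", "Frequency": "1d"},
]
UNITS = {"m": "minutes", "h": "hours", "d": "days"}

def totimespan(text):
    """Minimal stand-in for KQL totimespan(): '90m', '1h', '3d'."""
    return timedelta(**{UNITS[text[-1]]: int(text[:-1])})

def expected_frequencies(watchlist):
    """mv-expand Auxiliar on ' & ': one (Type, ResourceType) key per resource."""
    rows = {}
    for w in watchlist:
        for resource_type in w["Auxiliar"].split(" & "):
            rows[(w["Type"], resource_type)] = (w["Critical"], totimespan(w["Frequency"]))
    return rows

def stale_tables(now, last_ingestion, watchlist, query_frequency=timedelta(hours=1)):
    """Alert rows the query emits at `now`; last_ingestion maps (Type, ResourceType)
    to max(ingestion_time()) within query_period (absent keys drop out, as in lookup)."""
    alerts = []
    for key, (critical, expected) in expected_frequencies(watchlist).items():
        if key not in last_ingestion:
            continue  # silent longer than query_period: no row, so no alert
        ingested = last_ingestion[key]
        lower, upper = now - (expected + query_frequency), now - expected
        # Fire only when the deadline was crossed during the last query_frequency
        # window, so each outage alerts once rather than on every hourly run.
        if lower <= ingested <= upper:
            alerts.append({
                "Type": key[0], "ResourceType": key[1], "Critical": critical,
                "ExpectedIngestionFrequency": expected,
                "TimespanWithoutIngestion": now - ingested,
                "AlertSeverity": "High" if critical == "true" else "Informational",
            })
    return alerts
def demo():
    """Constructed run: one freshly overdue, one long-stale, one healthy table."""
    now = datetime(2022, 10, 3, 12, 0)
    seen = {("AzureDiagnostics", "VAULTS"): now - timedelta(minutes=90),
            ("AzureDiagnostics", "FIREWALLS"): now - timedelta(hours=3),
            ("AzureDiagnostics", "WORKSPACES"): now - timedelta(hours=12)}
    return stale_tables(now, seen, WATCHLIST)
```

Running `demo()` yields a single High alert for VAULTS (overdue by 30 minutes); FIREWALLS, overdue for two hours, is outside the window and would have alerted on a previous run, and WORKSPACES is still within its one-day frequency.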

Jose Sebastián Canós
Released: October 3, 2022