Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,457 questions
How to create an alerte over a long period of time in Azure
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 87%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQL%3C/text%3E%3C/svg%3E)
Quentin Levasseur
0
Reputation points
I am trying to create an alert that triggers if a backup process has not happen over the last 3 days (backup period). I have sett my service to create a custom event when the backup starts and created a query that looks for this event in the last 3 days. when i run it manually it works flawlessly but when the alert runs it, the Time range defined by the query get overridden and the alert has false triggers continuously. Any idea how i could make it work ?
Here is my query:
customEvents
| where name == "MyEventName"
| where timestamp >= ago(3d)
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 20%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Pranay Reddy Madireddy 1,690 Reputation points Microsoft Vendor2025-02-03T19:24:27.9866667+00:00 Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
Ensure your query checks if no events occurred in the last 3 days by counting the events. Use this count to trigger the alert.
customEvents | where name == "MyEventName" | where timestamp >= ago(3d) | summarize EventCount = count() | where EventCount == 0In this query, if no events have occurred in the last 3 days, the EventCount will be 0, which should be the condition for triggering the alert.
Azure Monitor might change the time frame from your query based on the alert rule settings. So, ensure the alert rule's evaluation period matches the time frame in your query.
Since you want the alert to trigger when there are no events, make sure the alert is set to trigger when the event count is less than 1 during the evaluation period.
After setting up the alert, test it by making sure no backup event happens for 3 days to check if the alert triggers. Also, ensure the alert doesn’t trigger when a backup event occurs.
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-types
https://learn.microsoft.com/en-us/kusto/query/?view=azure-data-explorer&preserve-view=true
https://learn.microsoft.com/en-us/kusto/query/?view=azure-data-explorer&preserve-view=trueIf you have any further queries, do let us know.
If the answer is helpful, please and "Upvote it".
-
Quentin Levasseur 0 Reputation points
2025-02-03T20:18:30.91+00:00 Hi @Pranay Reddy Madireddy ,
I found this in the documentation earlier which seems to indicate that any custom Time range will be overridden to 48h if using ago(). Will this apply ?https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-log-alert-rule (step 11)
-
Pranay Reddy Madireddy 1,690 Reputation points Microsoft Vendor
2025-02-03T20:40:05.14+00:00 Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
Yes, the alert time range is limited to a maximum of two days. Because if the query contains an ago command it changes the automatically to two days.
If you have any further queries, do let us know.
If the answer is helpful, please and "Upvote it".
-
Quentin Levasseur 0 Reputation points
2025-02-03T20:47:43.5166667+00:00 @Pranay Reddy Madireddy How can i use your solution then ? It contains an ago() of 3 days. How will that work if it's overridden to 48h. Am I missing something ?
-
Pranay Reddy Madireddy 1,690 Reputation points Microsoft Vendor
2025-02-03T21:44:15.15+00:00 Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
The term you are referring to concerns the evolution period, which indicates how frequently the alert rule checks if the condition is met. This means the alert will trigger initially and then be ready for evaluation, like a periodic cycle.
Typically, the evolution period can be set from 1 minute onwards.
However, if we use the Ago command in the query, it will check for a maximum of 2 days for the evolution time. Beyond 2 days, the evolution cannot occur.
Therefore, this is about the evolution period, not the alert trigger time.
If you have any further queries, do let us know.
If the answer is helpful, please and "Upvote it".
-
Quentin Levasseur 0 Reputation points
2025-02-04T13:12:10.4833333+00:00 @Pranay Reddy Madireddy
You sayAzure Monitor might change the time frame from your query based on the alert rule settings. So, ensure the alert rule's evaluation period matches the time frame in your query.and thatHowever, if we use the Ago command in the query, it will check for a maximum of 2 days for the evolution time. Beyond 2 days, the evolution cannot occur.but the query you gave me contains anago()and has a range of3 daysso it won't be able to work -
Pranay Reddy Madireddy 1,690 Reputation points Microsoft Vendor
2025-02-05T21:59:26.1666667+00:00 Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
I apologize for any confusion. You're right that using ago(3d) in a query for an alert rule is causing problems because the alert rule only evaluates for the past 48 hours. This mismatch is likely what's causing the issues.
Since the alert evaluation period is capped at 48 hours, you'll need to modify the logic to fit within this limit. For example, you can set the alert to evaluate every 24 hours and adjust the query to check for events in the past 2 days.
You can modify the query to look for events within the past 2 days (48 hours) and ensure that the alert condition is triggered if no events are found during this period. This will align with the evaluation period constraints.
customEvents
| where name == "MyEventName"
| where timestamp >= ago(2d)
| summarize EventCount = count()
| where EventCount == 0
If you need to track the lack of events over 3 days, you can use an Azure Logic App or Azure Function. These can be set to run daily and check for events during the 3-day period, regardless of the alert rule’s timing.
You can use Azure Monitor along with other tools or scripts to check for the 3-day condition and trigger an alert or notification. By modifying the query and incorporating additional Azure services if needed, you can set up the desired monitoring without being limited by the alert rule's evaluation period.
If you have any further queries, do let us know.
If the answer is helpful, please and "Upvote it".
-
Pranay Reddy Madireddy 1,690 Reputation points Microsoft Vendor
2025-02-07T02:08:53.98+00:00 Hi Quentin Levasseur
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" and ''accept answer'' on my post let us know Thank you...! -
Pranay Reddy Madireddy 1,690 Reputation points Microsoft Vendor
2025-02-07T21:49:02.4266667+00:00 Hi Quentin Levasseur
We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.
Sign in to comment
Sign in to answer