Is there an ARM template solution to create OMS alerts for Log Analytics?

Posted: 2018-12-03 08:51:53

Question:

I am trying to create an OMS workspace with alerts via an ARM template. I have already created the OMS workspace, and for the alert part I followed the following tutorial. After some struggling over why my alert would not deploy, I found the following note in the commands of that same tutorial:

"The 'actions' scheme has changed; moreover, alerts now live in Azure Monitor :) here is the link."

While trying to read the documentation and get smarter, I ended up in an endless loop of reference links:

The link given in the tutorial says: "Beginning May 14, 2018, all alerts in an Azure public cloud instance of Log Analytics workspace began to extend into Azure." After a while I found the following link. I thought I had finally found the place where the new alerts are explained, but that was for Application Insights, not Log Analytics.

My question is: can anyone help me understand how the new alert scheme works, or point me in the right direction?

Comments:

Answer 1:

I'm not an OMS expert, but this is what we have been using:


    "apiVersion": "2017-03-15-preview",
    "name": "[concat(variables('namespace'), '/', variables('savedSearches').Search[copyIndex()].Name)]",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
    "copy": 
        "name": "SavedSearchCopy",
        "count": "[length(variables('savedSearches').Search)]"
    ,
    "dependsOn": [
        "[concat('Microsoft.OperationalInsights/workspaces/', variables('namespace'))]",
        "ActionGroupCopy"
    ],
    "properties": 
        "category": "Alerts",
        "displayName": "[variables('savedSearches').Search[copyIndex()].DisplayName]",
        "query": "[variables('savedSearches').Search[copyIndex()].Query]"
    
,

    "name": "[tolower(concat(variables('namespace'), '/', variables('savedSearches').Search[copyIndex()].Name, '/',  variables('savedSearches').Search[copyIndex()].Schedule.Name))]",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/",
    "apiVersion": "2017-03-03-preview",
    "copy": 
        "name": "ScheduleCopy",
        "count": "[length(variables('savedSearches').Search)]"
    ,
    "dependsOn": [
        "SavedSearchCopy"
    ],
    "properties": 
        "interval": "5",
        "queryTimeSpan": "10",
        "enabled": true
    
,

    "name": "[tolower(concat(variables('namespace'), '/', variables('savedSearches').Search[copyIndex()].Name, '/',  variables('savedSearches').Search[copyIndex()].Schedule.Name, '/', variables('savedSearches').Search[copyIndex()].Alert.Name, '-', if(contains(variables('savedSearches').Search[copyIndex()].Alert, 'MetricsTrigger'), 'Total', 'Consecutive')))]",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches/schedules/actions",
    "copy": 
        "name": "ActionCopy",
        "count": "[length(variables('savedSearches').Search)]"
    ,
    "apiVersion": "2017-03-15-preview",
    "dependsOn": [
        "SavedSearchCopy"
    ],
    "properties": 
        "Type": "Alert",
        "Name": "[variables('savedSearches').Search[copyIndex()].Alert.Name]",
        "Description": "[variables('savedSearches').Search[copyIndex()].Alert.Description]",
        "Severity": "warning",
        "Threshold": "[variables('savedSearches').Search[copyIndex()].Alert.Threshold]",
        "Throttling": 
            "DurationInMinutes": 60
        ,
        "AzNsNotification": 
            "GroupIds": [
                "[resourceId('microsoft.insights/actionGroups', 'xxx')]"
            ]
        
    
,

    "type": "Microsoft.Insights/actionGroups",
    "apiVersion": "2018-03-01",
    "name": "[variables('actionGroups')[copyIndex()].Name]",
    "copy": 
        "name": "ActionGroupCopy",
        "count": "[length(variables('actionGroups'))]"
    ,
    "location": "Global",
    "properties": 
        "groupShortName": "[variables('actionGroups')[copyIndex()].Name]",
        "enabled": true,
        "emailReceivers": [
            
                "name": "[variables('actionGroups')[copyIndex()].EmailName]",
                "emailAddress": "[variables('actionGroups')[copyIndex()].EmailAddress]"
            
        ]
    
,

Here is an example of the saved-search variable we use to map everything:

"savedSearches": {
    "Search": [
        {
            "Name": "HighCPU",
            "DisplayName": "CPU Above 90%",
            "Query": "Perf | where CounterName == \"% Processor Time\" and InstanceName ==\"_Total\" | summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 1m)",
            "Schedule": {
                "Name": "HighCPUSchedule"
            },
            "Alert": {
                "Name": "HighCPUAlert",
                "Description": "Alert for High CPU",
                "Threshold": {
                    "Operator": "gt",
                    "Value": 90,
                    "MetricsTrigger": {
                        "Value": 2,
                        "Operator": "gt",
                        "TriggerCondition": "Consecutive"
                    }
                }
            }
        },
        ...
    ]
}
Discussion:
