Skip to content

Scheduled Query Rules (to allow log limit alerts) #1243

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Ryan-Palmer wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Scheduled Query Rules (to allow log limit alerts) #1243

Ryan-Palmer wants to merge 3 commits into from
+301 −1

Conversation

@Ryan-Palmer
Copy link
Contributor

@Ryan-Palmer Ryan-Palmer commented Jan 19, 2026

This PR closes #1168

The changes in this PR are as follows:

  • Added ScheduledQueryRule resource

I have read the contributing guidelines and have completed the following:

  • Tested my code end-to-end against a live Azure subscription.
  • Updated the documentation in the docs folder for the affected changes.
  • Written unit tests against the modified code that I have made.
  • Updated the release notes with a new entry for this PR.
  • Checked the coding standards outlined in the contributions guide and ensured my code adheres to them.

If I haven't completed any of the tasks above, I include the reasons why here:

Once I get a thumbs up for the PR then I'll add the tests and docs.

Below is a minimal example configuration that includes the new features, which can be used to deploy to Azure:

open Farmer
open Farmer.Builders
open Farmer.Arm

let loggingName = "logging-workspace"

let logging = logAnalytics {
    name loggingName
}

let adminAlertAction = actionGroup {
  name "admin-alert"
  short_name "admin-alert"
  enabled true
  add_email_receivers [
  ]
  add_sms_receivers [
  ]
}

let scheduledQuery = scheduledQueryRule {
    name "Daily log data limit reached"
    description "Notify admins if log data limit reached"
    severity SeverityLevel.Two
    depends_on [
        (logging :> IBuilder).ResourceId
        (adminAlertAction :> IBuilder).ResourceId
    ]
    enabled true
    scopes [
        (logging :> IBuilder).ResourceId
    ]
    evaluation_frequency "PT5M"
    window_size "PT5M"
    criteria [
        {
            Query = @"_LogOperation | where Category =~ 'Ingestion' | where Detail contains 'OverQuota'"
            MetricMeasureColumn = None
            ResourceIdColumn = Some "_ResourceId"
            Dimensions = None
            Operator = Some ConditionOperator.GreaterThan
            Threshold = Some 0
            TimeAggregation = Some TimeAggregation.Count
            FailingPeriods = Some {
                MinFailingPeriodsToAlert = 1
                NumberOfEvaluationPeriods = 1
            }
        }
    ]
    auto_mitigate false
    check_workspace_alerts_storage_configured false
    actions {
        ActionGroups = [
            adminAlertAction.ActionGroupId
        ]
    }
}

let deployment = arm {
    location Location.UKSouth
    add_resource logging
    add_resource adminAlertAction
    add_resource scheduledQuery
}

deployment
|> Deploy.execute "test-scheduled-alert" Deploy.NoParameters
|> printfn "%A"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support Log Search Alerts

1 participant

@Ryan-Palmer