articles/azure-monitor/platform/alerts-action-rules.md
+66-5
@@ -23,7 +23,7 @@ Action rules allow you to define actions (or the suppression of actions) at any
23
23
24
24
Action rules work by decoupling the triggering of actions and notifications from the underlying alert rule, thereby allowing for flexibility and control over how the actions are actually triggered for your alert instances at scale.
25
25
26
-
## How do you configure an action rule?
26
+
## Configuring an action rule
27
27
28
28
You can access the feature by selecting ‘Manage actions’ from the landing page for Alerts in Azure Monitor, and subsequently selecting ‘Action Rules (Preview)’. Else, you can go directly to the feature by selection the ‘Action Rules (preview)’ that’s present on the dashboard of the landing page for Alerts.
29
29
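Review bot: Renaming the heading from '## How do you configure an action rule?' to '## Configuring an action rule' changes the anchor derived from the heading text, so links from other articles to the old fragment will stop resolving; check for inbound links before merging. While this area is open, the unchanged line right below the heading reads 'by selection the' (should be 'by selecting the') and mixes 'Action Rules (Preview)' with 'Action Rules (preview)'; both are worth fixing in the same change.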
@@ -33,6 +33,10 @@ Select ‘+ New Action Rule’ to create a new action rule.
33
33
34
34

35
35
36
+
Alternatively, you can also choose to create an action rule while configuring an alert rule.
37
+
38
+

39
+
36
40
You should now see the action rule creation flow open, and the following elements have to be configured.
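Review bot: The added sentence 'Alternatively, you can also choose to create an action rule while configuring an alert rule.' does not say where in the alert rule flow the option appears, so a reader cannot act on it; name the section or control to select, and drop 'also', which is redundant after 'Alternatively'. The added lines that follow the sentence show no content in this view; if one of them is meant to carry a screenshot, confirm the image reference and its alt text are present.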
@@ -111,10 +115,7 @@ Lastly, configure the following details for the action rule
111
115
* Alert Context (payload) contains 'Computer-01'
112
116
* Suppression set to 'From now (Always)'
113
117
114
-
> [!Note]
115
-
> Log alerts created with the ['number of results'](https://docs.microsoft.com/azure-monitor/platform/alerts-unified-log) option generate **a single alert instance** with the entirety of the search results (which could be across multiple computers for example). In this scenario, if an action rule uses the 'Alert Context (payload)' filter, it will act on the alert instance as long as there is a match. In scenario 2 as described above, if the search results for the log alert generated contains both 'Computer-01' and 'Computer-02', the entire notification is suppressed (there is no notification generated for 'Computer-02' at all). To best leverage log alerts with action rules, it is advised to create log alerts with the ['metric measurement'](https://docs.microsoft.com/azure-monitor/platform/alerts-unified-log) option. In this scenario, separate alert instances are generated based on the Group Field defined. In scenario 2 as described above, if the log alert is created with the metric measurement option, separate alert instances are generated for 'Computer-01' and 'Computer-02'. With the action rule described in the scenario, only the notification for 'Computer-01' would be suppressed while the notification for 'Computer-02' will continue to fire as normal.
116
-
117
-
**Scenario 3:** Contoso has defined [a metric alert at a subscription level](https://docs.microsoft.comazure/azure-monitor/platform/alerts-metric-overview#monitoring-at-scale-using-metric-alerts-in-azure-monitor), but wants to define the actions that trigger for alerts separately for their resource group 'ContosoRG'.
118
+
**Scenario 3:** Contoso has defined [a metric alert on a subscription](https://docs.microsoft.comazure/azure-monitor/platform/alerts-metric-overview#monitoring-at-scale-using-metric-alerts-in-azure-monitor), but wants to define the actions that trigger for alerts separately for their resource group 'ContosoRG'.
118
119
119
120
**Solution:** Create an action rule with
120
121
* Scope = 'ContosoRG'
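Review bot: The rewritten Scenario 3 line still carries the malformed link target 'https://docs.microsoft.comazure/azure-monitor/platform/alerts-metric-overview#monitoring-at-scale-using-metric-alerts-in-azure-monitor': the host runs straight into the path ('microsoft.comazure'), so the link cannot resolve. Since this line is being changed anyway, correct the URL to 'https://docs.microsoft.com/azure/azure-monitor/...' in the same edit rather than copying the defect from the removed line.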
@@ -128,3 +129,63 @@ You can view and manage your action rules from the list view as shown below.
128
129

129
130
130
131
From here, you can enable/disable/delete action rules at scale by selecting the checkbox next to them. Clicking on any action rule opens up its configuration page, allowing you to update its definition and enable/disable it.
132
+
133
+
## Best practices
134
+
135
+
Log alerts created with the ['number of results'](https://docs.microsoft.com/azure-monitor/platform/alerts-unified-log) option generate **a single alert instance** with the entirety of the search results (which could be across multiple computers for example). In this scenario, if an action rule uses the 'Alert Context (payload)' filter, it will act on the alert instance as long as there is a match. In scenario 2 as described above, if the search results for the log alert generated contains both 'Computer-01' and 'Computer-02', the entire notification is suppressed (there is no notification generated for 'Computer-02' at all).
136
+
137
+

138
+
139
+
To best leverage log alerts with action rules, it is advised to create log alerts with the ['metric measurement'](https://docs.microsoft.com/azure-monitor/platform/alerts-unified-log) option. In this scenario, separate alert instances are generated based on the Group Field defined. In scenario 2 as described above, if the log alert is created with the metric measurement option, separate alert instances are generated for 'Computer-01' and 'Computer-02'. With the action rule described in the scenario, only the notification for 'Computer-01' would be suppressed while the notification for 'Computer-02' will continue to fire as normal.
140
+
141
+

142
+
143
+
## FAQ
144
+
145
+
* Q. While configuring an action rule, I would like to see all the possible overlapping action rules so that I avoid duplicate notifications. Is it possible to do so?
146
+
147
+
A. Once you define a scope while configuring an action rule, you can see a list of action rules which overlap on the same scope (if any). This overlap could either be one of the following:
148
+
* An exact match: For example, the action rule you are defining and the overlapping action rule are on the same subscription.
149
+
* A subset: For example, the action rule you are defining is on a subscription, and the overlapping action rule is on a resource group within the subscription.
150
+
* A superset: For example, the action rule you are defining is on a resource group, and the overlapping action rule is on the subscription that contains the resource group.
151
+
* An intersection: For example, the action rule you are defining is on 'VM1' and 'VM2', and the overlapping action rule is on 'VM2' and 'VM3'.
* Q. While configuring an alert rule, is it possible to know if there are already action rules defined that might act on the alert rule I am defining?
156
+
157
+
A. Once you define the target resource for your alert rule, you can see the list of action rules which act on the same scope (if any) by clicking on 'View configured actions' under the 'Actions' section. This list is populated based on following scenarios for the scope:
158
+
* An exact match: For example, the alert rule you are defining and the action rule are on the same subscription.
159
+
* A subset: For example, the alert rule you are defining is on a subscription, and the action rule is on a resource group within the subscription.
160
+
* A superset: For example, the alert rule you are defining is on a resource group, and the action rule is on the subscription that contains the resource group.
161
+
* An intersection: For example, the alert rule you are defining is on 'VM1' and 'VM2', and the action rule is on 'VM2' and 'VM3'.
* Q. Can I see the alerts that have been suppressed by an action rule?
168
+
169
+
A. In the [alerts list page](https://docs.microsoft.com/azure/azure-monitor/platform/alerts-managing-alert-instances), there is an additional column that can be chosen called 'Suppression Status'. If the notification for an alert instance was suppressed, it would show so in the list.
* Q. If there's an action rule with an action group and another with suppression active on the same scope, what happens?
174
+
175
+
A. **Suppression always takes precedence on the same scope**.
176
+
177
+
* Q. If I have an action rule 'AR1' defined for 'VM1' and 'VM2' with action group 'AG1' and action rule 'AR2' defined for 'VM2' and 'VM3' with action group 'AG1', what happens?
178
+
179
+
A. For every alert on 'VM1' and 'VM3', action group 'AG1' would be triggered once. For every alert on 'VM2', action group 'AG1' would be triggered twice (**action rules do not de-duplicate actions**).
180
+
181
+
* Q. If I have an action rule 'AR1' defined for 'VM1' and 'VM2' with action group 'AG1' and action rule 'AR2' defined for 'VM2' and 'VM3' with suppression, what happens?
182
+
183
+
A. For every alert on 'VM1', action group 'AG1' would be triggered once. Actions and notifications for every alert on 'VM2' and 'VM3' will be suppressed.
184
+
185
+
* Q. If I have an action rule 'AR1' defined for 'VM1' with action group 'AG1', and alert rule 'rule1' on 'VM1' with action group 'AG2', what happens?
186
+
187
+
A. For every alert on 'VM1', action group 'AG1' would be triggered once. Whenever alert rule 'rule1' is triggered, it will also trigger 'AG2' additionally. (**action groups defined within action rules and alert rules operate independently, with no de-duplication**)
188
+
189
+
## Next steps
190
+
191
+
-[Learn more about alerts in Azure](https://docs.microsoft.com/azure/azure-monitor/platform/alerts-overview)
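Review bot: Both links in the new 'Best practices' section point to 'https://docs.microsoft.com/azure-monitor/platform/alerts-unified-log', which lacks the '/azure/' path segment used by the other links added in this hunk ('.../azure/azure-monitor/platform/alerts-managing-alert-instances', '.../azure/azure-monitor/platform/alerts-overview'); the text was moved from the removed note without fixing the target. Also in this hunk: the 'Next steps' entry is written as '-[Learn more about alerts in Azure](...)' with no space after the hyphen, so it will not render as a list item, and the last FAQ answer says 'it will also trigger 'AG2' additionally', where one of 'also' or 'additionally' should go.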