0

I have a DataFactory with diagnostic setting activate and sending logs to a Log Analytics Workspace.

I want to create an alert that fires only once if an event trigger hasn't run after 9AM.

I think some query like this:

let StartTime =startofday(now());
let EndTime =now();
let CheckHour = 9;
ADFTriggerRun
| where ResourceId contains toupper("DataFactory_Name")
| where TriggerName == "Trigger_Name"
| where TimeGenerated > StartTime and TimeGenerated < EndTime
| extend Hour = datetime_part("hour", TimeGenerated)
| where Hour < CheckHour

But I see some problems if I set the following settings to the alert:

  • Number of results less than 0
  • Period = 30 minutes
  • Frequency = 30 minutes

(If the trigger runs correctly) The alert will fire 18 times before 9AM.

(If the trigger doesn't run) The alert will fire 48 times in a day.

Is there some query to avoid this? Maybe with some if condition?

Ed_Ru
  • 92
  • 9

1 Answers1

0

There is no such solution to directly solve this issue.

I suggest you can set up 2 alerts:

Alert 1: To send alert if the trigger doesn't run all the day. You can use your query in your question, just set Period = 1440 minutes, Frequency = 1440 minutes, Number of results less than 0. Then it will only send one alert email if the trigger doesn't run at all.

Alert 2: Use the query below by adding iff() function:

let StartTime =startofday(now());
let EndTime =now();
let CheckHour = 9;
ADFTriggerRun
| where ResourceId contains toupper("DataFactory_Name")
| where TriggerName == "trigger1"
| where TimeGenerated > StartTime and TimeGenerated < EndTime
| extend Hour = datetime_part("hour", TimeGenerated)
| extend isFailed = iff(Hour < CheckHour, "Success","Failed")
| where isFailed == "Failed"

Then set Period = 30 minutes, Frequency = 30 minutes, Number of results Equal to 1. By using this query / setting, you at most receive 2 email alerts if the triggers runs after 9AM(For example, if the trigger runs at 10:07AM, and the alert scans at 10:20AM / 10:50AM, only at these 2 times, it will send alerts; if the trigger runs before 9AM, no alerts will be sent).

Ivan Glasenberg
  • 29,865
  • 2
  • 44
  • 60
  • Thanks @ivan-yang I'll try Alert 2. I don't like Alert 1 because I have to create the alert at 9AM to see the alert fired at 9AM. If for example I modify the severity of the alert at 11AM I'll recive the alert at 11AM – Ed_Ru Mar 23 '21 at 10:18
  • Hi @ivan-yang I studied your solution Alert 2, but it won't alert me if the trigger doesn't run, for example if the file that runs the trigger doesn't arrive one day. – Ed_Ru Mar 23 '21 at 16:35
  • @Ed_Ru, I already mentioned it in the answer. You have to set up both of the 2 alerts. Alert 2 does not work if the trigger does not run one day, so you need to create another alert like alert 1 to do that thing. Otherwise, there're no other ways simple for your purpose. – Ivan Glasenberg Mar 24 '21 at 01:03
  • @Ed_Ru set up 2 alerts should be the only way to do that as far as I know. If the answer is helpful, could you please accept it as answer? Thanks. – Ivan Glasenberg Mar 25 '21 at 01:09