I am attempting to deploy a Custom log search based alert in Azure that is looking for the omission of an event in a time period e.g. alert if this particular query returns no results in the time window.
When generating the alert manually in the portal we can see it fire. When generating the same alert via ARM templates the alert does not fire (both alerts are using the same Action Groups). Unfortunately the portal 'export ARM templates' does not show differences and suggests the same ARM (using API Version 2021-02-01-preview for both). Note: the ARM used to deploy actually uses API Version 2020-05-01-preview, as currently recommended by the Microsoft documentation.
Comparing the two does raise some questions. The manually created alert renders as 'Edit alert rule' and when configuring the condition the graph is at the top followed by search query and alert logic (Number of Results Equal to 0). The ARM created alert renders as 'Edit alert rule (preview)' and when configuring the condition the graph is at the bottom after the query, measurement (Table rows Count 1 day), split by dimensions, and alert logic (Equal to 0).
Additionally the 'final alert query' differs.
Manually created:
customEvents
| where name like 'MyCustomEvent' and timestamp >= now(-24h)
| count
ARM created:
customEvents
| where name like 'MyCustomEvent' and timestamp >= now(-24h)
| where timestamp > ago(1d)
| summarize AggregatedValue = count() by bin(timestamp, 1d)
In both cases the last line(s) are added by the tool and the first two come from our actual custom query. Executing these two queries directly results in different behaviour. The first obviously returns a count row with zero in it. The second (ARM created) returns no results at all. If there were results to be returned, the second query returns them in day groupings (due to the bin(timestamp, 1d) call).
Because of that my suspicion is that zero-based alerts in the 'new' style shown from the ARM deployed version do not actually function, because no rows are returned rather than a row with a value of 0 to match the threshold?
Should ARM deployed alerts with a zero threshold be deployed at a different API version? Are there other things to check?
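The behaviour described above can be checked directly in Log Analytics without any alert rule. The following KQL is an added example, not part of the question above and not Microsoft's documented alert query; it assumes the customEvents table and the 'MyCustomEvent' name from the question, and compares how each aggregation form behaves when the time window contains no matching rows (the case an "event did not happen" detection actually has to handle).

```kusto
// Form 1: the portal-style query. 'count' always emits exactly one row,
// so an empty window yields a single row with Count == 0 and a
// "Number of results equal to 0" style threshold can match it.
customEvents
| where name like 'MyCustomEvent' and timestamp >= now(-24h)
| count

// Form 2: the ARM-style (metric measurement) query. 'summarize ... by bin()'
// produces one row per non-empty bin only, so an empty window yields
// zero rows and there is no AggregatedValue of 0 for the threshold to see.
customEvents
| where name like 'MyCustomEvent' and timestamp >= now(-24h)
| where timestamp > ago(1d)
| summarize AggregatedValue = count() by bin(timestamp, 1d)

// Form 3: a query shape (assumed here, not taken from the question) that keeps
// the per-bin measurement but still emits a row for empty bins.
// make-series fills every step in the fixed range with the given default,
// and mv-expand turns the series back into one row per bin, so an empty
// window yields a row with AggregatedValue == 0 instead of no rows.
customEvents
| where name like 'MyCustomEvent'
| make-series AggregatedValue = count() default = 0
    on timestamp from ago(1d) to now() step 1d
| mv-expand timestamp to typeof(datetime), AggregatedValue to typeof(long)
| project timestamp, AggregatedValue
```

Running the three blocks separately against a window with no matching events shows the difference in the result grid: forms 1 and 3 return one row carrying 0, form 2 returns an empty result set. Whichever query the alert rule ends up with, the practical check is to run that exact "final alert query" over a known-empty window and confirm it returns a row, since a threshold comparison cannot fire on rows that do not exist.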