Private Preview – Dynamic Log Alerts! – Donnie's Azure, Automation, Monitoring, and Management Blog

Let’s face it—manually setting alert thresholds in Azure Monitor can feel like trying to hit a moving target while blindfolded. Just when you think you’ve nailed the perfect threshold, your application’s behavior decides to take a detour, leaving you drowning in false positives or, worse, missing critical alerts. Azure Monitor’s dynamic thresholds for log search alerts are here to save the day!

Why Dynamic Thresholds Are a Game-Changer

Dynamic thresholds in Azure Monitor analyze historical data to establish expected performance patterns, automatically adjusting alert thresholds as your application’s behavior changes.

Automatic Calibration – Say goodbye to manual tuning. Dynamic thresholds adjust themselves based on your system’s historical data
Intelligent Learning – By understanding patterns and trends—be it daily spikes or weekly lulls—dynamic thresholds adapt to your application’s changing situations.
Scalable Alerts – Dynamic thresholds allow for a single alert rule to handle multiple dimensions, defining specific alert bands for each combination.

It’s still in Private Preview (boo!), but it won’t be long before we get our hands on it in public preview!

So what does it look like? Here is a sample ARM template that sets a dynamic threshold on CPU percentage – notice the new criterionType of DynamicThresholdCriterion.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "scheduledqueryrules_PerfDemoRule_name": {
      "defaultValue": "PerfDemoRule",
      "type": "String"
    },
    "workspaces_PerfDemoWorkspace_externalid": {
      "defaultValue": "/subscriptions/XXXX-XXXX-XXXX-XXXX/resourceGroups/XXXX/providers/Microsoft.OperationalInsights/workspaces/PerfDemoWorkspace",
      "type": "String"
    }
  },
  "resources": [
    {
      "type": "microsoft.insights/scheduledqueryrules",
      "apiVersion": "2024-01-01-preview",
      "name": "[parameters('scheduledqueryrules_PerfDemoRule_name')]",
      "location": "eastus2",
      "properties": {
        "displayName": "[parameters('scheduledqueryrules_PerfDemoRule_name')]",
        "severity": 3,
        "enabled": true,
        "evaluationFrequency": "PT5M",
        "scopes": [
          "[parameters('workspaces_PerfDemoWorkspace_externalid')]"
        ],
        "targetResourceTypes": [
          "Microsoft.Compute/virtualMachines"
        ],
        "criteria": {
          "allOf": [
            {
              "criterionType": "DynamicThresholdCriterion",
              "metricName": "Percentage CPU",
              "timeAggregation": "Average",
              "dimensions": [
                {
                  "name": "Computer",
                  "operator": "Include",
                  "values": [ "*" ]
                }
              ],
              "alertSensitivity": "Medium"
            }
          ]
        }
      }
    }
  ]
}