Log Search Alert Rule Not Firing

Shivansh Agarwal 45 Reputation points
2025-11-21T10:32:29.3433333+00:00

I have an alert setup to fire when these conditions are satisfied-

call for a resource is received in last 4 days but not received in last 2 days.

query:

// Resources that sent at least one event in the last 2 days
let resourcesReceivedInLast2Days = customEvents
    | where timestamp > ago(2d)
    | distinct resourceId;
// Resources seen in the last 4 days but absent from the 2-day set
customEvents
| where timestamp > ago(4d)
| where resourceId !in (resourcesReceivedInLast2Days)
| distinct resourceId
| extend error = "Call not received for resource "
| project resourceId, error

My query gives results when I run it while editing the alert rule.

Other config:

signal name = custom log search
query type = aggregate
measure = table rows
aggregation type = count
aggregation granularity = 2 days
operator = greater than or equal to
threshold = 1
frequency of evaluation = 1d
In advanced options:
number of violations = 1
evaluation period = 2d
override query time range = 2d

The alert is triggered when I set the threshold to 0. My hunch is that I am evaluating the query based on the last 4 days, but Azure Monitor provides a maximum query time range of 2 days.

If this is a limitation of Azure, then please suggest a workaround.


Answer accepted by question author
  1. Suchitra Suregaunkar 3,545 Reputation points Microsoft External Staff Moderator
    2025-11-24T11:57:38.4+00:00

    Hello Shivansh Agarwal

    Thank you for posting your query on Microsoft Q&A platform.

    The maximum query time range for log alerts is 2 days. This is a platform limitation documented under Azure Monitor service limits:

    Log search alerts have a maximum query time range of 48 hours.


    As a workaround, you can set OverrideQueryTimeRange and WindowSize in PowerShell or the CLI for scheduled query rules (Scheduled Query Alerts with OverrideQueryTimeRange).

    Reference: https://learn.microsoft.com/en-us/powershell/module/az.monitor/update-azscheduledqueryrule?view=azps-15.0.0

    https://learn.microsoft.com/en-us/cli/azure/monitor/scheduled-query?view=azure-cli-latest

    Use Logic Apps or Functions for Stateful Comparison: If the platform enforces 2-day limits, Microsoft recommends aggregating data externally and triggering alerts via Logic Apps or Functions.

    Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/best-practices-alerts

    Dynamic Thresholds for Longer Patterns: Dynamic thresholds use historical data (10+ days) to detect anomalies without manually coding multi-day logic.

    Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-dynamic-thresholds

    Metric Alerts for Rolling Windows: Metric alerts support longer evaluation periods and can be configured for multi-day checks.

    Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-types#metric-alerts

    Kindly let us know if the solution provided worked for you.

    If you need any further assistance, please feel free to reach out.

    Thanks,

    Suchitra.

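Added example, not code from the question or from the answer above: a Python model of the posted KQL ("seen in the last 4 days, silent for the last 2") and of the external stateful comparison the answer points to (Logic Apps or Functions carrying state between runs). It assumes a constructed customEvents sample and a fixed clock, and it models the alert rule's query time range as simply dropping events older than that range, which is the behaviour the thread describes. All function names here are mine, not an Azure API.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample standing in for the customEvents table: (timestamp, resourceId).
# NOW is fixed so the example is deterministic and runs offline.
NOW = datetime(2025, 11, 21, 10, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)
SAMPLE_EVENTS = [
    (NOW - 3 * DAY, "res-A"),    # seen 3 days ago only        -> should alert
    (NOW - 1 * DAY, "res-B"),    # seen 1 day ago               -> healthy
    (NOW - 3 * DAY, "res-B"),
    (NOW - 6 * DAY, "res-C"),    # last seen 6 days ago         -> outside the 4-day lookback
    (NOW - 2.5 * DAY, "res-D"),  # seen 2.5 days ago            -> should alert
]


def silent_resources(events, now, lookback=4 * DAY, silence=2 * DAY, query_time_range=None):
    """Port of the posted KQL: resources with an event inside `lookback` but none
    inside `silence`. When `query_time_range` is set, events older than it are
    dropped first, modelling the alert rule's query time range clipping what the
    query can see (assumption: the platform limits the query to that range)."""
    if query_time_range is not None:
        events = [(ts, rid) for ts, rid in events if ts > now - query_time_range]
    seen_recently = {rid for ts, rid in events if ts > now - silence}
    seen_in_lookback = {rid for ts, rid in events if ts > now - lookback}
    return sorted(seen_in_lookback - seen_recently)


def update_last_seen(state, events, now, query_time_range=2 * DAY):
    """One evaluation run of the external, stateful approach: read only the last
    `query_time_range` of events (what a 2-day log query can return) and carry
    each resource's last-seen time across runs in `state` (in a real Function
    this dict would be persisted, e.g. in a storage table)."""
    for ts, rid in events:
        if now - query_time_range < ts <= now:
            state[rid] = max(state.get(rid, ts), ts)
    return state


def silent_from_state(state, now, lookback=4 * DAY, silence=2 * DAY):
    """Same condition as the KQL, but evaluated against the carried state, so the
    4-day lookback no longer needs a 4-day query window."""
    return sorted(rid for rid, last in state.items()
                  if now - lookback < last <= now - silence)


def simulate_daily_runs(events, now, runs=4):
    """Run the stateful check once a day for `runs` days ending at `now`."""
    state = {}
    for i in range(runs - 1, -1, -1):
        update_last_seen(state, events, now - i * DAY)
    return silent_from_state(state, now)


if __name__ == "__main__":
    print("full 4-day data:   ", silent_resources(SAMPLE_EVENTS, NOW))
    print("clipped to 2 days: ", silent_resources(SAMPLE_EVENTS, NOW, query_time_range=2 * DAY))
    print("stateful, 2-day reads:", simulate_daily_runs(SAMPLE_EVENTS, NOW))
```

With the full 4-day data the query returns res-A and res-D; with the data clipped to 2 days the 4-day and 2-day sets are identical and the difference is empty, which is exactly a "greater than or equal to 1" rule never firing while a threshold of 0 fires on every evaluation. The stateful variant reaches the same result as the unclipped query using only 2-day reads, at the cost of persisting the last-seen map (and pruning entries older than the lookback so it does not grow without bound).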
