Why can't I create an azure alert rule with a specific KQL query

Question

Why can't I create an azure alert rule with a specific KQL query

Alexander Andro Jae Diaz 0

1

I was tasked to create an alert rule for a specific VM using custom log search and with query from the client's parameter sheet:

Event
| where EventLog == "System"
| where EventLevelName == "Critical"
| where Computer == "testVM1"
| where TimeGenerated > ago(1m)

with 1 minute aggregation granularity and 1 minute frequency evaluation based from the client's parameter sheet. As expected, upon creation it threw an error:

Error: Failed to create alert rule test. One-minute frequency is not supported for this query. Either switch to five-minute frequency or adapt the query.

I also found out that there are certain limitations in creating alert rules with 1 minute frequency. I just can't understand how and why is the query not acceptable? can someone explain it to me step by step?

1 answer

Your answer

Answer 1

Clive Watson 7,556 MVP

Hi, You have answers on this on Stackoverflow and the details (as you mention) are listed here: https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-troubleshoot-log#one-minute-frequency-isnt-supported-for-this-query
if 1min is mandatory for you you'll have to modify the query until it succeeds but there is nothing obvious in what you are doing. You would normally to best practise move the time filter to the first line, worth a try https://learn.microsoft.com/en-us/kusto/query/best-practices?view=microsoft-fabric e.g.

Event | where TimeGenerated > ago(1m) | where EventLog == "System" | where EventLevelName == "Critical" | where Computer == "testVM1"

I'd also consider summarizing the data to reduce the return results, even if it just a test (example final line):

| summarize count() by Computer

Alexander Andro Jae Diaz 0 Reputation points

2025-04-25T00:44:59.08+00:00

Hello Clive, thanks for the reply. I tried what you suggested and even changed the region of my test but still can't create the rule. What baffles me is that the client showed us the rule on their primary region and was able to create it. Could they have created the rule before an update? What I noticed though is when they opened the specific alert rule it has an x beside the condition pane but will ultimately disappear just waiting a few seconds. They are insisting they were able to create it before. I am out of options why we can't create it but they can.
Alexander Andro Jae Diaz 0 Reputation points

2025-04-28T01:03:38.5566667+00:00

Hi Clive, thanks for the reply. I tried the above but still can't create the alert rule saying one minute frequency is still not valid for the query. Is this some kind of update issue? where client created this before and now that it is still showing in their environment but with updates it is not creatable anymore.

Share via

Why can't I create an azure alert rule with a specific KQL query

1 answer

Your answer