So far:
- Microsoft Azure Operational Insights Preview Series – System Update Assessment (Part 1)
- Microsoft Azure Operational Insights Preview Series – Malware Assessment (Part 2)
- Microsoft Azure Operational Insights Preview Series – Log Management (Part 3)
- Microsoft Azure Operational Insights Preview Series – Capacity Planning (Part 4)
- Microsoft Azure Operational Insights Preview Series – Change Tracking (Part 5)
- Microsoft Azure Operational Insights Preview Series – Time Matters in Dashboard (Part 6)
- Microsoft Azure Operational Insights Preview Series – SQL Assessment (Part 7)
- Microsoft Azure Operational Insights Preview Series – Connecting Directly with Microsoft Monitoring Agent (Part 8)
For more than a couple of weeks there has been a new Intelligence Pack in Azure Operational Insights: Alert Management. I would have blogged about it earlier, but initially the IP was not working for my account; the Azure Operational Insights team managed to fix it in less than a week. Of course, once I had Alert Management working I was occupied with other tasks. In short, better late than never.
After adding the Alert Management Intelligence Pack you will quite quickly start to see your SCOM alerts in Operational Insights:
Digging deeper in the tile we will see more graphics:
And of course if you click on a tile here you will be redirected to a search query:
So far so good. The first obvious choice is to create a query that shows the critical alerts in your environment for the last 24 hours:
Type:Alert AlertState=New AlertSeverity=Error TimeRaised>NOW-1DAY | Select AlertName, SourceDisplayName, TimeRaised | sort TimeRaised desc
Then take that query and create a dashboard for it:
After that you can use the Windows Phone app for Azure Operational Insights, and by simply tapping on the tile you will always know remotely what the latest alerts in your environment are.
A second good scenario is to pick a specific alert and find out why it was raised. Let's take the following alerts:
I can see two alerts for web sites being down on the same server. From the description I can see it is exactly the same server, and from the time frame bar I can see they both happened at "2014-11-27T13:35:20.11Z".
From the query results I copy the time and the server name and put them in Notepad.
Then I narrow down the time bar:
To become something like this:
Then I replace the query with:
Type=ConfigurationChange Computer:"Server.contoso.com"
I get 101 results, so I narrow them down by adding one more filter to the query:
Type=ConfigurationChange Computer:"Server.contoso.com" ConfigChangeType:"Software"
This gives me only 14 results, and I can see that during that time someone installed/removed some Lync services.
Now I can take this result, contact my Lync administrators and get them fired. Just kidding, of course, but such a scenario can be real, and Azure Operational Insights is a good partner in resolving IT mysteries.
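The two searches above (critical new alerts from the last 24 hours, then configuration changes on the same server in a narrowed time window) are the manual steps of one correlation. The following Python script is an added example, not code from the post or from the Operational Insights service: it applies the same filters to constructed sample records so the workflow can be run and checked offline. Field names AlertState, AlertSeverity, AlertName, SourceDisplayName, TimeRaised, Computer and ConfigChangeType come from the post's queries; a Computer field on the alert record and the SoftwareName, ChangeCategory and TimeGenerated fields on the change records are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like the Alert and ConfigurationChange records
# the post searches. "Now" is fixed so that the 24-hour window is reproducible.
NOW = datetime(2014, 11, 27, 20, 0, tzinfo=timezone.utc)

ALERTS = [  # constructed; Computer on an alert is an assumption for this example
    {"Type": "Alert", "AlertState": "New", "AlertSeverity": "Error", "AlertName": "Web Site Unavailable",
     "SourceDisplayName": "Default Web Site (Server.contoso.com)", "Computer": "Server.contoso.com",
     "TimeRaised": "2014-11-27T13:35:20.11Z"},
    {"Type": "Alert", "AlertState": "New", "AlertSeverity": "Error", "AlertName": "Web Site Unavailable",
     "SourceDisplayName": "Intranet Portal (Server.contoso.com)", "Computer": "Server.contoso.com",
     "TimeRaised": "2014-11-27T13:35:20.11Z"},
    {"Type": "Alert", "AlertState": "New", "AlertSeverity": "Warning", "AlertName": "Logical Disk Free Space is low",
     "SourceDisplayName": "C: (Server.contoso.com)", "Computer": "Server.contoso.com",
     "TimeRaised": "2014-11-27T15:02:00.00Z"},                       # wrong severity
    {"Type": "Alert", "AlertState": "Closed", "AlertSeverity": "Error", "AlertName": "Web Site Unavailable",
     "SourceDisplayName": "Default Web Site (Server.contoso.com)", "Computer": "Server.contoso.com",
     "TimeRaised": "2014-11-27T09:10:00.00Z"},                       # already closed
    {"Type": "Alert", "AlertState": "New", "AlertSeverity": "Error", "AlertName": "Health Service Heartbeat Failure",
     "SourceDisplayName": "OtherServer.contoso.com", "Computer": "OtherServer.contoso.com",
     "TimeRaised": "2014-11-25T03:00:00.00Z"},                       # older than 24 hours
]

CHANGES = [  # constructed; SoftwareName/ChangeCategory/TimeGenerated are assumed field names
    {"Type": "ConfigurationChange", "Computer": "Server.contoso.com", "ConfigChangeType": "Software",
     "ChangeCategory": "Removed", "SoftwareName": "Microsoft Lync Server 2013, Web Components Server",
     "TimeGenerated": "2014-11-27T13:30:05.00Z"},
    {"Type": "ConfigurationChange", "Computer": "Server.contoso.com", "ConfigChangeType": "Software",
     "ChangeCategory": "Added", "SoftwareName": "Microsoft Lync Server 2013, Core Components",
     "TimeGenerated": "2014-11-27T13:33:40.00Z"},
    {"Type": "ConfigurationChange", "Computer": "Server.contoso.com", "ConfigChangeType": "WindowsServices",
     "ChangeCategory": "Modified", "SoftwareName": "World Wide Web Publishing Service",
     "TimeGenerated": "2014-11-27T13:35:01.00Z"},                    # dropped by the Software filter
    {"Type": "ConfigurationChange", "Computer": "OtherServer.contoso.com", "ConfigChangeType": "Software",
     "ChangeCategory": "Added", "SoftwareName": "Microsoft Lync Server 2013, Core Components",
     "TimeGenerated": "2014-11-27T13:34:00.00Z"},                    # different computer
    {"Type": "ConfigurationChange", "Computer": "Server.contoso.com", "ConfigChangeType": "Software",
     "ChangeCategory": "Added", "SoftwareName": "Contoso Monitoring Agent Hotfix",
     "TimeGenerated": "2014-11-27T08:00:00.00Z"},                    # outside the narrowed time bar
]


def parse_time(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SS.ffZ' timestamps shown in the post as aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def critical_new_alerts(alerts, now=NOW, window=timedelta(days=1)):
    """Same filter and ordering as the post's first query:
    Type:Alert AlertState=New AlertSeverity=Error TimeRaised>NOW-1DAY | sort TimeRaised desc"""
    cutoff = now - window
    hits = [a for a in alerts
            if a["Type"] == "Alert" and a["AlertState"] == "New"
            and a["AlertSeverity"] == "Error" and parse_time(a["TimeRaised"]) > cutoff]
    hits.sort(key=lambda a: parse_time(a["TimeRaised"]), reverse=True)
    return hits


def select_columns(records, *columns):
    """The '| Select AlertName, SourceDisplayName, TimeRaised' projection step."""
    return [{c: r[c] for c in columns} for r in records]


def changes_on_computer(changes, computer, start, end, change_type=None):
    """Narrowing the time bar to [start, end] and running
    Type=ConfigurationChange Computer:"<computer>" [ConfigChangeType:"<type>"]."""
    out = [c for c in changes
           if c["Type"] == "ConfigurationChange" and c["Computer"] == computer
           and (change_type is None or c["ConfigChangeType"] == change_type)
           and start <= parse_time(c["TimeGenerated"]) <= end]
    out.sort(key=lambda c: parse_time(c["TimeGenerated"]))
    return out


def correlate(alerts, changes, now=NOW, before=timedelta(minutes=30), after=timedelta(minutes=5)):
    """Automate the post's manual steps: for every critical new alert, list the
    software changes recorded on the same computer shortly before it fired."""
    findings = []
    for a in critical_new_alerts(alerts, now):
        raised = parse_time(a["TimeRaised"])
        hits = changes_on_computer(changes, a["Computer"], raised - before, raised + after, "Software")
        findings.append({"AlertName": a["AlertName"], "Computer": a["Computer"], "TimeRaised": a["TimeRaised"],
                         "SoftwareChanges": [f'{c["ChangeCategory"]}: {c["SoftwareName"]} @ {c["TimeGenerated"]}'
                                             for c in hits]})
    return findings


if __name__ == "__main__":
    for f in correlate(ALERTS, CHANGES):
        print(f["TimeRaised"], f["AlertName"], "on", f["Computer"])
        for line in f["SoftwareChanges"]:
            print("   ", line)
```

The window around the alert (30 minutes before, 5 minutes after) stands in for dragging the time bar by hand; widen it if the change that caused an outage happened long before the monitor noticed, and drop the ConfigChangeType filter to see service state changes as well as installs and removals.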
9 thoughts on “Microsoft Azure Operational Insights Preview Series – Alert Management (Part 9)”