Microsoft Operations Management Suite Cookbook

Alert rule types

Log Analytics alert rules are of two types:

  • Number of results: When selected, this will create a single alert for all records that conform to the search query and alert rule arguments. An alert will be generated if the number of records returned by the search query is either Greater than or Less than the value you specify.
  • Metric measurements: When selected, this will create a distinct alert for each record in the search query results, with values that conform to the defined metric measurement threshold. The metric measurement alert rule type is composed of the following properties:
    • Aggregate Value: This is the threshold that must be exceeded by each aggregate value in the records returned by the search query in order for it to be a threshold breach. You can look for results that are Greater than or Less than the specified value in order to be considered a breach.
    • Trigger alert based on: This is the number of breaches required in order for an alert to be created. You can look for a number of Total breaches or Consecutive breaches in order for an alert to be generated.
When using the Metric Measurement alert rule type, the search query must return a column named AggregatedValue and must group its results with bin(TimeGenerated, <interval>), because the rule evaluates one aggregate value per time bin and counts how many of those bins breach the threshold.

For instance, the following query can be used with a Metric Measurement alert rule type to create an alert for each computer object in a query with a value that exceeds an 80% threshold:

Perf
| where CounterName == "% Processor Time" and ObjectName == "Processor" and InstanceName == "_Total"
| summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 5m)

To specify that the values of interest are those above the 80% threshold, we specify Greater than 80 in the Aggregate Value field for the Metric measurement alert rule:

Figure 3.5
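To make the difference between Total breaches and Consecutive breaches concrete, the following Python script is an added example (it is not code from the book, nor part of Log Analytics itself). It replays what the query above does, filtering to the _Total processor counter and computing AggregatedValue = avg(CounterValue) per Computer and 5-minute bin, over a constructed set of Perf records, and then applies the Aggregate Value threshold and the trigger setting the way the Metric measurement rule does. The computer names srvA and srvB, the timestamps and the counter values are all made up for the illustration.

```python
"""Offline simulation of a Log Analytics Metric measurement alert rule.

Added example, not from the book. It runs the page's query logic over a
constructed Perf sample and then evaluates the Aggregate Value threshold
with a Total or Consecutive breach trigger, so the two trigger modes can
be compared on the same data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

T0 = datetime(2018, 1, 1, 12, 0, 0)   # constructed start of the alert window


def perf_row(ts, computer, obj, counter, instance, value):
    """Shape of a Perf record, limited to the columns the query uses."""
    return {"TimeGenerated": ts, "Computer": computer, "ObjectName": obj,
            "CounterName": counter, "InstanceName": instance, "CounterValue": value}


def make_samples():
    """Constructed Perf records (not real telemetry): three samples per 5-minute
    bin per computer. srvA averages above 80% in bins 0, 1, 2 and 4 (three in a
    row); srvB averages above 80% in bins 0, 2 and 4 (never twice in a row).
    Two extra rows (a single-core instance and a Memory counter) must be dropped
    by the query's where clause."""
    bin_avgs = {"srvA": [85, 90, 95, 40, 88], "srvB": [85, 30, 92, 20, 95]}
    rows = []
    for computer, avgs in bin_avgs.items():
        for i, avg in enumerate(avgs):
            for j, delta in enumerate((-5, 0, 5)):        # mean of the three == avg
                rows.append(perf_row(T0 + timedelta(minutes=5 * i + 2 * j), computer,
                                     "Processor", "% Processor Time", "_Total", avg + delta))
    rows.append(perf_row(T0, "srvA", "Processor", "% Processor Time", "0", 99))
    rows.append(perf_row(T0, "srvB", "Memory", "Available MBytes", "", 512))
    return rows


def bin_time(ts, bin_size):
    """KQL bin(TimeGenerated, bin_size): round the timestamp down to the bin boundary."""
    return ts - ((ts - datetime.min) % bin_size)


def run_query(rows, bin_size=timedelta(minutes=5)):
    """The page's query: filter to the _Total processor counter, then
    summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, bin_size)."""
    groups = defaultdict(list)
    for r in rows:
        if (r["CounterName"] == "% Processor Time" and r["ObjectName"] == "Processor"
                and r["InstanceName"] == "_Total"):
            groups[(r["Computer"], bin_time(r["TimeGenerated"], bin_size))].append(r["CounterValue"])
    return [{"Computer": c, "TimeGenerated": t, "AggregatedValue": mean(vals)}
            for (c, t), vals in sorted(groups.items())]


def metric_rule_fires(aggregated, threshold, operator="gt", trigger="consecutive", breaches=3):
    """Metric measurement rule: one evaluation per Computer. A bin breaches when its
    AggregatedValue is Greater than ("gt") or Less than ("lt") the threshold; the
    computer fires when the number of breaching bins (Total) or the longest run of
    breaching bins in time order (Consecutive) reaches `breaches`.
    Returns the sorted list of computers that would each raise an alert."""
    by_computer = defaultdict(list)
    for r in aggregated:
        by_computer[r["Computer"]].append(r)
    fired = []
    for computer, rows in by_computer.items():
        rows.sort(key=lambda r: r["TimeGenerated"])
        flags = [(r["AggregatedValue"] > threshold) if operator == "gt"
                 else (r["AggregatedValue"] < threshold) for r in rows]
        if trigger == "total":
            hit = sum(flags) >= breaches
        else:
            run = longest = 0
            for f in flags:
                run = run + 1 if f else 0
                longest = max(longest, run)
            hit = longest >= breaches
        if hit:
            fired.append(computer)
    return sorted(fired)


def number_of_results_fires(results, operator, value):
    """Number of results rule, for contrast: a single alert for the whole query when
    the record count is Greater than ("gt") or Less than ("lt") the configured value."""
    count = len(results)
    return count > value if operator == "gt" else count < value


if __name__ == "__main__":
    agg = run_query(make_samples())
    for r in agg:
        print(r["Computer"], r["TimeGenerated"].strftime("%H:%M"), r["AggregatedValue"])
    print("Greater than 80, Total breaches 3:      ", metric_rule_fires(agg, 80, "gt", "total", 3))
    print("Greater than 80, Consecutive breaches 3:", metric_rule_fires(agg, 80, "gt", "consecutive", 3))
    print("Number of results Greater than 0:       ", number_of_results_fires(agg, "gt", 0))
```

With the constructed data, Total breaches of 3 raises an alert for both srvA and srvB, while Consecutive breaches of 3 raises one only for srvA, whose three hot bins are adjacent in time. That is the practical reason to prefer Consecutive breaches for a sustained-load condition such as CPU: a host that spikes briefly three times across the window is a different signal from one that stays pegged for fifteen minutes.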