Announcing the OMS Alerting Public Preview!

What are OMS Alerts?

You asked for it (a lot!), so here it is – OMS Alerts!  Operations Management Suite (OMS) can trigger an alert if a search finds a specific set of results.  If this occurs, OMS can send an email with the results to a list of user-defined recipients or execute an Automation runbook (or both!).  With this Automation integration, it is easy to set up “auto-remediation” for common actions, such as restarting a service that has stopped.

Alerts are completely based off of search records ingested into OMS.  This makes them very lightweight and easy to manage. 

Wait.  What’s OMS?

Operations Management Suite (OMS) is a simplified IT Management Solution that provides Log Analytics, Automation, Backup and Site Recovery.  It also seamlessly integrates with your existing management solutions to provide a single pane of glass view.  To learn more about OMS visit microsoft.com/oms

Alerting sounds great.  How do I start using it?

Here are the steps you’ll need to take to enable the Alerting Public Preview:

1. Enable “Alerting” in Settings -> Preview Features.  In OMS Settings you’ll notice a new tab called “PREVIEW FEATURES”, click this.  At the moment there are only two preview features: “Alerting” and “Alert Remediation”.  Enable both of these features.

FYI: If you choose to disable the Alerting feature, the alert rules you create will continue to be executed in the background.  In order to stop receiving alerts, you should delete all alert rules THEN disable the feature.

2.       Create your search.  Craft a search query for which you would like to be alerted on.  In this example, I’m going to look for all Event log errors

 

3.       Click the “New Alert” button in the search taskbar. 

4.       Fill out the required fields.  Here’s a breakdown of all the required fields and what they mean:

Name: The name for your alert rule.

Saved Search: By default, we will just use the current query in the search box, but if you prefer, you can choose from any of your existing Saved Searches.

 

 

Schedule: How often OMS will execute the search to check for the alert.  For example, if I create a new alert at 11:00 and the schedule is set to 15 minutes, OMS will check for the alert at 11:15, 11:30, etc.

 

Threshold (“Generate alert when…”): The number of results required to trigger the alert.  For example, if my threshold is set to “Greater than 500”, I will get an alert if the search returns 501+ results.

 

 

Time window:  This is the search time window when OMS checks for the alert.  If my time window is 30 minutes long, and OMS checks for the alert at 11:00, this means OMS will search for all results from 10:30-11:00.  You’ll notice when you change the time window, we execute the search to help you set the above threshold.

 

5. Choose your actions.  When the alert triggers, you can send an email to specified recipients, execute an Automation runbook, or do both.  In this example, I’m just going to send myself an email with the results.


6. Manage your Alert rules in Settings.  All Alert rules are managed in Settings underneath the “ALERTS” tab.   At the moment, you can only delete newly created rules.

 

You said I could execute an Automation runbook when the alert fires.  How do I do this?

This is very easy to do.  In the “Actions” section of the “Create new alert rule” pane, underneath the option “Enable remediation” simply choose “Yes”. 

If you have already integrated your Azure Automation account, you will see a list of all published runbooks.  Choose the runbook you would like to execute.  When the runbook is called, the top 5000 results will be passed as a JSON object inside the runbook.  For more information about parsing JSON in Automation runbooks, check out this blog post.

You will need to link your Azure subscription in order to use the Automation features.  You can learn more about that here.

 

 

Where can I view alerts that have fired?

All generated alerts are ingested back into search as if they were any other log record.  To view your alert history, simply visit search and execute the query “Type=Alert SourceSystem=OMS”.  This allows you to use filtering, time controls and all the other search functionality you’ve already learned.

 

 

We will be updating the “Alert Management” solution over the coming months to include visibility into your OMS alerts.

 

Since this is a preview, are there any limitations I should know about?

A few: 

Workspaces are limited to 10 alerting rules.  We will increase this limit to 10,000 by the time we make this feature generally available.

 

The minimum Schedule interval is 5 minutes. We will have even more granular scheduling windows by general availability.  

 

You cannot edit an Alert rule.  We wanted to get this feature out to you quickly, so at the moment there is no ability to edit a newly created alert rule.  For now, you will need to delete and recreate the alert.  Of course, we are looking to light up this capability quickly.

 

As with any Preview, part of what we are looking to do is ensure reliability of the alerting service.  It’s possible the service may go down as we expect to onboard many new customers in a short period of time.  We recommend using caution if you plan to use OMS Alerting for mission critical scenarios.

 

Looks really cool.  How can I let you know if there are any issues (or give you excessive compliments)?

If you’ve been paying attention to OMS, then you know we live and die with the wonderful feedback our customers provide.  There are lots of ways to do this.  Here are the most common methods:

Email: scdata@microsoft.com This is the best place to report issues.

Alerting customer panel:  We will be putting together a small cohort to test bleeding edge capabilites before they are enabled for all customers.  If interested, please fill out this survey.

UserVoice: Post ideas for new OMS features to work on.  Visit the OMS UserVoice page.

OMS Forums: Good general discussion of OMS.  Visit the OMS Forums.

Monthly survey: if you are an OMS customer, you know we send out a survey every month via email asking our customers about the features we’re working on next. 

We hope you enjoy this exciting new feature.  We know we have lots of work to do before we can take this out of “Preview”, so we are looking to you, our loyal customer base, to let us know exactly what you want next.  Over the next several months, you will see us light up new alerting capabilities like webhook support, more granular schedules and alert throttling.