Actionable alerts
This tile breaks down alerts by severity to provide a simple proxy metric for actionability. Its query analyzes Azure alert events using the SQL Analytics feature and classifies them into actionable and non-actionable categories based on alert severity.
It groups alerts using a simple severity-based rule, treating Sev1 and Sev2 alerts as likely to require action and Sev3 and Sev4 alerts as noise candidates.
By comparing high-severity alerts to lower-severity noise, you can easily understand whether your alerting strategy is focused on issues that are likely to require intervention, or dominated by alerts that rarely demand action.
Configuration
Configure the following in the tile editor:
- Data source: Select Azure.
- Data stream: Select Alerts.
- Objects: Select the monitored objects you want to track alerts for.
- Parameters:
    - Monitor condition: Select Fired.
    - Severity: Leave blank to capture every severity level.
- Enable SQL Analytics from the toolbar, then configure the following:
    - SQL > Query: Enter the following query to classify fired alerts into actionable and non-actionable categories based on severity, and count how many fall into each group.

        SELECT
            CASE
                WHEN "properties.essentials.severity" IN ('Sev1', 'Sev2') THEN 'Actionable'
                WHEN "properties.essentials.severity" IN ('Sev3', 'Sev4') THEN 'Non-actionable'
                ELSE 'Unknown'
            END AS actionability,
            COUNT(*) AS alert_count
        FROM dataset1
        GROUP BY 1
        ORDER BY alert_count DESC;

    - Click Execute.
- Visualization:
    - Type: Select Bar.
    - Mapping:
        - X-Axis: Select Actionability.
        - Y-Axis: Select Alert Count.
    - Type > Layout: Select Horizontal.
- Click Save.
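A follow-on query, added here as an example and not part of the original tile, that applies the same severity rule per alert rule so you can see which rules generate the noise candidates. It assumes the dataset also exposes `properties.essentials.alertRule` and that the SQL Analytics dialect supports `SUM(CASE ...)` and `ROUND()`; Azure Monitor also emits Sev0 (Critical), which the tile's rule above leaves as 'Unknown', so this version folds it into the actionable bucket.

```sql
-- Added example (not part of the original tile): per-rule noise breakdown.
-- Assumes the dataset exposes "properties.essentials.alertRule" alongside
-- the severity column used above, and that the SQL Analytics dialect supports
-- SUM(CASE ...) and ROUND(). Sev0 (Critical) is folded into the actionable
-- bucket; the tile's own rule leaves it as 'Unknown'.
SELECT
    "properties.essentials.alertRule" AS alert_rule,
    COUNT(*) AS alert_count,
    SUM(CASE WHEN "properties.essentials.severity" IN ('Sev0', 'Sev1', 'Sev2')
             THEN 1 ELSE 0 END) AS actionable_count,
    SUM(CASE WHEN "properties.essentials.severity" IN ('Sev3', 'Sev4')
             THEN 1 ELSE 0 END) AS noise_count,
    -- Share of this rule's fired alerts that are noise candidates.
    ROUND(100.0 * SUM(CASE WHEN "properties.essentials.severity" IN ('Sev3', 'Sev4')
                           THEN 1 ELSE 0 END) / COUNT(*), 1) AS noise_pct
FROM dataset1
GROUP BY 1
ORDER BY noise_count DESC, alert_count DESC;
```

Rules at the top of this list with a high noise_pct are the first candidates for raising thresholds or lowering severity, which directly shifts the tile's Actionable share.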