Action rules (preview)

Action rules help you define or suppress actions at any Azure Resource Manager scope (Azure subscription, resource group, or target resource). They have various filters that help you narrow down the specific subset of alert instances that you want to act on.

Why and when should you use action rules?

Suppression of alerts

There are many scenarios where it's useful to suppress the notifications that alerts generate. These scenarios range from suppression during a planned maintenance window to suppression during nonbusiness hours. For example, the team responsible for ContosoVM wants to suppress alert notifications for the upcoming weekend, because ContosoVM is undergoing planned maintenance.

Although the team can manually disable each alert rule that's configured on ContosoVM (and enable it again after maintenance), that isn't a simple process. Action rules help you define alert suppression at scale, with the ability to flexibly configure the period of suppression. In the previous example, the team can define one action rule on ContosoVM that suppresses all alert notifications for the weekend.

Actions at scale

Although alert rules help you define the action group that triggers when an alert is generated, customers often have a common action group across their scope of operations. For example, a team responsible for the resource group ContosoRG will probably define the same action group for all alert rules defined within ContosoRG.

Action rules help you simplify this process. By defining actions at scale, an action group can be triggered for any alert that's generated on the configured scope. In the previous example, the team can define one action rule on ContosoRG that triggers the same action group for all alerts generated within it.

Note

Action rules currently do not apply to Service Health alerts.

Configuring an action rule

You can access the feature by selecting Manage actions from the Alerts landing page in Azure Monitor, and then selecting Action Rules (Preview). You can also open action rules directly by selecting Action Rules (preview) from the dashboard of the Alerts landing page.

Screenshot: Action rules on the Azure Monitor landing page

Select + New Action Rule.

Screenshot: Add a new action rule

Alternatively, you can also choose to create an action rule while configuring an alert rule.

Screenshot: Add a new action rule

You should now see the flow page for creating action rules. Configure the following elements:

Screenshot: New action rule flow

Scope

First choose the scope (Azure subscription, resource group, or target resource). You can also multiple-select a combination of scopes within a single subscription.

Screenshot: Action rule scope

Filter criteria

You can additionally define one or more filters to further narrow down to a specific subset of the alerts on the defined scope.

The available filters are:

  • Severity: The option to select one or more alert severities. Severity = Sev1 means that the action rule is applicable for all alerts set to Sev1.
  • Monitor Service: A filter based on the originating monitoring service. This filter is also multiple-select. For example, Monitor Service = "Application Insights" means that the action rule is applicable for all Application Insights-based alerts.
  • Resource Type: A filter based on a specific resource type. This filter is also multiple-select. For example, Resource Type = "Virtual Machines" means that the action rule is applicable for all virtual machines.
  • Alert Rule ID: An option to filter for specific alert rules by using the Resource Manager ID of the alert rule.
  • Monitor Condition: A filter for alert instances with either Fired or Resolved as the monitor condition.
  • Description: A regex (regular expression) match against the description that is defined as part of the alert rule. For example, Description contains 'prod' will match all alerts that contain the string "prod" in their descriptions.
  • Alert Context (payload): A regex match against the alert context fields of an alert's payload. For example, Alert Context (payload) contains 'Computer-01' will match all alerts whose payloads contain the string "Computer-01".

These filters are applied in conjunction with one another. For example, if you set Resource Type = 'Virtual Machines' and Severity = 'Sev0', you have filtered for all Sev0 alerts on your VMs only.
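To make the AND semantics of these filters concrete, the following is an added Python model (not Azure's own evaluation code) that applies the seven filter kinds listed above to a few constructed alert instances. The `Alert` and `ActionRuleFilters` names, the sample alerts, the "Platform" monitor service value and the placeholder rule IDs are all assumptions made for the illustration; an empty multi-select filter means "not set" and restricts nothing.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set


# Constructed model of the alert fields that action rule filters inspect.
@dataclass
class Alert:
    name: str
    severity: str            # "Sev0" .. "Sev4"
    monitor_service: str     # e.g. "Application Insights", "Log Analytics", "Platform" (constructed values)
    resource_type: str       # e.g. "Virtual Machines"
    alert_rule_id: str       # Resource Manager ID of the alert rule that produced the alert
    monitor_condition: str   # "Fired" or "Resolved"
    description: str         # description defined on the alert rule
    alert_context: str       # the alert payload, flattened to text for regex matching


@dataclass
class ActionRuleFilters:
    """Each multi-select filter is a set of accepted values; an empty set means the
    filter is not configured. Description and alert context are regular expressions.
    Every configured filter must match for the rule to act on an alert (AND)."""
    severity: Set[str] = field(default_factory=set)
    monitor_service: Set[str] = field(default_factory=set)
    resource_type: Set[str] = field(default_factory=set)
    alert_rule_id: Set[str] = field(default_factory=set)
    monitor_condition: Set[str] = field(default_factory=set)
    description_regex: Optional[str] = None
    alert_context_regex: Optional[str] = None

    def matches(self, alert: Alert) -> bool:
        multi_select = [
            (self.severity, alert.severity),
            (self.monitor_service, alert.monitor_service),
            (self.resource_type, alert.resource_type),
            (self.alert_rule_id, alert.alert_rule_id),
            (self.monitor_condition, alert.monitor_condition),
        ]
        for accepted, actual in multi_select:
            if accepted and actual not in accepted:
                return False          # a configured filter that does not match rejects the alert
        if self.description_regex and not re.search(self.description_regex, alert.description):
            return False
        if self.alert_context_regex and not re.search(self.alert_context_regex, alert.alert_context):
            return False
        return True


def select_alerts(filters: ActionRuleFilters, alerts):
    """Names of the alert instances an action rule with these filters would act on."""
    return [a.name for a in alerts if filters.matches(a)]


# Constructed sample alert instances; the subscription ID and rule IDs are placeholders.
RULE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG"
           "/providers/microsoft.insights/metricAlerts/")
SAMPLE_ALERTS = [
    Alert("vm-cpu", "Sev0", "Platform", "Virtual Machines", RULE_ID + "cpu-high",
          "Fired", "CPU high on prod VM", '{"computer": "Computer-01"}'),
    Alert("vm-disk", "Sev3", "Platform", "Virtual Machines", RULE_ID + "disk-low",
          "Fired", "Disk space low on prod VM", '{"computer": "Computer-02"}'),
    Alert("web-latency", "Sev0", "Application Insights", "Application Insights", RULE_ID + "latency",
          "Fired", "Latency above SLA in prod", '{"requestUrl": "https://contoso.example/api"}'),
    Alert("vm-cpu-resolved", "Sev0", "Platform", "Virtual Machines", RULE_ID + "cpu-high",
          "Resolved", "CPU high on prod VM", '{"computer": "Computer-01"}'),
]

if __name__ == "__main__":
    # Resource Type = Virtual Machines AND Severity = Sev0, as in the text above.
    sev0_vms = ActionRuleFilters(severity={"Sev0"}, resource_type={"Virtual Machines"})
    print(select_alerts(sev0_vms, SAMPLE_ALERTS))
```

Note that without a Monitor Condition filter the rule also acts on the Resolved instance; when the intent is only to quiet the initial notification, add Monitor Condition = Fired so that resolution notices still reach the on-call channel.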

Screenshot: Action rule filters

Suppression or action group configuration

Next, configure the action rule for either alert suppression or action group support. You cannot choose both. The configuration acts on all alert instances that match the previously defined scope and filters.

Suppression

If you select suppression, configure the duration for the suppression of actions and notifications. Choose one of the following options:

  • From now (Always): Suppresses all notifications indefinitely.
  • At a scheduled time: Suppresses notifications within a bounded duration.
  • With a recurrence: Suppresses notifications on a recurring daily, weekly, or monthly schedule.

Screenshot: Action rule suppression

Action group

If you select Action group in the toggle, either add an existing action group or create a new one.

Note

You can associate only one action group with an action rule.

Screenshot: Add or create a new action rule by selecting an action group

Action rule details

Lastly, configure the following details for the action rule:

  • Name
  • Resource group in which it will be saved
  • Description

Example scenarios

Scenario 1: Suppression of alerts based on severity

Contoso wants to suppress notifications for all Sev4 alerts on all VMs within the subscription ContosoSub every weekend.

Solution: Create an action rule with:

  • Scope = ContosoSub
  • Filters
    • Severity = Sev4
    • Resource Type = Virtual Machines
  • Suppression with recurrence set to weekly, and Saturday and Sunday checked

Scenario 2: Suppression of alerts based on alert context (payload)

Contoso wants to suppress notifications for all log alerts generated for 'Computer-01' in 'ContosoSub' indefinitely, because the machine is going through maintenance.

Solution: Create an action rule with:

  • Scope = 'ContosoSub'
  • Filters
    • Monitor Service = 'Log Analytics'
    • Alert Context (payload) contains 'Computer-01'
  • Suppression set to 'From now (Always)'

Scenario 3: Action group defined at a resource group

Contoso has defined a metric alert at the subscription level, but wants to define the actions that trigger specifically for alerts generated from its resource group 'ContosoRG'.

Solution: Create an action rule with:

  • Scope = ContosoRG
  • No filters
  • Action group set to ContosoActionGroup

Note

Action groups defined within action rules and alert rules operate independently, with no de-duplication. In the scenario described above, if there's an action group defined for the alert rule, it will trigger in conjunction with the action group defined in the action rule.

Managing your action rules

You can view and manage your action rules from the list view as shown below.

Screenshot: Action rules list view

From here, you can enable, disable, or delete action rules at scale by selecting the check box next to them. When you select an action rule, its configuration page opens. The page helps you update the action rule's definition and enable or disable it.

Best practices

Log alerts that you create with the number of results option generate a single alert instance from the whole search result (which might span multiple computers). In this scenario, if an action rule uses the Alert Context (payload) filter, it acts on the alert instance as long as there's a match anywhere in that result. In Scenario 2, described previously, if the search results for the generated log alert contain both Computer-01 and Computer-02, the entire notification is suppressed. There's no notification generated for Computer-02 at all.

Screenshot: Action rules and log alerts (number of results)

To best use log alerts with action rules, create log alerts with the metric measurement option. This option generates separate alert instances based on its defined group field. Then, in Scenario 2, separate alert instances are generated for Computer-01 and Computer-02. Because of the action rule described in that scenario, only the notification for Computer-01 is suppressed. The notification for Computer-02 continues to fire as normal.
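The difference between the two log alert types is easiest to see in code. The following is an added Python illustration (not Azure's code) of how the same search result becomes one alert instance under "number of results" and one instance per group value under "metric measurement", and of what Scenario 2's payload filter then suppresses. The rows, the `SearchResults` payload shape and the function names are constructed for this example; the real alert payload format differs, only the grouping behaviour matters here.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List

# Constructed search result rows from a log query: one row per computer that breached.
SEARCH_RESULTS = [
    {"Computer": "Computer-01", "CounterValue": 97.2},
    {"Computer": "Computer-02", "CounterValue": 95.8},
]


def number_of_results_instances(rows: List[Dict]) -> List[Dict]:
    """'Number of results' alert: a single instance whose context carries the whole result set."""
    return [{"group": None, "alert_context": json.dumps({"SearchResults": rows})}]


def metric_measurement_instances(rows: List[Dict], group_field: str) -> List[Dict]:
    """'Metric measurement' alert: one instance per distinct value of the group field."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row[group_field]].append(row)
    return [{"group": key, "alert_context": json.dumps({"SearchResults": members})}
            for key, members in grouped.items()]


def notified_groups(instances: List[Dict], suppress_context_regex: str) -> List:
    """Groups whose notification still fires after an action rule suppresses every
    instance whose alert context matches the regex (Scenario 2 uses 'Computer-01')."""
    return [i["group"] for i in instances
            if not re.search(suppress_context_regex, i["alert_context"])]


if __name__ == "__main__":
    # Number of results: one instance, and it contains "Computer-01", so nothing fires.
    print(notified_groups(number_of_results_instances(SEARCH_RESULTS), "Computer-01"))  # []
    # Metric measurement: two instances, only Computer-01's is suppressed.
    print(notified_groups(metric_measurement_instances(SEARCH_RESULTS, "Computer"), "Computer-01"))  # ['Computer-02']
```

The first call returning an empty list is the blind spot the text warns about: a payload-based suppression on a "number of results" alert silences every computer that happens to share the search result with the one under maintenance.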

Screenshot: Action rules and log alerts (number of results)

FAQ

While I'm configuring an action rule, I'd like to see all the possible overlapping action rules, so that I avoid duplicate notifications. Is it possible to do that?

After you define a scope as you configure an action rule, you can see a list of action rules that overlap on the same scope (if any). This overlap can be one of the following:

  • An exact match: For example, the action rule you're defining and the overlapping action rule are on the same subscription.

  • A subset: For example, the action rule you're defining is on a subscription, and the overlapping action rule is on a resource group within the subscription.

  • A superset: For example, the action rule you're defining is on a resource group, and the overlapping action rule is on the subscription that contains the resource group.

  • An intersection: For example, the action rule you're defining is on VM1 and VM2, and the overlapping action rule is on VM2 and VM3.

    Screenshot: Overlapping action rules

While I'm configuring an alert rule, is it possible to know if there are already action rules defined that might act on the alert rule I'm defining?

After you define the target resource for your alert rule, you can see the list of action rules that act on the same scope (if any) by selecting View configured actions under the Actions section. This list is populated based on the following scenarios for the scope:

  • An exact match: For example, the alert rule you're defining and the action rule are on the same subscription.
  • A subset: For example, the alert rule you're defining is on a subscription, and the action rule is on a resource group within the subscription.
  • A superset: For example, the alert rule you're defining is on a resource group, and the action rule is on the subscription that contains the resource group.
  • An intersection: For example, the alert rule you're defining is on VM1 and VM2, and the action rule is on VM2 and VM3.

Screenshot: Overlapping action rules

Can I see the alerts that have been suppressed by an action rule?

In the alerts list page, you can choose an additional column called Suppression Status. If the notification for an alert instance was suppressed, it shows that status in the list.

Screenshot: Suppressed alert instances

If there's an action rule with an action group and another with suppression active on the same scope, what happens?

Suppression always takes precedence on the same scope.

What happens if I have a resource that's monitored in two separate action rules? Do I get one or two notifications? For example, VM2 in the following scenario:

  "action rule AR1 defined for VM1 and VM2 with action group AG1
  action rule AR2 defined for VM2 and VM3 with action group AG1"

For every alert on VM1 and VM3, action group AG1 would be triggered once. For every alert on VM2, action group AG1 would be triggered twice, because action rules don't deduplicate actions.

What happens if I have a resource monitored in two separate action rules and one calls for action while the other calls for suppression? For example, VM2 in the following scenario:

  "action rule AR1 defined for VM1 and VM2 with action group AG1
  action rule AR2 defined for VM2 and VM3 with suppression"

For every alert on VM1, action group AG1 would be triggered once. Actions and notifications for every alert on VM2 and VM3 will be suppressed.

What happens if I have an alert rule and an action rule defined for the same resource calling different action groups? For example, VM1 in the following scenario:

  "alert rule rule1 on VM1 with action group AG2
  action rule AR1 defined for VM1 with action group AG1"

For every alert on VM1, action group AG1 would be triggered once. Whenever alert rule "rule1" is triggered, it will also trigger AG2 additionally. Action groups defined within action rules and alert rules operate independently, with no deduplication.
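The three FAQ scenarios above, plus the scope hierarchy (subscription, resource group, resource) from the overlap questions, can be checked against a small model. The following is an added Python example (not Azure's own code) that encodes the documented rules: an action rule applies when the alert's resource sits at or below one of its scopes, suppression wins over any action group on that resource, action groups are never deduplicated, and the alert rule's own action group fires independently. The resource IDs, the subscription placeholder and the `ActionRule` and `triggered_action_groups` names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed Resource Manager IDs; the subscription ID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/ContosoRG"
VM1 = RG + "/providers/Microsoft.Compute/virtualMachines/VM1"
VM2 = RG + "/providers/Microsoft.Compute/virtualMachines/VM2"
VM3 = RG + "/providers/Microsoft.Compute/virtualMachines/VM3"


def in_scope(scope_id: str, resource_id: str) -> bool:
    """True when resource_id is the scope itself or a child of it (a VM is inside its
    resource group, which is inside its subscription). IDs compare case-insensitively;
    the trailing slash stops 'VM1' from matching 'VM10'."""
    scope = scope_id.rstrip("/").lower() + "/"
    target = resource_id.rstrip("/").lower() + "/"
    return target.startswith(scope)


@dataclass
class ActionRule:
    name: str
    scopes: List[str]                  # one or more scopes within a single subscription
    suppression: bool = False          # True: suppress; False: trigger action_group
    action_group: Optional[str] = None # at most one action group per action rule
    enabled: bool = True


def triggered_action_groups(resource_id: str,
                            alert_rule_action_group: Optional[str],
                            rules: List[ActionRule]) -> List[str]:
    """Action groups triggered for one alert on resource_id, duplicates included.
    Returns [] when any applicable action rule suppresses the alert, since suppression
    takes precedence over every action group, including the alert rule's own."""
    applicable = [r for r in rules
                  if r.enabled and any(in_scope(s, resource_id) for s in r.scopes)]
    if any(r.suppression for r in applicable):
        return []
    fired = [alert_rule_action_group] if alert_rule_action_group else []
    fired += [r.action_group for r in applicable if r.action_group]   # no deduplication
    return fired


if __name__ == "__main__":
    ar1 = ActionRule("AR1", [VM1, VM2], action_group="AG1")
    ar2 = ActionRule("AR2", [VM2, VM3], action_group="AG1")
    print("VM2, two action rules:", triggered_action_groups(VM2, None, [ar1, ar2]))   # AG1 twice
    ar2_suppress = ActionRule("AR2", [VM2, VM3], suppression=True)
    print("VM2, action vs suppression:", triggered_action_groups(VM2, None, [ar1, ar2_suppress]))
    print("VM1, alert rule AG2 + action rule AG1:",
          triggered_action_groups(VM1, "AG2", [ActionRule("AR1", [VM1], action_group="AG1")]))
```

Because nothing deduplicates, two overlapping rules that point at the same on-call action group page that team twice for every alert on the intersection; the overlap list shown while configuring a rule is the place to catch that before it is saved.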

Next steps