Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
How to monitor the average value over a certain period
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 7.000000000000001%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOV%3C/text%3E%3C/svg%3E)
Oetze van den Broek
156
Reputation points
We have devices reporting a voltage level each hour. we need a way to monitor the voltage levels and generate alert when a average value is below a certain threshold. We would like to use the Azure Monitor for this.
I've setup a log analytics workspace with all our data. I've transformed the data into 3 colums:
| TimeGenerated | DeviceId | Voltage |
|---|---|---|
| 1 am | dev1 | 13.2 |
| 2 am | dev1 | 13.4 |
| 3 am | dev1 | 13.3 |
| 1 am | dev2 | 13.4 |
| 2 am | dev2 | 13.5 |
| 3 am | dev2 | 13.7 |
the table is simplied.
How can i take the average value per deviceid of the last 24 hours. The value needs to be evaluated each hour.
I've added this to my KQL as last step:
| summarize
AverageVoltage = avg(todouble(Voltage)),
PointCount = count()
by tostring(deviceId)
This summerizes the average value per deviceId. But i don't know how the time range of 24h should be applied.
The question is:
- Should i summerize the value in the kql value?
- What should be the values of the Alert rule.
- What should Aggregation granularity be?
- What should Aggregation type be?
- What should i set the Override query time range in the advanced section be?
I tried the summerize in kql option. But i don't see any option to take the average of the last 24 hours. in the query editor i can set the time range to be 24 hours. but i don't see this option in the alert rule configuration.
Azure Monitor
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 97%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Suchitra Suregaunkar 4,045 Reputation points Microsoft External Staff Moderator2025-12-12T13:46:42.3533333+00:00 Hello Oetze van den Broek
Thank you for posting your query on Microsoft Q&A platform.
You want to alert when the average voltage per device over the last 24 hours falls below a threshold. You are using Log Analytics + Azure Monitor Alerts and need guidance on:
- How to apply the 24‑hour time window
- Whether to use summarize
- Correct alert rule settings
- Whether aggregation granularity/type applies
Below is the correct configuration:
- Correct KQL Query (Average per device over last 24 hours)
Azure Monitor Log Alerts do not perform time-based averaging automatically.
You must apply the 24‑hour window inside the KQL query itself.
YourTable |** where TimeGenerated >= ago(24h)**
|** summarize AverageVoltage = avg(todouble(Voltage)) by DeviceId**
This accurately calculates the 24‑hour average per device. The query output is what Azure Monitor evaluates.
- Log Alert Rule Configuration: Signal type should be Custom log search
Condition:
- Operator: Less than
- Threshold: your expected voltage minimum (example:
12.5) - Set “Number of results > 0” (Alert triggers if any device has average below threshold)
Frequency: Run query every 1 hour (You said you want hourly evaluation)
Override Query Time Range Set to 24 hours.
This ensures Azure Monitor always evaluates the last 24 hours regardless of the query window shown in the portal UI.
- Aggregation granularity and Aggregation type: These settings apply only to Metric Alerts. You are creating a Log Alert, so:
Aggregation granularity → Not used
Aggregation type → Not used
Your KQL summarize already performs the aggregation.
Final Expected Logic Flow is for every hour, Azure runs your query. Query looks at the past 24 hours of data. It calculates avg voltage per device. Alert fires if any device has AverageVoltage < threshold.
Thanks,
Suchitra.
-
Oetze van den Broek 156 Reputation points
2025-12-12T14:26:29.25+00:00 Thanks for the quick response
Where can i "disable" the Aggregation while it's not used?
I've currently set it up as so:
this is the query
MyData | summarize AverageVoltage_24h = avg(todouble(BatteryVoltage)), PointCount = count() by tostring(deviceId)But the preview windows for one device id looks like this:
Which shows a average value constantly of 12.25k
I know that this devices has only data above 13000.
Is the preview correct? Once i remove 2 devices from the data that have 0 values. This value increases. I'ts like the dimensions aren't taken into account in the preview.
Sign in to comment
Sign in to answer