Share via

Azure Monitor log alert firing repeatedly every 5 minutes for a single Automation runbook completion event

Amol Garse 0 Reputation points
2026-06-02T12:54:38.0333333+00:00

Description

We have an Azure Monitor log alert configured for an Azure Automation runbook that restarts an Azure App Service twice daily. This alert has been working correctly till now since its creation and was sending a single email notification per successful run.

Starting on 01-JUNE-2026, the same alert began firing multiple times for what appears to be a single runbook execution. On 01-JUNE-2026, the alert fired repeatedly at exact 5-minute intervals, even though the underlying runbook executed only once and Log Analytics shows only one matching completed job log record.

This issue is generating multiple false-positive email notifications for a production/important operational alert. Alert noise is impacting monitoring reliability and operational response.

Current alert set up -

Created Automation Account in Azure and created runbook under it.

========================

Runbook:

 

param(

  [string]$ResourceGroupName = "RG_MyApp",

  [string]$WebAppName = "MyPOCApp"

)

Connect-AzAccount -Identity

$current = Get-AzContext

Write-Output ("Using account: " + $current.Account.Id)

Restart-AzWebApp -ResourceGroupName $ResourceGroupName -Name $WebAppName

Write-Output "Restart command submitted for web app '$WebAppName' in resource group '$ResourceGroupName'."

 

================================

 

This runbook has 2 Schedules:

1. Restart web app at 08:00 AM JST every day.

2. Restart web app at 08:30 PM JST every day.

 

===============================

 

There is a Log search alert rule in azure. It linked to Automation Account.

Condition: 

Signal Name: Custom log search

Query type: Aggregated log search

 

Search query: 

AzureDiagnostics 

| where ResourceProvider == "MICROSOFT.AUTOMATION"

    and Category == "JobLogs"

    and ResultType == "Completed" 

    and RunbookName_s  == "Restart-MyApp-Runbook"

| project TimeGenerated, RunbookName_s, ResultType, _ResourceId, JobId_g

 

  Split by dimensions is not configured.

**Measurement**

Measure: Table rows

Aggregation type: Count

Aggregation granularity: 5 mint

 

**Alert logic:**

Threshold type: Static

Operator: Greater than or equal to 

Threshold value: 1

Frequency of evaluation: 5 mints



**Advance options -** 

Number of violations: 1

Evaluation period: 5 mint   - (1 aggregated points)

Override query time range: None(5 mints)

Action:

send email

Current issue / Observed behavior:

Historically, the alert triggered once per scheduled runbook completion.

Example of expected behavior:

31-May-2026: one alert fired around 8:09 AM JST

Unexpected behavior:

01-Jun-2026: multiple alert firings for the same runbook execution, at exact 5-minute intervals.

Each time multiple alert fired so multiple emails being sent (e.g., 7 or 6 alert emails).

All below times are in JST

8:34 PM

8:39 PM

8:44 PM

8:49 PM

8:54 PM

8:59 PM

9:04 PM

These repeated firings appear to correspond to the alert evaluation cycle rather than multiple runbook executions. This has started from 01-June-2026

Validation already performed:

We validated the underlying data in Log Analytics and found the following:

Only one actual job ID exists in the relevant time window

Only one completed record exists for that job ID

Runbook ran only once during relevant time window

Question:

Are there any recent backend/platform-side change or issue in Azure Monitor Scheduled Query Alert evaluation, alert state handling, or repeated firing behavior, which is causing this issue?

Is there any known Azure Monitor issue that can cause duplicate alert instances while the underlying log record exists only once?

Has anyone observed similar behavior with Automation JobLogs and Scheduled Query Rules?

  1. Any other reason for this duplicate alert issue.
Azure Monitor
Azure Monitor

An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Bharath Y P 9,215 Reputation points Microsoft External Staff Moderator
    2026-06-03T05:35:19.1133333+00:00

    Hello Amol, it turns out nothing magical changed on the Azure side on 01-June-2026 – this is expected behavior when you use a Log Alert with a 5-minute lookback and static threshold of >=1 without any de-duplication logic. Here’s what’s happening and how you can fix it:

    1. What’s happening under the covers
      • Your query (AzureDiagnostics | where …) runs every 5 minutes and looks back over the previous 5 minutes.
      • A single record that lands exactly at the start of the window (for example at 8:34 PM) will show up in multiple overlapping windows (8:29–8:34, 8:34–8:39, 8:39–8:44, etc.) until it “ages out.”
      • Because your alert is stateless (it simply fires whenever count ≥ 1) you get an email each evaluation period that still returns that same record.
    2. How to stop the repeated firings Option A – Add a strict time filter so you only pick up new runs: ­ ­- Modify your query to explicitly filter for events in the current interval, for example:
      AzureDiagnostics | where ResourceProvider=="MICROSOFT.AUTOMATION" and Category=="JobLogs" and ResultType=="Completed" and RunbookName_s=="Restart-MyApp-Runbook" and TimeGenerated >= ago(5m) // <- only this interval
      ­ ­- Leave your frequency at 5 minutes and lookback at 5 minutes. Now once the job falls outside that window, it won’t trigger again. Option B – Group by JobId and only alert on the first occurrence: ­ ­- Summarize by JobId_g then count, and trigger when count == 1. ­ ­- That way you only fire once per JobId, regardless of how many windows it spans. Option C – Switch to a stateful Metric Alert on the “Total Jobs” metric: ­ ­- Azure Automation emits a TotalJobs metric you can filter by RunbookName and Status=Completed. ­ ­- Metric Alerts are stateful, so once they fire they won’t fire again until the condition clears and re-triggers. Option D – Use the alert’s advanced settings to reduce noise: ­ ­- Enable “Automatically resolve alerts” so only one alert is active at a time. ­ ­- Increase “Number of violations” or “Evaluation period” so you only fire after 2+ consecutive windows.
    3. No known platform outage or backend change
      • We checked service health – no Log Analytics or Monitor outages on or after 01-June-2026.
      • This is simply how stateless log alerts work when your matching record overlaps multiple evaluation windows.

    Give one of those options a try (adding the TimeGenerated filter is the quickest). That should restore you to a single email per run.

    — Reference docs —

    1. Troubleshoot duplicate log alert firings
    2. Limit log alert query to time window
    3. Use Metric Alert on Automation runbook metrics
    4. De-duplication patterns in Kusto queries (summarize by JobId)

    Was this answer helpful?

    1 person found this answer helpful.
  2. Jerald Felix 13,255 Reputation points Volunteer Moderator
    2026-06-03T05:41:54.69+00:00

    Hello Amol Garse,

    Greetings! Thanks for raising this question in Q&A forum.

    The reason this is happening is actually not a platform bug or a recent Azure outage — it is the expected behavior of a stateless log alert with a 5-minute lookback window. When your runbook completes and writes a single log record, that same record keeps appearing in every overlapping 5-minute evaluation window until it "ages out." Since your alert simply fires whenever it finds count ≥ 1, it sends an email on every evaluation cycle that still sees that record — which is why you see emails at exactly 8:34, 8:39, 8:44 PM and so on.

    Here is how you can fix this with a few easy options:

    Option 1 (Quickest Fix) — Add a strict time filter to your query

    Update your KQL query to only look at events from the very current interval by adding | where TimeGenerated >= ago(5m) like this:

    AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION"
    and Category == "JobLogs"
    and ResultType == "Completed"
    and RunbookName_s == "Restart-MyApp-Runbook"
    and TimeGenerated >= ago(5m)
| project TimeGenerated, RunbookName_s, ResultType, _ResourceId, JobId_g

    This ensures once the job record is older than 5 minutes, it no longer matches the query and the alert stops firing.

    Option 2 — De-duplicate by Job ID

    Modify the query to group results by JobId_g and alert only on the first unique occurrence. Add a summarize line like this:

    | summarize Count=count() by JobId_g
| where Count == 1

    This way even if the same record appears in multiple windows, you only ever alert once per unique job.

    Option 3 — Enable "Automatically Resolve Alerts" (Stateful Mode)

    Go to your Alert Rule in the Azure Portal, click Edit, scroll to the advanced settings, and turn on "Automatically resolve alerts". This makes the alert stateful — once it fires, it won't fire again until the condition clears and then retriggers fresh.

    Option 4 — Use the "Mute Actions" setting

    In your Alert Rule, set "Mute actions for" to 60 minutes. This is a quick safeguard that suppresses repeat notifications even if the alert keeps evaluating as true.

    Option 5 — Switch to a Metric Alert (Best Long-Term Option)

    Azure Automation natively emits a TotalJobs metric that you can filter by RunbookName and Status = Completed. Metric alerts are stateful by design and will only fire once per event — no more duplicate emails. Go to Azure Monitor → Alerts → Create → Select signal type as Metric and choose Total Jobs from your Automation Account.

    To directly answer your questions — there was no platform outage or backend change on 01-June-2026. This is simply how stateless log search alerts behave when the matching log record spans multiple overlapping evaluation windows. The fix is to either restrict the time window in your query (Option 1) or switch to stateful alert behavior (Option 3 or 5).

    If this answer helps you kindly accept the answer which will help others who have similar questions.

    Best Regards,

    Jerald Felix.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.