Azure Monitor log alert firing repeatedly for a single Automation runbook completion event

Bipin Kadam 60 Reputation points
2026-06-03T02:44:09.21+00:00

We have an Azure Monitor Log Search Alert configured for an Azure Automation runbook that restarts an Azure App Service twice daily.

This alert has worked correctly for a long time and historically generated one alert notification per runbook execution.

Starting on 01-Jun-2026, the same alert began firing multiple times for a single runbook execution, generating multiple email notifications every ~5 minutes.

Current Setup

Runbook Schedule

Restart web app at 08:00 JST every day

Restart web app at 20:30 JST every day

Alert Query

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION"
| where Category == "JobLogs"
| where ResultType == "Completed"
| where RunbookName_s == "Restart-MyApp-Runbook"
| project TimeGenerated, RunbookName_s, ResultType, ResourceId, JobId_g

Alert Configuration

Measurement: Table rows

Aggregation: Count

Aggregation granularity: 5 minutes

Threshold: Count >= 1

Evaluation frequency: 5 minutes

Evaluation period: 5 minutes (1 aggregated point)

Action: Send email

Expected Behavior

Historically, one runbook execution generated one alert.

Example:

31-May-2026: Alert fired once around 08:09 JST

Actual Behavior

On 01-Jun-2026, a single runbook execution generated repeated alert notifications at approximately 5-minute intervals.

Example times (JST):

20:34

20:39

20:44

20:49

20:54

20:59

21:04

Each alert firing resulted in multiple email notifications being sent.

Validation Performed

We checked the underlying Log Analytics data and found:

Only one Automation Job ID exists during the relevant time window

Only one completed record exists for that Job ID

Runbook executed only once

This does not appear to be caused by multiple runbook executions or duplicate log records.

Questions

Have there been any recent backend/platform changes in Azure Monitor Scheduled Query Alerts, alert state handling, or Azure Automation logs that could explain this behavior?

Under this configuration, is it expected that a Scheduled Query Alert continues firing every evaluation cycle even when only a single matching log record exists?

Has anyone observed similar behavior with Azure Automation JobLogs and Scheduled Query Rules?

Are there any known issues or recommendations to prevent duplicate alert notifications for a single runbook completion event?

Any guidance would be appreciated. Thanks.

Azure Monitor


2 answers

  1. Jerald Felix 15,370 Reputation points Volunteer Moderator
    2026-06-03T04:40:26.99+00:00

    Hello Bipin Kadam,

    Greetings! Thanks for raising this question in the Q&A forum.

    The reason this is happening is that your Log Search Alert is configured as a stateless alert. This means Azure Monitor does not remember that it already fired for the same condition, so every time it evaluates the query (every 5 minutes) and still finds that one matching log record within the lookback window, it fires the alert again. This behavior may have become more consistent due to recent backend changes in Azure Monitor's Scheduled Query Rules engine around June 2026.

    Here's how you can fix this:

    Step 1: Switch to a Stateful Alert

    Go to your Alert Rule in the Azure Portal and edit it. Under the "Alert logic" section, look for the option "Automatically resolve alerts" and enable it. This makes the alert stateful — once it fires, it won't fire again until the condition clears and re-triggers.

    Step 2: Adjust the Aggregation Granularity and Evaluation Period

    Since your runbook runs twice a day, there's no need to evaluate every 5 minutes. Update the settings like this:

    • Aggregation granularity: 15 or 30 minutes
    • Evaluation frequency: 15 or 30 minutes
    • Evaluation period: 30 minutes

    This reduces the chance of the same log record being caught in multiple evaluation windows.

    Step 3: Add a Time-Based Filter to Your Query

    Narrow the query so it only picks up records from a fresh window. For example, add this line to your KQL query:

    | where TimeGenerated >= ago(6m)
    

    This ensures only very recent records are matched, so once the record ages out of that window, the alert stops firing.

    Step 4: Use the "Mute actions" (Suppress Alerts) Option

    In the Alert Rule, set "Mute actions for" to something like 60 minutes. This prevents repeated notifications even if the alert keeps evaluating as true.

    Step 5: Verify the Fix

    After saving, wait for the next scheduled runbook execution (08:00 or 20:30 JST) and confirm that only one email notification is received.

    To directly answer your questions: yes, this is expected behavior for a stateless alert with a short evaluation window. There have been platform-side changes in Azure Monitor's Scheduled Query Rules that can make this more pronounced. The fix is primarily switching to stateful mode and widening your evaluation window.

    If this answer helps you, kindly accept the answer, which will help others who have similar questions.

    Best Regards,

    Jerald Felix.

    1 person found this answer helpful.

  2. Bharath Y P 10,165 Reputation points Microsoft External Staff Moderator
    2026-06-03T05:41:07.92+00:00

    Hello Bipin, it looks like your Scheduled Query Alert is working exactly as it’s designed today—it’s stateless, so as long as the query returns ≥1 row in each 5-minute evaluation window, it will fire again, even if it’s the same runbook completion event. Historically you may have only seen one notification because either the record fell outside subsequent windows, or the platform silently suppressed duplicate firings, but under the current behavior every evaluation cycle that sees that single JobLogs record will trigger the action.

    Here’s what you can do to get back to just one notification per runbook job:

    1. Scope the query to the evaluation window: Add an explicit time filter so the query only returns records in the last 5 minutes. For example:

         AzureDiagnostics
         | where ResourceProvider == "MICROSOFT.AUTOMATION"
           and Category == "JobLogs"
           and ResultType == "Completed"
           and RunbookName_s == "Restart-MyApp-Runbook"
           and TimeGenerated > ago(5m)
         | summarize Jobs = dcount(JobId_g)

       Then alert on Jobs >= 1. Because you’re deduplicating by JobId_g and only looking at the recent window, once your runbook’s completion record moves out of that 5-minute bucket, the alert stops firing.
    2. Use distinct count instead of raw row count: If you leave the built-in aggregation as “Table rows” + Count >= 1, the rule simply checks “is there at least one row?” each cycle. By switching to a Kusto summarize dcount(JobId_g) you ensure each unique job only counts once.
    3. Consider a metric alert on Total Jobs: Azure Automation emits a “Total Jobs” platform metric with dimensions for RunbookName and Status. Metric alerts on “TotalJobs” = 1 for status “Completed” will fire once per job and resolve automatically when the metric drops back below the threshold.
    4. (Optional) Use Alert Processing Rules for suppression: If you want to keep your query as-is but suppress duplicate notifications, you can author an Alert Processing Rule to “suppress” actions from firing more than once within a given time span.

    To answer your specific questions:

    • We’re not aware of any Azure Monitor backend change that would retroactively duplicate log records—but Azure Scheduled Query Alerts have always been stateless, and every cycle that returns a match will fire again.
    • Yes, under the default configuration a log alert will keep firing every evaluation interval as long as it sees ≥1 matching record in that period.
    • The root cause in your case is the combination of “table rows” + “count ≥ 1” + no dedup/time filter—so once the same completed log exists in each new time window, you get repeat emails.

    Give the above tweaks a try, and you should see exactly one alert per runbook run.

    Hope this helps. If the information was useful, please consider accepting the answer and upvoting. Feel free to reach out if you need any further assistance. Thank you.
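
Added example (not part of either answer, and not Azure Monitor's own code): a simplified Python model of the evaluation loop both answers describe, showing how many notifications one matching row produces as the queried time range and the stateless/stateful setting change. The record time, the job id and the 35-minute range are constructed values, chosen only because they reproduce a 5-minute repeat pattern; they are an assumption, not a diagnosis of this rule.

```python
from datetime import datetime, timedelta

def notifications(records, first_eval, runs, frequency, lookback, stateful=False):
    """Return the evaluation times at which a notification is sent.

    records  : (TimeGenerated, JobId) rows the alert query can match
    lookback : width of the time range each evaluation queries,
               modelled as the half-open interval (now - lookback, now]
    stateful : if True, notify only when the rule goes from not-met to met
    """
    sent, firing = [], False
    for i in range(runs):
        now = first_eval + i * frequency
        # Distinct job ids visible to this evaluation (dcount(JobId_g)).
        jobs = {job for ts, job in records if now - lookback < ts <= now}
        met = len(jobs) >= 1                      # threshold: >= 1
        if met and not (stateful and firing):
            sent.append(now)
        firing = met                              # resolves once the row ages out
    return sent

# Constructed sample: a single "Completed" JobLogs row (JST, made-up job id).
RECORDS = [(datetime(2026, 6, 1, 20, 32), "job-0001")]
FIRST_EVAL = datetime(2026, 6, 1, 20, 34)
FIVE_MIN = timedelta(minutes=5)

def scenario(lookback_minutes, stateful=False):
    """Run 12 evaluations, 5 minutes apart, and return the send times."""
    sent = notifications(RECORDS, FIRST_EVAL, 12, FIVE_MIN,
                         timedelta(minutes=lookback_minutes), stateful)
    return [t.strftime("%H:%M") for t in sent]

if __name__ == "__main__":
    print("5 min range, stateless :", scenario(5))
    print("35 min range, stateless:", scenario(35))
    print("35 min range, stateful :", scenario(35, stateful=True))
```

In this model, deduplicating by job id does not reduce repeats on its own: the same job is still counted once in every evaluation whose range contains it, so the repeat count is governed by the range-to-frequency ratio and by whether the rule is stateful.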
