Why is my payload empty when sending alert with log analytics using logic app to slack

Question

Why is my payload empty when sending alert with log analytics using logic app to slack

Sai Kumar 0

I have setup an alert in azure using log analytics and this is my KQL

ContainerAppConsoleLogs_CL
| where Log_s has "[E]"
| where TimeGenerated > ago(5m)
| extend ErrorType = extract(@"^\[E\](.*?){", 1, Log_s)
| summarize
    Count = count(),
    SampleLog = any(Log_s),
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated)
    by ErrorType, Source = "ConsoleLogs"
| extend
    AlertDescription = ErrorType,
    ErrorTypeText = strcat("*Error Type:*\n", ErrorType),
    SampleLogText = strcat("*Sample Log:*\n", replace_string(tostring(SampleLog), "\"", "\\\""))  // escape quotes
| extend SlackPayload = strcat("{",
    "\"text\": \"🚨 *Error Report*\",",
    "\"blocks\": [",
        "{",
            "\"type\": \"section\",",
            "\"fields\": [",
                "{ \"type\": \"mrkdwn\", \"text\": \"", ErrorTypeText, "\" },",
                "{ \"type\": \"mrkdwn\", \"text\": \"", SampleLogText, "\" }",
            "]",
        "}",
    "]",
"}")
| project AlertDescription, ErrorType, SampleLog, Source, Count, SlackPayload

I setup a logic app connected it with one of our slack channels. It was triggering a message but the payload is arriving as empty in slack. I setup the post message v2 to fetch the parameters such as the error log and the alert type.
User's image

It is coming empty handed into slack channel. No details on logs. Can anyone please help me on this.

Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-29T21:28:34.47+00:00

Hello Sai Kumar,

If your logic app triggered by alert, please share us the RAW output of http trigger.

If you're triggering logic app manually, it is expected that you will not receive payload.

Sai Kumar 0

{
    "headers": {
        "Expect": "100-continue",
        "Host": "prod-51.southeastasia.logic.azure.com",
        "Max-Forwards": "10",
        "User-Agent": "IcMBroadcaster/1.0",
        "X-CorrelationContext": "RkkKACgAAAACAAAAEADmpEgnz7OiTqN3ABkB6igXAQAQAB8dYuDzjfNAlEbN9phCTy0=",
        "X-ARR-LOG-ID": "5e7d80dc-4fda-496f-8ada-bd0b18a5f06f",
        "CLIENT-IP": "107.45.211.70:20992”,
        "DISGUISED-HOST": "prod-51.southeastasia.logic.azure.com",
        "X-SITE-DEPLOYMENT-ID": "flowfe-prod-sg-rp00-app-01__b52b",
        "WAS-DEFAULT-HOSTNAME": "flowfe-prod-sg-rp00-app-01.flow-prod-sg-rp00-ase-01.p.azurewebsites.net",
        "X-Forwarded-Proto": "https",
        "X-AppService-Proto": "https",
        "X-ARR-SSL": "2048|256|CN=Microsoft Azure RSA TLS Issuing CA 08, O=Microsoft Corporation, C=US|CN=southeastasia.logic.azure.com, O=Microsoft Corporation, L=Redmond, S=WA, C=US",
        "X-Forwarded-TlsVersion": "1.3",
        "X-Forwarded-For": "104.42.215.69:50283",         "X-Original-URL": "/workflows/7f7315592aa34d359bcc9f09eb87ba68/triggers/When_a_HTTP_request_is_received/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_HTTP_request_is_received%2Frun&sv=1.0&sig=mnTCjyQjF_NG35j7Gz8Zf49BbkpdcaSCxqmZl4zn1rs",
        "X-WAWS-Unencoded-URL": "/workflows/7f7315592aa34d359bcc9f09eb87ba68/triggers/When_a_HTTP_request_is_received/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_HTTP_request_is_received%2Frun&sv=1.0&sig=mnTCjyQjF_NG35j7Gz8Zf49BbkpdcaSCxqmZl4zn1rs",
        "Content-Length": "10936",
        "Content-Type": "application/json; charset=utf-8"
    },
    "body": {
        "schemaId": "azureMonitorCommonAlertSchema",
        "data": {
            "essentials": {
                "alertId": "/subscriptions/f54c8335-2b2f-4664-a602-a0c374434b29/providers/Microsoft.AlertsManagement/alerts/8eb692cb-51a8-9aef-4a19-b9afed56001d",
                "alertRule": "Errors in console logs",
                "targetResourceType": "microsoft.operationalinsights/workspaces",
                "alertRuleID": "/subscriptions/f54c8335-2b2f-4664-a602-a0c374434b29/resourceGroups/org-prod-infra/providers/microsoft.insights/scheduledqueryrules/Errors in console logs",
                "severity": "Sev2",
                "signalType": "Log",
                "monitorCondition": "Fired",
                "targetResourceGroup": "org-prod-infra",
                "monitoringService": "Log Alerts V2",
                "alertTargetIDs": [
                    "/subscriptions/f54c8335-2b2f-4664-a602-a0c374434b29/resourcegroups/org-prod-infra/providers/microsoft.operationalinsights/workspaces/loganalytics-prod-infra"
                ],
                "configurationItems": [
                    "/subscriptions/f54c8335-2b2f-4664-a602-a0c374434b29/resourceGroups/org-prod-infra/providers/Microsoft.OperationalInsights/workspaces/loganalytics-prod-infra"
                ],
                "originAlertId": "5d6d5f96-952d-42c0-93c0-2e943fbcc036",
                "firedDateTime": "2025-04-29T04:03:34.091726Z",
                "description": "Error in application logs",
                "essentialsVersion": "1.0",
                "alertContextVersion": "1.0",
                "investigationLink": "https://portal.azure.com/#view/Microsoft_Azure_Monitoring_Alerts/Investigation.ReactView/alertId/%2fsubscriptions%2ff54c8335-2b2f-4664-a602-a0c374434b29%2fresourceGroups%2forg-prod-infra%2fproviders%2fMicrosoft.AlertsManagement%2falerts%2f8eb692cb-51a8-9aef-4a19-b9afed56001d"
            },
            "alertContext": {
                "properties": {},
                "conditionType": "LogQueryCriteria",
                "condition": {
                    "windowSize": "PT1M",
                    "allOf": [
                        {
                            "searchQuery": "ContainerAppConsoleLogs_CL \n| where Log_s has \"[E]\" \n| where TimeGenerated > ago(6h)\n| extend ErrorType = extract(@\"^\\[E\\](.*?){\", 1, Log_s)\n| where not(Log_s has \"Twitter API error\" or Log_s has \"Error refreshing token\" or Log_s has \"failed to refresh token\" or Log_s has \"axios\")\n| summarize\n    Count = count(),\n    SampleLog = any(Log_s),\n    StartTime = min(TimeGenerated),\n    EndTime = max(TimeGenerated)\n    by ErrorType, Source = \"ConsoleLogs\"\n| project\n    AlertDescription = strcat(\"Error Type: \", ErrorType, \"\\nSample Log: \", SampleLog),\n    ErrorType,\n    SampleLog,\n    Source = \"ConsoleLogs\",\n    Count,\n    SlackPayload = strcat(\"{\\\"text\\\": \\\"🚨 Error Report\\\", \\\"blocks\\\": [{\\\"type\\\": \\\"section\\\", \\\"fields\\\": [{\\\"type\\\": \\\"mrkdwn\\\", \\\"text\\\": \\\"*Error Type:*\\n\", ErrorType, \"\\\"}, {\\\"type\\\": \\\"mrkdwn\\\", \\\"text\\\": \\\"*Sample Log:*\\n\", SampleLog, \"\\\"}]}]}\")\n| extend ErrorType = iif(isnull(ErrorType), \"NoError\", ErrorType)\n\n",
                            "metricMeasureColumn": null,
                            "targetResourceTypes": "['Microsoft.OperationalInsights/workspaces']",
                            "operator": "GreaterThan",
                            "threshold": "0",
                            "timeAggregation": "Count",
                            "dimensions": [
                                {
                                    "name": "AlertDescription",
                                    "value": "Error Type: Max retry attempts reached: \nSample Log: [E]Max retry attempts reached: {\"error\":\"duplicate key value violates unique constraint \\\"memories_pkey\\\"\",\"totalAttempts\":3}"
                                },
                                {
                                    "name": "SlackPayload",
                                    "value": "{\"text\": \"🚨 Error Report\", \"blocks\": [{\"type\": \"section\", \"fields\": [{\"type\": \"mrkdwn\", \"text\": \"*Error Type:*\nMax retry attempts reached: \"}, {\"type\": \"mrkdwn\", \"text\": \"*Sample Log:*\n[E]Max retry attempts reached: {\"error\":\"duplicate key value violates unique constraint \\\"memories_pkey\\\"\",\"totalAttempts\":3}\"}]}]}"
                                }
                            ],
                            "metricValue": 1,
                            "failingPeriods": {
                                "numberOfEvaluationPeriods": 1,
                                "minFailingPeriodsToAlert": 1
                            },
                            "linkToSearchResultsUI": "https://portal.azure.com#@b1dc1597-3c0c-4159-85c3-83ff2a880d59/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2Ff54c8335-2b2f-4664-a602-a0c374434b29%2FresourceGroups%2Forg-prod-infra%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Floganalytics-prod-infra%22%7D%5D%7D/q/eJyNk8%2BO2jAQxu%2F7FCOfHBRWKWIrFal%2FEEVVpVW16nIqoStvMiwuiR3ZRkC3fZFe9rqP10fo2Akkizg0OSSe%2BXnmmy%2FORCsnpEIzrqqJVlYXeK0f7N3kGi5%2BwXaFBoECdxZWwgKbTxesTcxkiZ%2BQNguHObwDntOLoyAfJIOrfjLsD97MkuEoGYyGV5dJfX2LoA%2BvVxFVwZ1DlcPUGG1m%2BwrhrQ8ZkTn%2BgX1P59N0wS9776NHFsOruNYRHbsr7XhH2mwrnUMD45vPgL4iA2262kMbMLg0aFdSPYDTa1Sn1FLIgoZx%2BkCex8ROasu8GLspS2HkT7wAuiZ6oxzNkfknj%2BIQvBVlFXylhFD7WvUh54Rx3kjKlVLxF542zFTlB0LsTogA3O9bE2O41RuTeZp1vigjqZXRPzBzYcu4QOM%2Bos2MrJzUinDrTCYcb4zytUZAzncqs1TVs3grQvI42kHqEX45ebM8qyxunWuwQmTrG7EvtMg7uh5T5uh8pGwEKfv79Oe57gZfsdKGwjGF7wudra1H5h4nITVuaW6asoaWEov8DFSadb5tmLZTr%2BNHL1WnjrDfMfxPlY5xdZXWm1BlQXc4UGf%2BCimXXFq1KQp%2BDEe07YsOy66k6B8%3D/prettify/1/timespan/2025-04-27T04%3a02%3a45.0000000Z%2f2025-04-29T04%3a02%3a45.0000000Z",
                            "linkToFilteredSearchResultsUI": "https://portal.azure.com#@b1dc1597-3c0c-4159-85c3-83ff2a880d59/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2Ff54c8335-2b2f-4664-a602-a0c374434b29%2FresourceGroups%2Forg-prod-infra%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Floganalytics-prod-infra%22%7D%5D%7D/q/eJzFU8Fu00AQvecrRnupXblVCC0SlgqNQoSQSlXRnKhLtbUnzZL1rtldNwmhP8KFK5%2FHJzBrO4kTSsWN5JDszNvZN2%2FeDLRyXCg0%2FaIYaGW1xDN9Z28GZ9D5BrMJGgQK3FiYcAvsanjNNomRyPEt0mXuMINXEGT0x1Ew6HV7xwfdo4Pey1H3KO724qPjw279%2BRjCAbyYhFQF5w5VBkNjtBktCoQTHzI8dcEp%2B5RcDZPr4HD%2FdbhkETyLah7h%2BnWlXdCiNpoJ59BA%2F%2BIdoK%2FIQJs29%2BoZMDg2aCdC3YHTU1S7qDEXkppxeoV8HMbnQlvmydgyz7kRX7ED9BnoUjnqI%2FW%2FQRhVwUueF5WulOBqUbNe5Rw3zgtJuVyoYEvTBjNU2QrB5zuICnC72IgYwaUuTerRrDVRRlQLoz9j6qorfYnGvUGbGlE4oRXBrTMpd0EjlK8VAynfqswSVffipaiS69ZWVNfg7c6b46PMoo1yDUzydHrBF1LzrMVrmTBH%2FkhYDAn79eP7z%2Fo1%2BICFNhSOKHwrdTq1HnLl4USkhlvqm7qsQWOBMnsElJtpNmswm5f2W3rsJ2pXEfYQwb9UaQlXV9loU1W5pi%2F7y1YIMQ6EVaWUwToc0rVzXR3blMLVejhNupHNg91Jh3ByAqd77Sm%2F53OyuzML4LRDeeEsHXk6wSyGTnvitP9PYZes3ryYZWUhBU0NYYoLuOeyRLgXWlLEQqnEFzqn5AHadkELQ6phro1Ae1PQhYSxiDntuOw3b7D4%2BcMeLU%2B26avtkqanZSU46f2nPUijxhzV2Kt5eWBjDJ%2BubbGdrofps6vKW3boPKVG5YynKrUt0fmv0tb22%2FsN/prettify/1/timespan/2025-04-27T04%3a02%3a45.0000000Z%2f2025-04-29T04%3a02%3a45.0000000Z",
                            "linkToSearchResultsAPI": "https://api.loganalytics.io/v1/workspaces/7a28570e-97fb-4c6a-81b0-9daf1ea53cd6/query?query=ContainerAppConsoleLogs_CL%20%0A%7C%20where%20Log_s%20has%20%22%5BE%5D%22%20%0A%7C%20where%20TimeGenerated%20%3E%20%28datetime%282025-04-29T04%3A02%3A45.0000000Z%29%20-%206h%29%0A%7C%20extend%20ErrorType%20%3D%20extract%28%40%22%5E%5C%5BE%5C%5D%28.%2A%3F%29%7B%22%2C%201%2C%20Log_s%29%0A%7C%20where%20not%28Log_s%20has%20%22Twitter%20API%20error%22%20or%20Log_s%20has%20%22Error%20refreshing%20token%22%20or%20Log_s%20has%20%22failed%20to%20refresh%20token%22%20or%20Log_s%20has%20%22axios%22%29%0A%7C%20summarize%0A%20%20%20%20Count%20%3D%20count%28%29%2C%0A%20%20%20%20SampleLog%20%3D%20any%28Log_s%29%2C%0A%20%20%20%20StartTime%20%3D%20min%28TimeGenerated%29%2C%0A%20%20%20%20EndTime%20%3D%20max%28TimeGenerated%29%0A%20%20%20%20by%20ErrorType%2C%20Source%20%3D%20%22ConsoleLogs%22%0A%7C%20project%0A%20%20%20%20AlertDescription%20%3D%20strcat%28%22Error%20Type%3A%20%22%2C%20ErrorType%2C%20%22%5CnSample%20Log%3A%20%22%2C%20SampleLog%29%2C%0A%20%20%20%20ErrorType%2C%0A%20%20%20%20SampleLog%2C%0A%20%20%20%20Source%20%3D%20%22ConsoleLogs%22%2C%0A%20%20%20%20Count%2C%0A%20%20%20%20SlackPayload%20%3D%20strcat%28%22%7B%5C%22text%5C%22%3A%20%5C%22%F0%9F%9A%A8%20Error%20Report%5C%22%2C%20%5C%22blocks%5C%22%3A%20%5B%7B%5C%22type%5C%22%3A%20%5C%22section%5C%22%2C%20%5C%22fields%5C%22%3A%20%5B%7B%5C%22type%5C%22%3A%20%5C%22mrkdwn%5C%22%2C%20%5C%22text%5C%22%3A%20%5C%22%2AError%20Type%3A%2A%5Cn%22%2C%20ErrorType%2C%20%22%5C%22%7D%2C%20%7B%5C%22type%5C%22%3A%20%5C%22mrkdwn%5C%22%2C%20%5C%22text%5C%22%3A%20%5C%22%2ASample%20Log%3A%2A%5Cn%22%2C%20SampleLog%2C%20%22%5C%22%7D%5D%7D%5D%7D%22%29%0A%7C%20extend%20ErrorType%20%3D%20iif%28isnull%28ErrorType%29%2C%20%22NoError%22%2C%20ErrorType%29&timespan=2025-04-27T04%3a02%3a45.0000000Z%2f2025-04-29T04%3a02%3a45.0000000Z",
                            "linkToFilteredSearchResultsAPI": "https://api.loganalytics.io/v1/workspaces/7a28570e-97fb-4c6a-81b0-9daf1ea53cd6/query?query=ContainerAppConsoleLogs_CL%20%0A%7C%20where%20Log_s%20has%20%22%5BE%5D%22%20%0A%7C%20where%20TimeGenerated%20%3E%20%28datetime%282025-04-29T04%3A02%3A45.0000000Z%29%20-%206h%29%0A%7C%20extend%20ErrorType%20%3D%20extract%28%40%22%5E%5C%5BE%5C%5D%28.%2A%3F%29%7B%22%2C%201%2C%20Log_s%29%0A%7C%20where%20not%28Log_s%20has%20%22Twitter%20API%20error%22%20or%20Log_s%20has%20%22Error%20refreshing%20token%22%20or%20Log_s%20has%20%22failed%20to%20refresh%20token%22%20or%20Log_s%20has%20%22axios%22%29%0A%7C%20summarize%0A%20%20%20%20Count%20%3D%20count%28%29%2C%0A%20%20%20%20SampleLog%20%3D%20any%28Log_s%29%2C%0A%20%20%20%20StartTime%20%3D%20min%28TimeGenerated%29%2C%0A%20%20%20%20EndTime%20%3D%20max%28TimeGenerated%29%0A%20%20%20%20by%20ErrorType%2C%20Source%20%3D%20%22ConsoleLogs%22%0A%7C%20project%0A%20%20%20%20AlertDescription%20%3D%20strcat%28%22Error%20Type%3A%20%22%2C%20ErrorType%2C%20%22%5CnSample%20Log%3A%20%22%2C%20SampleLog%29%2C%0A%20%20%20%20ErrorType%2C%0A%20%20%20%20SampleLog%2C%0A%20%20%20%20Source%20%3D%20%22ConsoleLogs%22%2C%0A%20%20%20%20Count%2C%0A%20%20%20%20SlackPayload%20%3D%20strcat%28%22%7B%5C%22text%5C%22%3A%20%5C%22%F0%9F%9A%A8%20Error%20Report%5C%22%2C%20%5C%22blocks%5C%22%3A%20%5B%7B%5C%22type%5C%22%3A%20%5C%22section%5C%22%2C%20%5C%22fields%5C%22%3A%20%5B%7B%5C%22type%5C%22%3A%20%5C%22mrkdwn%5C%22%2C%20%5C%22text%5C%22%3A%20%5C%22%2AError%20Type%3A%2A%5Cn%22%2C%20ErrorType%2C%20%22%5C%22%7D%2C%20%7B%5C%22type%5C%22%3A%20%5C%22mrkdwn%5C%22%2C%20%5C%22text%5C%22%3A%20%5C%22%2ASample%20Log%3A%2A%5Cn%22%2C%20SampleLog%2C%20%22%5C%22%7D%5D%7D%5D%7D%22%29%0A%7C%20extend%20ErrorType%20%3D%20iif%28isnull%28ErrorType%29%2C%20%22NoError%22%2C%20ErrorType%29%7C%20where%20tostring%28AlertDescription%29%20%3D%3D%20%40%27Error%20Type%3A%20Max%20retry%20attempts%20reached%3A%20%0ASample%20Log%3A%20%5BE%5DMax%20retry%20attempts%20reached%3A%20%7B%22error%22%3A%22duplicate%20key%20value%20violates%20unique%20constraint%20%5C%22memories_pkey%5C%22%22%2C%22totalAttempts%22%3A3%7D%27%20and%20tostring%28SlackPayload%29%20%3D%3D%20%40%27%7B%22text%22%3A%20%22%F0%9F%9A%A8%20Error%20Report%22%2C%20%22blocks%22%3A%20%5B%7B%22type%22%3A%20%22section%22%2C%20%22fields%22%3A%20%5B%7B%22type%22%3A%20%22mrkdwn%22%2C%20%22text%22%3A%20%22%2AError%20Type%3A%2A%0AMax%20retry%20attempts%20reached%3A%20%22%7D%2C%20%7B%22type%22%3A%20%22mrkdwn%22%2C%20%22text%22%3A%20%22%2ASample%20Log%3A%2A%0A%5BE%5DMax%20retry%20attempts%20reached%3A%20%7B%22error%22%3A%22duplicate%20key%20value%20violates%20unique%20constraint%20%5C%22memories_pkey%5C%22%22%2C%22totalAttempts%22%3A3%7D%22%7D%5D%7D%5D%7D%27&timespan=2025-04-27T04%3a02%3a45.0000000Z%2f2025-04-29T04%3a02%3a45.0000000Z",
                            "event": null
                        }
                    ],
                    "windowStartTime": "2025-04-27T04:02:45Z",
                    "windowEndTime": "2025-04-29T04:02:45Z"
                }
            },
            "customProperties": {}
        }
    }
}

Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-30T16:59:50.1033333+00:00

Hello Sai Kumar,

Could you please respond to my private message to proceed further on this issue.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-05-01T11:06:54.6266667+00:00

Hello Sai Kumar,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-05-02T19:41:43.9366667+00:00

Hello Sai Kumar,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.

Here is the reference link on How to access & Data Privacy policy of private messages in Microsoft QnA.

Your answer

Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-29T21:28:34.47+00:00

Hello Sai Kumar,

If your logic app triggered by alert, please share us the RAW output of http trigger.

If you're triggering logic app manually, it is expected that you will not receive payload.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-04-30T16:59:50.1033333+00:00

Hello Sai Kumar,

Could you please respond to my private message to proceed further on this issue.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-05-01T11:06:54.6266667+00:00

Hello Sai Kumar,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
Praveen Kumar Gudipudi 170 Reputation points Microsoft External Staff

2025-05-02T19:41:43.9366667+00:00

Hello Sai Kumar,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.

Here is the reference link on How to access & Data Privacy policy of private messages in Microsoft QnA.

Share via

Why is my payload empty when sending alert with log analytics using logic app to slack

Your answer