Extracting VM Names from Azure Monitor Alert Payload in Logic App Emails

Dilshad 0 Reputation points
2025-08-04T05:17:37.9333333+00:00

Using an Azure Logic App to send email notifications for VM backup events (success/failure) monitored via Azure Monitor Alerts. The VM backups are configured through an Azure Recovery Services Vault, with logs sent to a Log Analytics Workspace.

Setup:

  • VM backup jobs send logs to Log Analytics.
  • Alert Rules are based on a query from the AddonAzureBackupJobs table.
  • Alerts trigger a Logic App that sends an email using Outlook.

Log Analytics Query:

AddonAzureBackupJobs
| where JobStatus == "Completed"
| where JobOperation == "Backup"
| where TimeGenerated > ago(2000m)
| extend VMName = tostring(split(BackupItemUniqueId, ";")[4])
| summarize LastSuccess = max(TimeGenerated) by VMName
| project VMName, LastSuccess

This query returns a list of VM names and timestamps.

Email Logic App Expression:

concat('Backup was successful for the following VMs:\n', join(coalesce(triggerBody()?['data']?['alertContext']?['properties']?['VMList'], json('[]')), '\n'))

Problem:

The email is triggered correctly, but the list of VM names does not appear in the email body. It seems that the alert payload doesn’t include the VMList property, or it's not passed in the expected format.

Question:

What modifications are necessary to pass the list of VM names from the Log Analytics query into the alert payload so that the Logic App can access and display the names in the email body? Should the query, alert rule, or Logic App expression be adjusted to achieve this?

Goal:

Receive email alerts from a Logic App that include a list of VM names that had a successful or failed backup.

Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.

2 answers

  1. Alex Burlachenko 13,330 Reputation points Volunteer Moderator
    2025-08-04T08:37:55.25+00:00

    Dilshad hi,

    thanks for posting this, really interesting scenario ))

    so u're almost there but the alert context isn't playing nice with the vm list. here's what's happening: when azure monitor triggers the alert, it doesn't automatically include the query results in the payload. that's why triggerBody()?['data']?['alertContext']?['properties']?['VMList'] comes up empty.

    u need to tweak the alert rule to include custom properties. in the alert rule definition under 'custom properties', add this json snippet

    { "VMList": "[concat('VM: ', tostring(split(BackupItemUniqueId, ';')[4]))]" }

    then in your logic app, modify the expression to grab this custom property instead

    concat('backup was successful for these vms: \n', join(coalesce(triggerBody()?['data']?['alertContext']?['customProperties']?['VMList'], json('[]')), '\n'))

    check the microsoft docs on custom alert properties here https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-common-schema-definitions

    sometimes the payload structure changes based on alert type. if this doesn't work immediately, try outputting the entire triggerBody() to see where exactly the data sits. u can do this with a compose action in logic apps and check the raw output ))

    when dealing with json payloads, always assume the structure might be nested differently than u expect. tools like postman or even the 'peek code' feature in logic apps are lifesavers for debugging.

    aha and one more thing! if u're working with multiple vms, consider adding a 'foreach' loop in the logic app to process each vm individually. makes the emails cleaner and easier to read.

    let me know if u hit any snags

    Alex

    and "yes" if you would follow me at Q&A - personally thx.
    P.S. If my answer helps you, please Accept my answer
    

    https://ctrlaltdel.blog/


  2. Michele Ariis 2,520 Reputation points MVP
    2025-08-04T08:39:17.1133333+00:00

    Hi, In Log Alerts v2, the alert payload does not include the query results anymore. The property properties.VMList doesn’t exist. Instead, the payload provides links like LinkToSearchResultsAPI or LinkToFilteredSearchResultsAPI, which you can use to fetch the actual data.

    Quick solution (no need to change your query):

    Keep your query as it is. It’s best if VMName is the first column.

    Make sure your Action Group uses the Common Alert Schema (it does by default).

    In your Logic App:

    Add an HTTP GET action that calls the LinkToFilteredSearchResultsAPI from the alert payload.

    Use a Managed Identity and assign the Log Analytics Reader role to the Logic App.

    Add a Parse JSON step to read the API response.

    Then, extract the first column from the result (the VM names) and use it to build the email body.

    Alternative if you don’t want to call the API:

    You can use the “Run query and list results” connector in the Logic App to re-run the same KQL, possibly filtering by the alert timestamp.

    What doesn’t work (and why you don’t see any data):

    Trying to access properties.VMList, or using static custom properties in the alert rule, won’t help — they don’t contain query results in v2 alerts.
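
The fetch-and-parse steps from the second answer, as an added example that is not part of either answer or of Microsoft's documentation: it reads the results link from the alert payload, checks the link's host before the Logic App's managed identity token would be sent to it, and pulls the VMName column out of the query API response. The function names, the allow-listed host, the location of the link under condition.allOf[] and the sample payload and response are assumptions or constructed data; confirm the real payload shape with a Compose action on triggerBody().

```javascript
// Added example. Helper names are hypothetical; sample data below is constructed.
// Assumption: Log Analytics query links are served from this host.
const ALLOWED_HOSTS = new Set(['api.loganalytics.io']);

// Find the results link in a common-alert-schema (Log Alerts v2) payload.
function resultsLink(alertBody) {
  const conditions = alertBody?.data?.alertContext?.condition?.allOf ?? [];
  const link = conditions.map(c => c.linkToFilteredSearchResultsAPI).find(Boolean);
  if (!link) throw new Error('payload has no linkToFilteredSearchResultsAPI');
  const url = new URL(link);
  // The managed identity token goes to this URL, so pin scheme and host first.
  if (url.protocol !== 'https:' || !ALLOWED_HOSTS.has(url.hostname)) {
    throw new Error(`refusing to call unexpected host: ${url.hostname}`);
  }
  return link;
}

// Read one column by name from the query API response: {tables:[{columns, rows}]}.
// Looking the column up by name avoids depending on VMName being first.
function columnValues(apiResponse, columnName) {
  const table = apiResponse?.tables?.[0];
  if (!table) return [];
  const idx = table.columns.findIndex(c => c.name === columnName);
  if (idx < 0) throw new Error(`column ${columnName} not in result`);
  return table.rows.map(row => String(row[idx]));
}

function emailBody(vmNames) {
  if (vmNames.length === 0) return 'No VMs were returned by the alert query.';
  return 'Backup was successful for the following VMs:\n' + vmNames.join('\n');
}

// Constructed alert payload (workspace id is a placeholder).
const sampleAlert = { data: { alertContext: { condition: { allOf: [{
  linkToFilteredSearchResultsAPI:
    'https://api.loganalytics.io/v1/workspaces/00000000-0000-0000-0000-000000000000/query?query=AddonAzureBackupJobs&timespan=P1D'
}] } } } };

// Constructed API response for the query in the question.
const sampleResponse = { tables: [{
  name: 'PrimaryResult',
  columns: [{ name: 'VMName', type: 'string' }, { name: 'LastSuccess', type: 'datetime' }],
  rows: [['vm-app-01', '2025-08-04T02:10:00Z'], ['vm-db-02', '2025-08-04T02:25:00Z']]
}] };
```

In the Logic App itself the same host check can be a Condition action placed before the HTTP GET, so a request to the workflow's trigger URL with a crafted link never receives the managed identity's token.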

