Azure Logic Apps: How to be notified if a logic app action connection breaks or fails

I want to build a logic app that tells me when any of the logic apps in my environment fail or a connection is broken. (both manual triggers of logic apps and automated)

The closest KQL I've found to achieve this is:

SentinelHealth 
| where TimeGenerated > ago(7d)
| where SentinelResourceType == "Automation rule"
| mv-expand TriggeredPlaybooks = ExtendedProperties.TriggeredPlaybooks
| extend runId = tostring(TriggeredPlaybooks.RunId)
| join (AzureDiagnostics 
    | where OperationName == "Microsoft.Logic/workflows/workflowRunCompleted"
    | extend IncidentNumber = toint(extract(@"[a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\_(\d+)", 1, correlation_clientTrackingId_s))
    | project
        IncidentNumber,
        resource_runId_s,
        playbookName = resource_workflowName_s,
        playbookRunStatus = status_s)
    on $left.runId == $right.resource_runId_s
| project
    RecordId,
    TimeGenerated,
    AutomationRuleName= SentinelResourceName,
    AutomationRuleStatus = Status,
    Description,
    workflowRunId = runId,
    playbookName,
    playbookRunStatus,
    IncidentNumber

KQL source

This is my workflow right now: the query runs and outputs to an HTML table, which gets emailed to me.

The issue is I know there are several logic apps in my environment that have failing actions or actions that are disconnected, that are not captured by my logic app + kql.

How would you tackle the problem of detecting and notifying when a logic app fails (both completely and when a particular action fails)?

0
LJsec On BEST ANSWER

If there are logic applications which are not appearing in your logs, make sure that you are sending their diagnostics settings to your Log Analytics workspace:

Go to Logic apps > Monitoring - Diagnostics > Diagnostic Settings:

Ensure that you are forwarding settings to the correct Log Analytics workspace.

Then you should be able to query the logs using this basic KQL:

AzureDiagnostics
| where OperationName endswith "workflowRunCompleted"
| summarize FailedRuns=countif(status_s == "Failed"), SuccessfulRuns=countif(status_s == "Succeeded") by LogicApp=resource_workflowName_s, ResourceGroup=resource_resourceGroupName_s
// Percentage of failed runs out of failed + successful runs; avoids dividing by zero when no run succeeded
| extend TotalRuns = FailedRuns + SuccessfulRuns
| extend PercentageFailed = iff(TotalRuns == 0, 0.0, round(todouble(FailedRuns) / TotalRuns * 100, 2))

You can adjust this as per your needs. Change line 2 to | where OperationName contains "Microsoft.Logic/workflows" for all logic app events being collected.

Another reason the logic apps may not be appearing is if they have not been run in the timeframe you are querying.

4
RithwikBojja On

Azure Logic Apps: How to be notified if a logic app action connection breaks or fails

One way is to check like below:

Another way is by adding a parallel action after every action, like below, to get alerted:

If failed, alert; else, if true, then the next action, like below:

For the above steps to work you need to add in code like below:

runAfter to failed

Output:

So, like this, for every action you need to add a parallel action (I have done it only for the action parsejson, to show how to do it), and for that action you need to change runAfter to failed; then you will get an alert.

Also refer to SO-Thread1 and SO-Thread2.

0
HarriS On

The following KQL can show you the logic app, the trigger from the Sentinel incident, the action in the logic app and the event of that action.

AzureDiagnostics 
    | where OperationName contains "Microsoft.Logic/workflows"
    | extend OperationType = tostring(split(OperationName,'/')[2])
    | extend LogicApp = tostring(split(ResourceId,'/')[8])
    | extend IncidentNumber = toint(extract(@"[a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\_(\d+)", 1, correlation_clientTrackingId_s))
    | summarize Resource = strcat_array(make_set(Resource),', '),
     status_s = strcat_array(make_set(status_s),', ')  by LogicApp, IncidentNumber, OperationType, Level

This will output the exact information on logic app runs. However, I'm noticing not all logic apps appear here.
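
Added example, not part of the question or any answer above: the posted queries summarise run-level `workflowRunCompleted` events, so a run whose failed action is handled by a `runAfter` branch can still report Succeeded. This query lists failed actions per logic app next to the final run status. It assumes the diagnostic settings also emit `workflowActionCompleted` events with `resource_actionName_s` and `error_code_s` columns, and it uses a constructed `datatable` in place of `AzureDiagnostics` so it runs without a workspace.

```kql
// Constructed sample rows standing in for AzureDiagnostics. Workflow names, run ids and
// error codes are made up; resource_actionName_s and error_code_s are assumed column names.
let SampleDiagnostics = datatable(
    TimeGenerated: datetime, OperationName: string, resource_workflowName_s: string,
    resource_runId_s: string, resource_actionName_s: string, status_s: string, error_code_s: string)
[
    datetime(2024-01-10 09:00:00), "Microsoft.Logic/workflows/workflowActionCompleted", "Enrich-Incident", "run-001", "Parse_JSON", "Succeeded", "",
    datetime(2024-01-10 09:00:02), "Microsoft.Logic/workflows/workflowActionCompleted", "Enrich-Incident", "run-001", "Send_email", "Failed", "Unauthorized",
    datetime(2024-01-10 09:00:03), "Microsoft.Logic/workflows/workflowRunCompleted", "Enrich-Incident", "run-001", "", "Failed", "ActionFailed",
    // Failed action followed by a successful handler: the run itself ends as Succeeded.
    datetime(2024-01-10 10:00:00), "Microsoft.Logic/workflows/workflowActionCompleted", "Block-IP", "run-002", "HTTP", "Failed", "BadGateway",
    datetime(2024-01-10 10:00:01), "Microsoft.Logic/workflows/workflowRunCompleted", "Block-IP", "run-002", "", "Succeeded", "",
    datetime(2024-01-10 11:00:00), "Microsoft.Logic/workflows/workflowRunCompleted", "Close-Incident", "run-003", "", "Succeeded", ""
];
// Final status of each run, so action failures can be shown next to it.
let RunOutcomes = SampleDiagnostics
    | where OperationName endswith "workflowRunCompleted"
    | project resource_runId_s, RunStatus = status_s;
SampleDiagnostics            // replace with AzureDiagnostics in a real workspace
| where OperationName endswith "workflowActionCompleted"
| where status_s in ("Failed", "TimedOut")
| join kind=leftouter RunOutcomes on resource_runId_s
| summarize
    FailedActionEvents = count(),
    FailedActions = make_set(resource_actionName_s),
    ErrorCodes = make_set(error_code_s),
    RunStatuses = make_set(RunStatus),
    LastFailure = max(TimeGenerated)
    by LogicApp = resource_workflowName_s
| order by LastFailure desc
```

On the sample rows, Block-IP appears with a failed `HTTP` action even though its run status is Succeeded, which is the case a run-level query does not show.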