Forum Discussion
Azure Backup Report
I think you need to add the filter later:
let Events = AzureDiagnostics | where Category == "AzureBackupReport"; Events | where OperationName == "Job" | where TimeGenerated > ago(30d) | project BackupItemUniqueId_s , JobStatus_s , JobStartDateTime_s | join kind=inner ( Events | where OperationName == "BackupItem" | distinct BackupItemUniqueId_s, BackupItemFriendlyName_s | project BackupItemUniqueId_s, BackupItemFriendlyName_s ) on BackupItemUniqueId_s | where BackupItemFriendlyName_s in ("CH-DCVM10","FAKEVM0001","FAKE1111") | summarize count() by BackupItemFriendlyName_s, JobStatus_s, JobStartDateTime_s
10k is the query limit (and while its possible to get 500k with the api); most people will want a short report of the data - I doubt you'll want to read 10k rows?
You could swap
| project Computer, HostName, OperatingSystemFullName
to something like this, the important part is the summarize which allows you to group your returned values. So rather than getting many rows for each "BackupFriendlyName_s" they are grouped together, I used count() so you can see how many are as well. You may need to experiment to find a method that works for you.
| summarize count() by BackupItemFriendlyName_s, JobFailureCode_s, Resource, JobStatus_s
CliveWatson Dear Sir,
Yes, we have more than 15000 servers in the cloud. those all need to be generated in a single backup report. so need to get more than 10000. we are using the below query to get the result
let Events = AzureDiagnostics
| where Category == "AzureBackupReport"; Events
| extend JobOperationSubType_s = columnifexists("JobOperationSubType_s", "")
| where OperationName == "Job" and JobOperation_s == "Backup" and JobOperationSubType_s != "Log" and JobOperationSubType_s != "Recovery point_Log"
| distinct JobUniqueId_g, BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s
| project BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s
| join kind=leftouter ( Events
| where OperationName == "BackupItem"
| distinct BackupItemUniqueId_s, BackupItemFriendlyName_s
| project BackupItemUniqueId_s , BackupItemFriendlyName_s ) on BackupItemUniqueId_s
| project BackupItemFriendlyName_s, BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s
| extend Vault= Resource
| extend dt = todatetime(JobStartDateTime_s)
| summarize count() by BackupItemFriendlyName_s, JobStatus_s, Vault, BackupItemUniqueId_s, JobFailureCode_s, NewDateTime=dt, JobStartDateTime_s
below warring, we are getting while running the above query.
Completed. Showing partial results from the last 24 hours.
00:06.0
10,000+ records
Showing the first 10,000 results. Learn more on how to narrow down the result set.
=============================================================
Also, we are trying the get the computer name, hostname name, and OS version but not able to get it Please help with this.
let Events = AzureDiagnostics
| project Computer, HostName, OperatingSystemFullName
| where Category == "AzureBackupReport"; Events
| extend JobOperationSubType_s = columnifexists("JobOperationSubType_s", "")
| where OperationName == "Job" and JobOperation_s == "Backup" and JobOperationSubType_s != "Log" and JobOperationSubType_s != "Recovery point_Log"
| distinct JobUniqueId_g, BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s
| project BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s
| join kind=leftouter ( Events
| where OperationName == "BackupItem"
| distinct BackupItemUniqueId_s, BackupItemFriendlyName_s
| project BackupItemUniqueId_s , BackupItemFriendlyName_s ) on BackupItemUniqueId_s
| project BackupItemFriendlyName_s, BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s
| extend Vault= Resource
| extend dt = todatetime(JobStartDateTime_s)
| summarize count() by BackupItemFriendlyName_s, JobStatus_s, Vault, BackupItemUniqueId_s, JobFailureCode_s, NewDateTime=dt, JobStartDateTime_s, HostName, OperatingSystemFullName
'project' operator: Failed to resolve scalar expression named 'HostName' If issue persists, please open a support ticket. Request id: 43b5c644-ee20-470a-a741-dcc74036e6af
the below error getting when I try to get the Computer, HostName, OperatingSystemFullName (OS version )
this is the most needed for me. Please help me with this.
CliveWatson Dear Sir, Recently we have changed the Destination table from Azure diagnostics to Resource specific, now we cannot get the result Resource specific. We need to join the Azure diagnostics and Resource specific in a single report. Kindly help with this.
below is one working for AzureDiagnostics, not Resource specificlet Events = AzureDiagnostics
| where Category == "AzureBackupReport"; Events
| extend JobOperationSubType_s = columnifexists("JobOperationSubType_s", "")
| where OperationName == "Job" and JobOperation_s == "Backup" and JobStatus_s == "Failed" and JobOperationSubType_s != "Log" and JobOperationSubType_s != "Recovery point_Log"
| distinct JobUniqueId_g, BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s
| project BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s
| join kind=leftouter ( Events
| where OperationName == "BackupItem"
| distinct BackupItemUniqueId_s, BackupItemFriendlyName_s
| project BackupItemUniqueId_s , BackupItemFriendlyName_s ) on BackupItemUniqueId_s
| project BackupItemFriendlyName_s, BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s
| extend Vault= Resource
| extend dt = todatetime(JobStartDateTime_s)
| summarize count() by BackupItemFriendlyName_s, JobStatus_s,JobFailureCode_s, Vault, BackupItemUniqueId_s, NewDateTime=dt, JobStartDateTime_sSo for #1 we could add a test for Backups that start with A-M or N thru Z). I'm assuming there will be a range of names, you may need to spilt further A-E, F-M etc...? You can then run these as parallel queries in your Logic App.
let Events = AzureDiagnostics | where Category == "AzureBackupReport"; Events | extend JobOperationSubType_s = columnifexists("JobOperationSubType_s", "") | where OperationName == "Job" and JobOperation_s == "Backup" and JobOperationSubType_s != "Log" and JobOperationSubType_s != "Recovery point_Log" | distinct JobUniqueId_g, BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s | project BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s | join kind=leftouter ( Events | where OperationName == "BackupItem" | distinct BackupItemUniqueId_s, BackupItemFriendlyName_s | project BackupItemUniqueId_s , BackupItemFriendlyName_s ) on BackupItemUniqueId_s // add name filter (starts with A thru M) | where BackupItemFriendlyName_s matches regex @"\A([A-Ma-m])" //| where BackupItemFriendlyName_s matches regex @"\A([N-Zn-z])" | project BackupItemFriendlyName_s, BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s | extend Vault= Resource | extend dt = todatetime(JobStartDateTime_s) | summarize count() by BackupItemFriendlyName_s, JobStatus_s, Vault, BackupItemUniqueId_s, JobFailureCode_s, NewDateTime=dt, JobStartDateTime_s //, HostName =Resource1, FQDNFor #2, is that because you don't have a Heartbeat table? In a previous reply I asked you which Tables you do have, Heartbeat and VMconnection contain the data you are after, but you don't seem to have them, AzureDiagnostics doesn't have this detail so we do need to correlate with another source, there are 100s of tables, so you need to tell me which ones you have that have OS info. If you do have Heartbeat maybe I've joined on the wrong value?
I do think we are replicating much of what is available in the UI https://docs.microsoft.com/en-gb/azure/backup/configure-reports or could be done as a Workbook, if the primary goal to have a schedule report still? If not users can go to the UI or Workbooks anytime to see the status?CliveWatson Dear Sir, Really thank you for helping me with this.
#1
- As you have exceed a hard limit of 10,000 are you able to accept a solution that shows maybe the report in two groups (Servers A-M, N-Z) etc ?
Yes, if it's possible. I have not tried it and not sure
- Could we show the report filtered by Country, Region or ResourceGroup or some other divider to get us below 10k?
Yes, if it's possible. I have not tried it and not sure
- Are all 15k servers are backed up each time - is that right?
Yes, all servers are backing up at a different time but within 24 hours.
#2
Heartbeat not working for me.
We can answer #2 with this script, which uses HeartBeat data to get the OS info
let Events = AzureDiagnostics //| project Computer, HostName, OperatingSystemFullName | where Category == "AzureBackupReport"; Events | extend JobOperationSubType_s = columnifexists("JobOperationSubType_s", "") | where OperationName == "Job" and JobOperation_s == "Backup" and JobOperationSubType_s != "Log" and JobOperationSubType_s != "Recovery point_Log" | distinct JobUniqueId_g, BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s | project BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s | join kind=leftouter ( Events | where OperationName == "BackupItem" | distinct BackupItemUniqueId_s, BackupItemFriendlyName_s | project BackupItemUniqueId_s , BackupItemFriendlyName_s ) on BackupItemUniqueId_s //| project BackupItemFriendlyName_s, BackupItemUniqueId_s, JobStatus_s, Resource, JobFailureCode_s, JobStartDateTime_s | extend Vault= Resource | extend dt = todatetime(JobStartDateTime_s) // join to Heartbeat to get some OS details | join (Heartbeat | project Resource, OSType, FQDN=Computer, ComputerIP, OSMajorVersion, OSMinorVersion ) on $left.BackupItemFriendlyName_s == $right.Resource | summarize count() by BackupItemFriendlyName_s, JobStatus_s, Vault, BackupItemUniqueId_s, JobFailureCode_s, NewDateTime=dt, JobStartDateTime_s, HostName =Resource1, FQDNfor #1
1. As you have exceed a hard limit of 10,000 are you able to accept a solution that shows maybe the report in two groups (Servers A-M, N-Z) etc ?
2. Could we show the report filtered by Country, Region or ResourceGroup or some other divider to get us below 10k?
3. Are all 15k servers are backed up each time - is that right?