Mayank Bansal
Microsoft
Oct 02, 2019
Solved

Computer group created through PowerShell cmdlet not working

I created a computer group using the PowerShell cmdlet New-AzOperationalInsightsComputerGroup:

-------

$Query  = "Heartbeat | where Computer in ('myserver.adx.com') | distinct Computer"
New-AzOperationalInsightsComputerGroup -ResourceGroupName "MyRG" -WorkspaceName "My WN" -SavedSearchId "id12345" -DisplayName "MyDN" -Category "MyCategory" -Query $Query -Version 1

-------

To confirm the group was created successfully:
--------------------
(Get-AzOperationalInsightsSavedSearch -ResourceGroupName "MyRG" -WorkspaceName "My WN").Value.Properties | ?{$_.category -eq "MyCategory"  -and $_.DisplayName -eq "MyDN"}
Category    : MyCategory
DisplayName : MyDN
Query       : Heartbeat | where Computer in ('myserver.adx.com') | distinct Computer
Version     : 2
Tags        : {Group}
--------------------
Now I go to Log Analytics and run:
--------------------
MyDN
| project Computer

MyDN
| distinct Computer
--------------------
Both commands fail with “Syntax Error” 'distinct' operator: Failed to resolve table or column expression named 'MyDN'

I reached out to support and was told that I need a "function" to use groups in a query, and that "New-AzOperationalInsightsComputerGroup" does not create a function.

Is there a way I can create a function/computer group through PowerShell?
  • Hi Mayank Bansal, you can use PowerShell to do an ARM template deployment. The resource part in your case will look like this:

    {
      "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/', 'id12345' )]",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2017-03-15-preview",
      "tags": {
      },
      "properties": {
        "query": "Heartbeat | where Computer in ('myserver.adx.com') | distinct Computer",
        "displayName": "MyDN",
        "category": "MyCategory",
        "FunctionAlias": "MyDN",
        "Version": 2,
        "ETag": "*",
        "Tags": [
          {
            "Name": "Group",
            "Value": "Computer"
          }
        ]
      }
    }

    The tags part with name Group and value Computer basically makes the function also a computer group.

3 Replies

  • robwesterby
    Copper Contributor

    To assist anyone else arriving from Google/Bing, I'd suggest using the more fully-featured cmdlet New-AzOperationalInsightsSavedSearch to create usable computer groups.

    A computer group saved query (e.g. used to target Azure Update Management deployments) needs to be saved both as a Function, and also have a tag of 'Group' with value of 'Computer'.

    New-AzOperationalInsightsComputerGroup with -Debug shows it creates the tag, but forgets to add the necessary functionAlias parameter.

    $Query = "ComputerGroup | where GroupSource == 'ActiveDirectory' and Group == '$ADGroupName' | distinct Computer"
    $Tag = @{
        Group = 'Computer'
    }
    New-AzOperationalInsightsSavedSearch -ResourceGroupName "MyRG" -WorkspaceName "MyWN" -SavedSearchId "id12345" -DisplayName "MyDN" -Category "MyCategory" -Query $Query -FunctionAlias "my_ad_group_name" -Tag $Tag
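
An added example, not part of the thread or any poster's code: a PowerShell lint that checks, before deployment, that every saved search in an ARM template tagged Group = Computer also carries a function alias, the condition both replies above identify. The function name Test-ComputerGroupSavedSearch, the embedded template and its second resource are constructed for illustration, and only top-level resources with the full resource type are inspected.

```powershell
# Added example: flag saved searches that are tagged as computer groups but
# lack a function alias. The template below is constructed sample input.
$templateJson = @'
{
  "resources": [
    {
      "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/', 'id12345')]",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "properties": {
        "query": "Heartbeat | where Computer in ('myserver.adx.com') | distinct Computer",
        "displayName": "MyDN",
        "FunctionAlias": "MyDN",
        "Tags": [ { "Name": "Group", "Value": "Computer" } ]
      }
    },
    {
      "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/', 'constructed-id')]",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "properties": {
        "query": "Heartbeat | where Computer in ('myserver.adx.com') | distinct Computer",
        "displayName": "NoAliasGroup",
        "Tags": [ { "Name": "Group", "Value": "Computer" } ]
      }
    }
  ]
}
'@

function Test-ComputerGroupSavedSearch {
    param([Parameter(Mandatory)][string]$TemplateJson)

    $template = $TemplateJson | ConvertFrom-Json
    foreach ($res in $template.resources) {
        if ($res.type -ne 'Microsoft.OperationalInsights/workspaces/savedSearches') { continue }
        $props = $res.properties
        # Property access on ConvertFrom-Json objects is case-insensitive,
        # so this matches "Tags"/"tags" and "FunctionAlias"/"functionAlias".
        $isGroup = @($props.Tags | Where-Object { $_.Name -eq 'Group' -and $_.Value -eq 'Computer' }).Count -gt 0
        $hasAlias = -not [string]::IsNullOrWhiteSpace($props.FunctionAlias)
        [pscustomobject]@{
            DisplayName   = $props.displayName
            ComputerGroup = $isGroup
            FunctionAlias = $props.FunctionAlias
            Usable        = $isGroup -and $hasAlias
        }
    }
}

Test-ComputerGroupSavedSearch -TemplateJson $templateJson | Format-Table -AutoSize
```

A row with ComputerGroup true and Usable false is the case described in this thread: the tag is present, but the group name cannot be resolved in a query.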