Forum Discussion
OMS Log Analytics query Function/alias creation via ARM template
Hi All,
I have created ARM templates for creating OMS Log Analytics Searches. I am trying to see if you can help me creating a function in via ARM template. Bascially we want to create/update the Function via ARM template or powershell..Appreciate if you can guide me or point me to any ARM template that has this functionality as reference.
Below is the function i am referring to.
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/functions#create-a-function
Thanks
RC
Hi,
For creating function you actually use the saved searches API.
https://docs.microsoft.com/en-us/rest/api/loganalytics/savedsearches/createorupdate
There is a slight change in the properties of the call.
"properties": { "category": " Saved Search Test Category", "displayName": "Create or Update Saved Search Test", "query": "* | measure Count() by Computer", "FunctionAlias" : "AllComputers", "version": 2 }With that you create function.
And it is just Log Analytics now. We do not use OMS anymore.
15 Replies
Hi,
For creating function you actually use the saved searches API.
https://docs.microsoft.com/en-us/rest/api/loganalytics/savedsearches/createorupdate
There is a slight change in the properties of the call.
"properties": { "category": " Saved Search Test Category", "displayName": "Create or Update Saved Search Test", "query": "* | measure Count() by Computer", "FunctionAlias" : "AllComputers", "version": 2 }With that you create function.
And it is just Log Analytics now. We do not use OMS anymore.
Vino55Microsoft
Hi,
I am able to create saved search using ARM template. But I am not able to create function.
The resources part in my json looks like this:
"resources": [ { "type": "Microsoft.OperationalInsights/workspaces", "name": "[parameters('workspaceName')]", "apiVersion": "2015-11-01-preview", "location": "[parameters('location')]", "properties": { "sku": { "Name": "[parameters('sku')]" }, "features": { "searchVersion": 1 } } }, { "apiVersion": "2017-03-15-preview", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "name": "[concat(parameters('workspaceName'), '/', 'ABTemplateTest')]", "properties": { "category": "ABTemplateTest", "displayName": "GetVaultTest", "query": "AzureBackupReport_CL | where Category == \"AzureBackupReport\" and OperationName == \"Vault\" | where TimeGenerated >= ago(90d) | limit 5", "FunctionAlias" : "getvaultfunctest", "version": 2 } } ]In the above resource part, without FunctionAlias, it is creating saved search successfully.
But when I include FunctionAlias, it is failing to create.
Can Functions be created via ARM template? If so, how?Thanks.
Please provide your error. The template provided is ok.
- Vino55
Is it not possible to include saved query/functions as part of ARM template?
Basically my objective is to fetch data (In log analytics) from PowerBI using Rest API.
Since we do not want to have complex queries as part of Rest API (for 2 reasons - customization at LA and Rest API limitation of 2KB length), we thought of using saved queries/functions and then call these saved queries from powerBI.
Thanks.I am not sure if I understand the question correctly but if you are talking about export to PowerBI feature I do not think why it wouldn't possible to use functions there. In basics that integration is basically executing query at specific period against the API and getting the data.
Thanks a lot of the information/code.
RC
