Forum Discussion
OMS Log Analytics query Function/alias creation via ARM template
- Jan 30, 2019
Hi,
For creating a function you actually use the saved searches API.
https://docs.microsoft.com/en-us/rest/api/loganalytics/savedsearches/createorupdate
There is a slight change in the properties of the call.

    "properties": {
        "category": " Saved Search Test Category",
        "displayName": "Create or Update Saved Search Test",
        "query": "* | measure Count() by Computer",
        "FunctionAlias" : "AllComputers",
        "version": 2
    }

With that you create the function.
And it is just Log Analytics now. We do not use OMS anymore.
The error is clear. You do not have a workspace. This is basic ARM templating, but you need to create the workspace first and then the saved search. One cannot exist without the other. Use dependsOn.
Hi
I used the same JSON and provided an existing workspace. It is creating the function.
Thanks for the help.
- Feb 27, 2019
You can read more about ARM templates here:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates
- kay106 (Copper Contributor), Jun 30, 2020
I can deploy the saved query; however, when I update the template, I get the following error:

    New-AzResourceGroupDeployment : 01:18:36 - Resource Microsoft.OperationalInsights/workspaces/savedSearches 'Sentinel-Workspace140/testarmtemp' failed with message '{
      "error": {
        "code": "Conflict",
        "message": "The remote server returned an error: (409) Conflict."
      }
    }'
    At line:1 char:1
    + New-AzResourceGroupDeployment -TemplateFile .\ARMTemplateforFunction2 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep
       loymentCmdlet

    New-AzResourceGroupDeployment : 01:18:36 - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
    At line:1 char:1
    + New-AzResourceGroupDeployment -TemplateFile .\ARMTemplateforFunction2 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep
       loymentCmdlet

Below is my template:

    {
        "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {
                "apiVersion": "2020-03-01-preview",
                "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
                "name": "Sentinel-Workspace140/testarmtemp",
                "properties": {
                    "category": "ABTemplateTest",
                    "displayName": "GetVaultTest",
                    "query": "AzureBackupReport_CL | where Category == \"AzureBackupReport\" and OperationName == \"Vault\" | where TimeGenerated >= ago(90d) | limit 5",
                    "FunctionAlias" : "getvaultfunctest",
                    "version": 2
                }
            }
        ]
    }

- Jun 30, 2020
Hi kay106, the template that you have provided as an example works. Maybe the problem is that you do not apply it to the resource group where the workspace is located, or the workspace does not exist.
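
The ordering that the replies above describe (workspace first, then the saved search, linked with dependsOn, both in the workspace's resource group), written out as an added example that is not part of the original thread. The `workspaceName` and `location` parameters, the `PerGB2018` SKU, the retention value and the 2019-04-01 schema are assumptions; the saved-search properties are the ones posted above.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: name of the Log Analytics workspace." }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "resources": [
    {
      "comments": "Parent workspace. SKU and retention are assumed values for this example.",
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2020-03-01-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": { "name": "PerGB2018" },
        "retentionInDays": 90
      }
    },
    {
      "comments": "Child saved search that becomes a function through FunctionAlias. dependsOn makes ARM create the workspace first.",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-03-01-preview",
      "name": "[concat(parameters('workspaceName'), '/testarmtemp')]",
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ],
      "properties": {
        "category": "ABTemplateTest",
        "displayName": "GetVaultTest",
        "query": "AzureBackupReport_CL | where Category == \"AzureBackupReport\" and OperationName == \"Vault\" | where TimeGenerated >= ago(90d) | limit 5",
        "FunctionAlias": "getvaultfunctest",
        "version": 2
      }
    }
  ]
}
```

When the workspace already exists and is managed elsewhere, drop the first resource and the dependsOn entry, and deploy to the resource group that holds the workspace.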