
ARM Template for KQL Query Alert

Consultant1350
New Contributor

Hi,

I have a query that is supposed to get the data related to Security Updates and Critical Updates from devices connected to a Log Analytics workspace.

This query works fine in one Log Analytics workspace but shows a syntax error in another Log Analytics workspace while configuring an alert.
Security Update Query
Update
| where UpdateState == 'Needed' and Optional == false and Classification == 'Security Updates' and Approved != false
| summarize AggregatedValue = count() by Computer
Critical Updates Query
Update
| where UpdateState == 'Needed' and Optional == false and Classification == 'Critical Updates' and Approved != false
| summarize count() by Computer


Need help in finding why this query shows a syntax error while I use it for configuring an alert.


Thanks in Advance


3 Replies

@Consultant1350 


Both of these work in the free demo workspace, see that here:


Go to Log Analytics and Run Query


What error do you get and which of the two queries gets the error?  Do they work as a query but one fails when put into an Alert?

@Clive Watson 
Hi,

Thanks for your response. I am getting a Syntax error while trying to execute this query from the Logs to get the data and also while configuring an alert using this query.
Please find the screenshot attached for the reference.

@Consultant1350 


You normally get that error if the table doesn't exist - so do you definitely have Update in that workspace?

Update
| limit 10

(Attached screenshot: Annotation 2019-06-24 200251.jpg)
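The diagnosis above (a "syntax error" that is really an unresolved table) is easy to catch before an alert rule is deployed. The following Python script is an added example written for this thread, not code from the original posts or from Microsoft: it pulls the table names a KQL query reads from (the leading source, `union` legs and `join` sources), compares them with the set of tables present in a workspace, and flags the query whose `summarize` does not produce the `AggregatedValue` column that a metric-measurement log alert expects. The two workspace table inventories are constructed sample data; in practice you would fill them from the real workspace (for example with `search * | distinct $table`) or by running the `Update | limit 10` probe from the reply.

```python
import re

# Constructed sample input: the two queries posted in the thread, one per line of pipes.
SECURITY_UPDATE_QUERY = (
    "Update | where UpdateState == 'Needed' and Optional == false "
    "and Classification == 'Security Updates' and Approved != false "
    "| summarize AggregatedValue = count() by Computer"
)
CRITICAL_UPDATE_QUERY = (
    "Update | where UpdateState == 'Needed' and Optional == false "
    "and Classification == 'Critical Updates' and Approved != false "
    "| summarize count() by Computer"
)

# Constructed table inventories standing in for two hypothetical workspaces (assumption:
# populated from the real workspace before running this check).
WORKSPACE_WITH_UPDATE = {"Heartbeat", "Update", "UpdateSummary", "SecurityEvent"}
WORKSPACE_WITHOUT_UPDATE = {"Heartbeat", "SecurityEvent", "Perf"}

# Leading identifier of the query (the source table unless it is a keyword such as `union`).
_FIRST_TABLE = re.compile(r"^\s*([A-Za-z_]\w*)")
# `union [isfuzzy=true] TableA, TableB ...` at the start of the query.
_UNION_LEGS = re.compile(
    r"^\s*union\s+(?:(?:isfuzzy|withsource)\s*=\s*\w+\s+)*"
    r"([A-Za-z_]\w*(?:\s*,\s*[A-Za-z_]\w*)*)"
)
# The right-hand table of `join [kind=...] (Table ...)`.
_JOIN_SOURCE = re.compile(r"\bjoin\b[^(]*\(\s*([A-Za-z_]\w*)")
# Leading tokens that are operators, not tables.
_KEYWORDS = {"union", "search", "let", "print", "range", "datatable"}
# A summarize clause that names AggregatedValue explicitly.
_AGGREGATED_VALUE = re.compile(r"\bsummarize\b[^|]*\bAggregatedValue\s*=")


def referenced_tables(query):
    """Return the distinct table names the query reads from, in order of appearance."""
    tables = []

    def add(name):
        if name not in tables:
            tables.append(name)

    union = _UNION_LEGS.match(query)
    if union:
        for leg in union.group(1).split(","):
            add(leg.strip())
    else:
        first = _FIRST_TABLE.match(query)
        if first and first.group(1) not in _KEYWORDS:
            add(first.group(1))
    for match in _JOIN_SOURCE.finditer(query):
        add(match.group(1))
    return tables


def missing_tables(query, workspace_tables):
    """Tables the query needs that the workspace does not have (the thread's root cause)."""
    return sorted(t for t in referenced_tables(query) if t not in workspace_tables)


def has_aggregated_value(query):
    """True when summarize names AggregatedValue, as a metric-measurement log alert requires."""
    return _AGGREGATED_VALUE.search(query) is not None


def validate_alert_query(name, query, workspace_tables):
    """Return human-readable findings; an empty list means the query should resolve cleanly."""
    findings = []
    for table in missing_tables(query, workspace_tables):
        findings.append(
            f"{name}: table '{table}' does not exist in this workspace "
            f"(probe with `{table} | limit 10`)"
        )
    if not has_aggregated_value(query):
        findings.append(
            f"{name}: summarize does not name AggregatedValue, which a metric "
            "measurement alert requires"
        )
    return findings


if __name__ == "__main__":
    queries = {"security": SECURITY_UPDATE_QUERY, "critical": CRITICAL_UPDATE_QUERY}
    for label, tables in (("with Update", WORKSPACE_WITH_UPDATE),
                          ("without Update", WORKSPACE_WITHOUT_UPDATE)):
        print(f"== workspace {label} ==")
        for name, query in queries.items():
            for finding in validate_alert_query(name, query, tables) or [f"{name}: ok"]:
                print("  " + finding)
```

Run it against the constructed inventories and the workspace lacking the Update table reports both queries as unresolved, which is exactly the symptom in the original post; the critical-updates query is additionally flagged for its unnamed `count()` column. The regular expressions cover the common query shapes (single source, `union`, `join`) rather than the full KQL grammar, so treat a clean result as a pre-check, not as proof the rule will deploy.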