
OMS Log Analytics query Function/alias creation via ARM template


Hi All, 

 

I have created ARM templates for creating OMS Log Analytics searches. I am trying to see if you can help me with creating a function via ARM template. Basically we want to create/update the function via ARM template or PowerShell. Appreciate if you can guide me or point me to any ARM template that has this functionality as a reference.

Below is the function I am referring to.

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/functions#create-a-function

 

Thanks 

RC

best response confirmed by Stanislav Zhelyazkov (MVP)
Solution

Hi,

For creating a function you actually use the saved searches API.

https://docs.microsoft.com/en-us/rest/api/loganalytics/savedsearches/createorupdate

There is a slight change in the properties of the call.

"properties": {
    "category": " Saved Search Test Category",
    "displayName": "Create or Update Saved Search Test",
    "query": "* | measure Count() by Computer",
    "FunctionAlias" : "AllComputers",
    "version": 2
}

With that you create a function.

And it is just Log Analytics now. We do not use OMS anymore.

Thanks a lot for the information/code.

 

RC

Hi @Stanislav Zhelyazkov,

 

Is it not possible to include saved query/functions as part of ARM template?

Basically my objective is to fetch data (in Log Analytics) from Power BI using the REST API.
Since we do not want to have complex queries as part of the REST API call (for two reasons: customization at LA and the REST API limitation of 2KB length), we thought of using saved queries/functions and then calling these saved queries from Power BI.

Thanks.

I am not sure if I understand the question correctly, but if you are talking about the export to Power BI feature, I do not see why it wouldn't be possible to use functions there. Basically, that integration is executing a query at a specific period against the API and getting the data.

Thanks for the response.

My question is 'Is it possible to export the saved queries via ARM template'?

Before our customers use Power BI, they can deploy the ARM template. After that they can use Power BI to call those functions through the REST API.

Thanks.

 

 

I do not know if the portal export feature works for these resources but if you have them deployed via ARM template to one environment you can deploy them to another very easily. The ARM template is your export.

Hi,

 

I am able to create a saved search using an ARM template. But I am not able to create a function.

The resources part in my JSON looks like this:

 

"resources": [
    {
        "type": "Microsoft.OperationalInsights/workspaces",
        "name": "[parameters('workspaceName')]",
        "apiVersion": "2015-11-01-preview",
        "location": "[parameters('location')]",
        "properties": {
            "sku": {
                "Name": "[parameters('sku')]"
            },
            "features": {
                "searchVersion": 1
            }
        }
    },
    {
        "apiVersion": "2017-03-15-preview",
        "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
        "name": "[concat(parameters('workspaceName'), '/', 'ABTemplateTest')]",
        "properties": {
            "category": "ABTemplateTest",
            "displayName": "GetVaultTest",
            "query": "AzureBackupReport_CL | where Category == \"AzureBackupReport\" and OperationName == \"Vault\" | where TimeGenerated >= ago(90d) | limit 5",
            "FunctionAlias" : "getvaultfunctest",
            "version": 2
        }
    }
]

In the above resources part, without FunctionAlias, it creates the saved search successfully.

But when I include FunctionAlias, it fails to create.

Can Functions be created via ARM template? If so, how?

Thanks.

 

 

Please provide your error. The template provided is ok.

Attaching the error I got in PowerShell:

New-AzureRmResourceGroupDeployment : 2:29:43 PM - Resource Microsoft.OperationalInsights/workspaces/savedSearches 'NewTestLAWorkspaceWithFunctionAlias/ABTemplateTest' failed with message '{
  "error": {
    "code": "ResourceNotFound",
    "message": "The Resource 'Microsoft.OperationalInsights/workspaces/NewTestLAWorkspaceWithFunctionAlias' under resource group 'testrg' was not found."
  }
}'
At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name NewTestLA-Template -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet

New-AzureRmResourceGroupDeployment : 2:30:14 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.
At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name NewTestLA-Template -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet

New-AzureRmResourceGroupDeployment : 2:30:14 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.
At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name NewTestLA-Template -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet



DeploymentName          : NewTestLA-Template
ResourceGroupName       : testrg
ProvisioningState       : Failed
Timestamp               : 2/27/2019 9:00:11 AM
Mode                    : Incremental
TemplateLink            :
Parameters              :
                          Name             Type                       Value
                          ===============  =========================  ==========
                          workspaceName    String                     NewTestLAWorkspaceWithFunctionAlias
                          location         String                     eastus
                          sku              String                     PerGB2018

Outputs                 :
DeploymentDebugLogLevel :

 

Just to add further, the exact JSON without that functionAlias worked for me. It created the saved search.
When I add functionAlias, it threw the above error, but it created the workspace without any saved search/function.

The error is clear. You do not have a workspace. This is basic ARM templating, but you need first to create the workspace and then the saved search. One cannot exist without the other. Use dependsOn.
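The following ARM template is an added example (not code from any post in this thread) that puts together the two points made above: the functionAlias property from the accepted answer, which turns a saved search into a function, and the dependsOn that makes ARM create the workspace before the saved search instead of deploying both in parallel and hitting ResourceNotFound. The workspace name parameter, category, display name and query reuse the values posted in the thread as sample values; the 2019-04-01 schema and the PerGB2018 sku are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "comments": "Added example, not from the thread: a workspace plus a saved search that becomes a function via functionAlias. The search declares dependsOn so it is deployed only after the workspace exists."
  },
  "parameters": {
    "workspaceName": { "type": "string" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2015-11-01-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": { "name": "PerGB2018" }
      }
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2017-03-15-preview",
      "name": "[concat(parameters('workspaceName'), '/GetVaultTest')]",
      "comments": "Without this dependsOn, ARM may try to create the search while the workspace does not exist yet and fail with ResourceNotFound, as in the error posted above.",
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ],
      "properties": {
        "category": "ABTemplateTest",
        "displayName": "GetVaultTest",
        "query": "AzureBackupReport_CL | where Category == \"AzureBackupReport\" and OperationName == \"Vault\" | where TimeGenerated >= ago(90d) | limit 5",
        "functionAlias": "getvaultfunctest",
        "version": 2
      }
    }
  ]
}
```

When the workspace already exists, the first resource and the dependsOn can be dropped, as long as the deployment targets the resource group that holds the workspace.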

I just want to add that I was able to create a new workspace with a saved search previously.

Attaching the entire JSON.

{
    "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspaceName": {
            "type": "String",
            "metadata": {
                "description": "Specifies the name of the workspace."
            }
        },
        "location": {
            "type": "String",
            "allowedValues": [
                "eastus",
                "westus"
            ],
            "defaultValue": "eastus",
            "metadata": {
                "description": "Specifies the location in which to create the workspace."
            }
        },
        "sku": {
            "type": "String",
            "allowedValues": [
                "Standalone",
                "PerNode",
                "PerGB2018"
            ],
            "defaultValue": "PerGB2018",
            "metadata": {
                "description": "Specifies the service tier of the workspace: Standalone, PerNode, Per-GB"
            }
        }
    },
    "resources": [
        {
            "type": "Microsoft.OperationalInsights/workspaces",
            "name": "[parameters('workspaceName')]",
            "apiVersion": "2015-11-01-preview",
            "location": "[parameters('location')]",
            "properties": {
                "sku": {
                    "Name": "[parameters('sku')]"
                },
                "features": {
                    "searchVersion": 1
                }
            }
        },
        {
            "apiVersion": "2017-03-15-preview",
            "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
            "name": "[concat(parameters('workspaceName'), '/', 'monitoralerts-cputest')]",
            "properties": {
                "category": "BasicMonitorAlertstest",
                "displayName": "monitoralerts-cputest",
                "query": "Perf | where ObjectName == \"Processor\" and CounterName == \"% Processor Time\" | summarize avg(CounterValue) by Computer, bin(TimeGenerated, 5m) | where avg_CounterValue > 95 | summarize arg_max(TimeGenerated, *) by Computer",
                "version": 2
            }
        }
    ]
}

I will anyway try with an existing LA workspace and update.
Could you please elaborate on dependsOn? Any example would be great. Thanks.

Hi,

I used the same JSON and provided an existing workspace. It is creating the function.

Thanks for the help.

I can deploy the saved query; however, when I update the template, I get the following error:

New-AzResourceGroupDeployment : 01:18:36 - Resource Microsoft.OperationalInsights/workspaces/savedSearches
'Sentinel-Workspace140/testarmtemp' failed with message '{
  "error": {
    "code": "Conflict",
    "message": "The remote server returned an error: (409) Conflict."
  }
}'
At line:1 char:1
+ New-AzResourceGroupDeployment -TemplateFile .\ARMTemplateforFunction2 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep
   loymentCmdlet

New-AzResourceGroupDeployment : 01:18:36 - Template output evaluation skipped: at least one resource deployment
operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage
details.
At line:1 char:1
+ New-AzResourceGroupDeployment -TemplateFile .\ARMTemplateforFunction2 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep
   loymentCmdlet

New-AzResourceGroupDeployment : 01:18:36 - Template output evaluation skipped: at least one resource deployment
operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage
details.
At line:1 char:1
+ New-AzResourceGroupDeployment -TemplateFile .\ARMTemplateforFunction2 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep

Below is my template:

 

{
    "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "apiVersion": "2020-03-01-preview",
            "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
            "name": "Sentinel-Workspace140/testarmtemp",
            "properties": {
                "category": "ABTemplateTest",
                "displayName": "GetVaultTest",
                "query": "AzureBackupReport_CL | where Category == \"AzureBackupReport\" and OperationName == \"Vault\" | where TimeGenerated >= ago(90d) | limit 5",
                "FunctionAlias" : "getvaultfunctest",
                "version": 2
            }
        }
    ]
}

Hi @kay106, the template that you have provided as an example works. Maybe the problem is that you do not apply it to the resource group where the workspace is located, or the workspace does not exist.
