SOLVED
Home

Computer Groups with new query language?

%3CLINGO-SUB%20id%3D%22lingo-sub-114238%22%20slang%3D%22en-US%22%3EComputer%20Groups%20with%20new%20query%20language%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-114238%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20trying%20to%20set%20up%20computer%20groups%20in%20my%20OMS%20environment%2C%20but%20running%20into%20some%20issues.%20Has%20anyone%20used%20computer%20groups%20successfully%20with%20the%20new%20query%20language%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20see%20the%20created%20computer%20groups%20in%20settings%2C%20and%20can%20view%20members%20of%20the%20group%20from%20there.%20I%20created%20the%20group%20with%20a%20query%20that%20looks%20like%20this%3A%20Heartbeat%20%7C%20where%20Computer%20has%20%22dev%22%20%7C%20distinct%20Computer%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20only%20blog%20I%20can%20find%20on%20using%20computer%20groups%20in%20queries%20is%20here%2C%20and%20it%20uses%20the%20older%20query%20language%3A%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fmsoms%2F2016%2F04%2F04%2Fcomputer-groups-in-oms%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fmsoms%2F2016%2F04%2F04%2Fcomputer-groups-in-oms%2F%3C%2FA%3E%3C%2FP%3E%3CP%3Elike%20this%3A%20Type%3APerf%20ObjectName%3DProcessor%20Computer%20IN%20%24ComputerGroups%5BMy%20Crepe%20Computers%5D%20%7C%20measure%20avg(CounterValue)%20by%20Computer%20interval%201HOUR%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20I%20try%20to%20use%20this%20format%20in%20the%20Legacy%20language%20converter%2C%20I%20get%20an%20error%20saying%20%22no%20viable%20alternative%20at%20input%20'Heartbeat(Computerin'%22%20(note%20that%20in%20my%20query%20there%20ARE%20spaces%20between%20Computer%2C%20in%2C%20and%20heartbeat).%20If%20I%20try%20the%20regular%20search%20window%20with%20'Heartbeat%20%7C%20where%20(Computer%20in%20%24ComputerGroups%5Bmygroupname%5D'%20I%20get%20the%20error%20'%3CSPAN%20class%3D%22query-error%22%3EA%20recognition%20error%20occurred.%20Token%3A%20%22in%22.'%20Finally%2C%20if%20I%20add%20ComputerGroups%20to%20the%20filter%20window%2C%20every%20query%20I%20try%20leaves%20the%20computergroup%20fields%20with%20no%20entries%2C%20so%20the%20filter%20is%20greyed%20out.%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22query-error%22%3EHas%20anyone%20worked%20with%20computer%20groups%20in%20the%20new%20OMS%3F%20Are%20they%20broken%2C%20or%20am%20I%20missing%20something%3F%20I've%20scoured%20the%20language%20documentation%20and%20can't%20find%20anything%20there...%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-114238%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOMS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EQuery%20Language%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-126592%22%20slang%3D%22en-US%22%3ERe%3A%20Computer%20Groups%20with%20new%20query%20language%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-126592%22%20slang%3D%22en-US%22%3EHappy%20to%20hear%20that%20it%20is%20working.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-126591%22%20slang%3D%22en-US%22%3ERe%3A%20Computer%20Groups%20with%20new%20query%20language%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-126591%22%20slang%3D%22en-US%22%3E%3CP%3EI%20believe%20I%20have%20spotted%20the%20issue%2C%20the%20capital%20P%20was%20issue%20number%201%20%3A)%3C%2Fimg%3E%20issue%20number%202%20is%20that%20the%20search%20save%20was%20a%20legacy%20format%3A%26nbsp%3BType%3DHeartbeat%20OSType%3DLinux%20Computer%3Dregex(%22%40p%7B1%7D%5B0-9%5D*%22)%20%7C%20Distinct%26nbsp%3B%20Computer%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20had%20to%20save%20the%20search%20using%20the%20new%20format%3A%3CBR%20%2F%3EHeartbeat%20%7C%20where%20OSType%20%3D%3D%20%22Linux%22%20and%20Computer%20matches%20regex%20%22%5E.%2Bp%7B1%7D%5B0-9%5D*%24%22%20%7C%20distinct%20Computer%3CBR%20%2F%3E%3CBR%20%2F%3Eafter%20I%20had%20saved%20the%20search%20I%20was%20then%20able%20to%20use%20your%20search%20and%20it%20worked.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3EPerf%20%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20Computer%20in%20(MyComputers())%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3Ethank%20you%20very%20much%20for%20your%20assistance%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-126571%22%20slang%3D%22en-US%22%3ERe%3A%20Computer%20Groups%20with%20new%20query%20language%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-126571%22%20slang%3D%22en-US%22%3EPerf%20type%20is%20with%20capital%20P%20so%20it%20will%20be%20Perf%20%7C%20where%20Computer%20in%20(MyComputers)%20The%20language%20is%20casesensitive.%20Let%20me%20know%20if%20that%20fixes%20it.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-126568%22%20slang%3D%22en-US%22%3ERe%3A%20Computer%20Groups%20with%20new%20query%20language%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-126568%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Stanislav%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20followed%20your%20example%20but%20I%20still%20can't%20get%20computer%20groups%20to%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20350px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F23933iD4DCFAAE5BA3138B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22OMs_v1.JPG%22%20title%3D%22OMs_v1.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20saved%20the%20search%20and%20can%20see%20the%20group%20under%20Computer%20Groups%20%26gt%3B%20Saved%20Groups%20but%20I%20am%20unable%20to%20reference%20the%20group%20in%20a%20search%20query.%20We%20had%20this%20working%20in%20the%20legacy%20log%20analytics%20but%20it%20didn't%20get%20converted%20during%20the%20log%20analytics%20upgrade.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-114967%22%20slang%3D%22en-US%22%3ERe%3A%20Computer%20Groups%20with%20new%20query%20language%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-114967%22%20slang%3D%22en-US%22%3E%3CP%3EExample%3A%3C%2FP%3E%3CPRE%3EHeartbeat%20%7C%20where%20Computer%20contains%20%22SRV%22%20%7C%20distinct%20Computer%20%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20will%20create%20function%20out%20of%20this%20query%20and%20save%20with%20it%20with%20alias%20MyComputers%20for%20example.%20Than%20in%20a%20new%20query%20you%20can%20refer%20to%20it%20in%20this%20way%20for%20example%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3EPerf%20%7C%20where%20Computer%20in%20(MyComputers)%20%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20it%20does%20not%20work%20right%20away%20in%20the%20Analytics%20Portal%20try%20refreshing%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-114947%22%20slang%3D%22en-US%22%3ERe%3A%20Computer%20Groups%20with%20new%20query%20language%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-114947%22%20slang%3D%22en-US%22%3E%3CP%3EPlease%20refer%20to%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Flog-analytics%2Flog-analytics-computer-groups%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Edocumentation%3C%2FA%3E.%26nbsp%3B%20Please%20refer%20to%20the%20%22Notes%22%20section%20that%20refers%20to%20the%20new%20query%20language.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-114731%22%20slang%3D%22en-US%22%3ERe%3A%20Computer%20Groups%20with%20new%20query%20language%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-114731%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20you%20use%20that%20computer%20group%20in%20a%20query%3F%20That's%20the%20part%20that%20is%20failing%20for%20me.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-114596%22%20slang%3D%22en-US%22%3ERe%3A%20Computer%20Groups%20with%20new%20query%20language%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-114596%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20able%20to%20get%20this%20to%20work%20in%20my%20subscription%3A%3CBR%20%2F%3E%3CSTRONG%3EHeartbeat%20%7C%20where%20Computer%20contains%20%22%3CEM%3E%3CNAME%3E%3C%2FNAME%3E%3C%2FEM%3E%22%20%7C%20distinct%20Computer%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20then%20saved%20the%20query%2C%20made%20a%20function%20of%20it%2C%20and%20used%20it%20to%20create%20a%20computer%20group.%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

I'm trying to set up computer groups in my OMS environment, but running into some issues. Has anyone used computer groups successfully with the new query language?

 

I see the created computer groups in settings, and can view members of the group from there. I created the group with a query that looks like this: Heartbeat | where Computer has "dev" | distinct Computer

 

The only blog I can find on using computer groups in queries is here, and it uses the older query language: https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/

like this: Type:Perf ObjectName=Processor Computer IN $ComputerGroups[My Crepe Computers] | measure avg(CounterValue) by Computer interval 1HOUR

 

When I try to use this format in the Legacy language converter, I get an error saying "no viable alternative at input 'Heartbeat(Computerin'" (note that in my query there ARE spaces between Computer, in, and heartbeat). If I try the regular search window with 'Heartbeat | where (Computer in $ComputerGroups[mygroupname]' I get the error 'A recognition error occurred. Token: "in".' Finally, if I add ComputerGroups to the filter window, every query I try leaves the computergroup fields with no entries, so the filter is greyed out.

 

Has anyone worked with computer groups in the new OMS? Are they broken, or am I missing something? I've scoured the language documentation and can't find anything there...

8 Replies
Highlighted

I was able to get this to work in my subscription:
Heartbeat | where Computer contains "<name>" | distinct Computer

 

I then saved the query, made a function of it, and used it to create a computer group.

 


 

Highlighted

Can you use that computer group in a query? That's the part that is failing for me.

Highlighted

Please refer to the documentation.  Please refer to the "Notes" section that refers to the new query language.

Highlighted
Solution

Example:

Heartbeat | where Computer contains "SRV" | distinct Computer 

 

You will create function out of this query and save with it with alias MyComputers for example. Than in a new query you can refer to it in this way for example:

 

Perf | where Computer in (MyComputers) 

 

If it does not work right away in the Analytics Portal try refreshing it.

Highlighted

Hi Stanislav,

 

I have followed your example but I still can't get computer groups to work.

 

OMs_v1.JPG

 

I have saved the search and can see the group under Computer Groups > Saved Groups but I am unable to reference the group in a search query. We had this working in the legacy log analytics but it didn't get converted during the log analytics upgrade.

 

Highlighted
Perf type is with capital P so it will be Perf | where Computer in (MyComputers) The language is casesensitive. Let me know if that fixes it.
Highlighted

I believe I have spotted the issue, the capital P was issue number 1 :) issue number 2 is that the search save was a legacy format: Type=Heartbeat OSType=Linux Computer=regex("@p{1}[0-9]*") | Distinct  Computer

 

I had to save the search using the new format:
Heartbeat | where OSType == "Linux" and Computer matches regex "^.+p{1}[0-9]*$" | distinct Computer

after I had saved the search I was then able to use your search and it worked.

 

Perf | where Computer in (MyComputers())
 
 
thank you very much for your assistance :) 




Highlighted
Happy to hear that it is working.