Jan 31 2018
02:06 AM
- last edited on
Apr 07 2022
04:53 PM
by
TechCommunityAP
Hi, I am trying to create a search query for when a Public IP is assigned to a NIC, and then create an alert off that. I can find the part which identifies the assignment, but I need to use "inverted commas" within my search, but I can't...
My query:
Jan 31 2018 04:01 PM
Solution
Hi,
Please check out info on strings in KQL here. Since it looks like all your quotes are " and not 's, you can encompass your search terms in ' ... 's, and then use "s within that search unescaped. Backslashes can be escaped via \\.
If that doesn't work, can you please provide a sample (anonymized) of the properties field of one of these entries? I can try and put the right search expression together based on that.
Thanks,
-Evgeny
Feb 01 2018 03:16 AM
Hi, thanks for the reply, but I'm still having issues with the syntax. Below is a snippet of the properties output (minus my subscription ID). I just need to get the 'provisioning succeeded' part out like I mentioned.
{ "requestbody": "{\"name\":\"myvm512\",\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/networkInterfaces/myvm512\",\"etag\":\"W/\\\"23269d7b-24d6-4ab3-a9ea-1e382f0e84d5\\\"\",\"location\":\"westeurope\",\"properties\":{\"provisioningState\":\"Succeeded\",\"resourceGuid\":\"887448c7-9f48-4c8a-872f-060dea18d987\",\"ipConfigurations\":[{\"name\":\"ipconfig1\",\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/networkInterfaces/myvm512/ipConfigurations/ipconfig1\",\"etag\":\"W/\\\"23269d7b-24d6-4ab3-a9ea-1e382f0e84d5\\\"\",\"properties\":{\"provisioningState\":\"Succeeded\",\"privateIPAddress\":\"10.0.0.4\",\"privateIPAllocationMethod\":\"Dynamic\",\"subnet\":{\"name\":\"default\",\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/virtualNetworks/Env5-vnet/subnets/default\",\"etag\":\"W/\\\"f0820dc1-7a9b-4b0d-a309-beb20fcbc63a\\\"\",\"properties\":{\"provisioningState\":\"Succeeded\",\"addressPrefix\":\"10.0.0.0/24\",\"ipConfigurations\":[{\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/networkInterfaces/myvm512/ipConfigurations/ipconfig1\"}]}},\"primary\":true,\"privateIPAddressVersion\":\"IPv4\",\"loadBalancerBackendAddressPools\":[],\"applicationGatewayBackendAddressPools\":[],\"loadBalancerInboundNatRules\":[],\"publicIPAddress\":{\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/publicIPAddresses/MyVM\",\"sku\":{\"name\":\"Basic\"},\"zones\":[]}}}],\"dnsSettings\":{\"dnsServers\":[],\"appliedDnsServers\":[]},\"enableAcceleratedNetworking\":false,\"enableIPForwarding\":false,\"networkSecurityGroup\":{\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/networkSecurityGroups/MyVM-nsg\",\"etag\":\"W/\\\"0ca6ca01-0e79-47aa-a2a0-fa291e89b843\\\"\"},\"primary\":true,\"virtualMachine\":{\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Compute/virtualMachines/MyVM\"},\"macAddress\":null,\"migrationPhase\":null},\"type\":\"Microsoft.Network/networkInterfaces\"}" }
Feb 01 2018 04:16 AM
I have found the correct syntax to use after the advice above and understanding more from the query language reference. PS: I also had written the wrong query string in the question above, it should have been:
\"provisioningState\":\"Succeeded"\
Anyway, here is the answer to look for the above string in the properties of a result:
AzureActivity | sort by TimeGenerated desc nulls last | where OperationName == "Microsoft.Network/networkInterfaces/write" and ActivityStatus == "Started" | where Properties contains '\\"provisioningState\\":\\"Succeeded\\"'
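As an added example (not from this thread), the Python below shows why the single-quoted KQL literal with doubled backslashes matches the JSON-escaped Properties text, and then does what the original question actually asked for: it parses the `requestbody` and reports the public IP ids attached to the NIC's ipConfigurations, which is a more reliable signal than a substring on `provisioningState`. The Properties sample is constructed by shortening the one posted above; `resolve_kql_literal` is a hypothetical helper that covers only the escapes this thread relies on.

```python
import json

# Constructed sample of an AzureActivity Properties value, shortened from the
# one posted in this thread. "requestbody" is a JSON document stored as a
# string, so its inner quotes appear as \" in the raw Properties text.
SAMPLE_PROPERTIES = (
    '{ "requestbody": "{\\"name\\":\\"myvm512\\",'
    '\\"properties\\":{\\"provisioningState\\":\\"Succeeded\\",'
    '\\"ipConfigurations\\":[{\\"name\\":\\"ipconfig1\\",'
    '\\"properties\\":{\\"privateIPAddress\\":\\"10.0.0.4\\",'
    '\\"publicIPAddress\\":{\\"id\\":\\"/subscriptions/<subscriptionid>'
    '/resourceGroups/Env5/providers/Microsoft.Network/publicIPAddresses/MyVM\\"}}}]}}" }'
)

# Body of the '...' literal used in the answer above (Python raw string).
KQL_SEARCH_TERM = r'\\"provisioningState\\":\\"Succeeded\\"'


def resolve_kql_literal(body: str) -> str:
    """Resolve the escapes inside a single-quoted KQL string literal.

    Hypothetical helper: handles only \\\\, \\' and \\" (the escapes that
    matter here). A bare " needs no escape inside '...', which is why the
    answer wraps the term in single quotes and doubles only the backslashes.
    """
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in "\\'\"":
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def kql_contains(properties: str, literal_body: str) -> bool:
    """Approximate KQL `contains` (case-insensitive substring) on raw Properties."""
    return resolve_kql_literal(literal_body).lower() in properties.lower()


def public_ips_in_request(properties: str) -> list:
    """Parse Properties, then its requestbody string, and return the
    publicIPAddress ids on any ipConfiguration. Non-empty means a public IP
    is being assigned to the NIC, which is the event the question wants to alert on."""
    outer = json.loads(properties)
    body = json.loads(outer.get("requestbody", "{}"))
    ids = []
    for cfg in body.get("properties", {}).get("ipConfigurations", []):
        pip = cfg.get("properties", {}).get("publicIPAddress")
        if pip and pip.get("id"):
            ids.append(pip["id"])
    return ids
```

Inside Log Analytics the same parsing can be done with `parse_json()` on Properties and again on its `requestbody` string, which avoids the escaping entirely and lets the query test for `publicIPAddress` directly.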