Jan 25 2019 09:06 AM - last edited on Apr 07 2022 05:36 PM by TechCommunityAP
Hi All,
I have created ARM templates for creating OMS Log Analytics searches. I am trying to see if you can help me create a function via an ARM template. Basically, we want to create/update the function via ARM template or PowerShell. I would appreciate it if you could guide me or point me to any ARM template that has this functionality as a reference.
Below is the function I am referring to.
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/functions#create-a-function
Thanks
RC
Jan 30 2019 07:09 AM - edited Jan 30 2019 07:09 AM
Solution
Hi,
For creating function you actually use the saved searches API.
https://docs.microsoft.com/en-us/rest/api/loganalytics/savedsearches/createorupdate
There is a slight change in the properties of the call.
"properties": {
  "category": " Saved Search Test Category",
  "displayName": "Create or Update Saved Search Test",
  "query": "* | measure Count() by Computer",
  "FunctionAlias": "AllComputers",
  "version": 2
}
With that you create function.
And it is just Log Analytics now. We do not use OMS anymore.
Feb 12 2019 08:20 AM
Thanks a lot for the information/code.
RC
Feb 20 2019 05:02 AM
Is it not possible to include saved query/functions as part of ARM template?
Basically my objective is to fetch data (In log analytics) from PowerBI using Rest API.
Since we do not want to have complex queries as part of Rest API (for 2 reasons - customization at LA and Rest API limitation of 2KB length), we thought of using saved queries/functions and then call these saved queries from powerBI.
Thanks.
Feb 20 2019 05:12 AM
I am not sure if I understand the question correctly, but if you are talking about the export to PowerBI feature, I do not see why it wouldn't be possible to use functions there. Basically, that integration is executing a query at a specific period against the API and getting the data.
Feb 20 2019 05:28 AM
Thanks for the response.
My question is 'Is it possible to export the saved queries via ARM template'?
Before our customers use powerBI, they can deploy the ARM template. And after that they can use powerBI to call those functions through RestAPI.
Thanks.
Feb 20 2019 05:48 AM
I do not know if the portal export feature works for these resources but if you have them deployed via ARM template to one environment you can deploy them to another very easily. The ARM template is your export.
Feb 27 2019 01:10 AM
Hi,
I am able to create saved search using ARM template. But I am not able to create function.
The resources part in my json looks like this:
"resources": [
  {
    "type": "Microsoft.OperationalInsights/workspaces",
    "name": "[parameters('workspaceName')]",
    "apiVersion": "2015-11-01-preview",
    "location": "[parameters('location')]",
    "properties": {
      "sku": {
        "Name": "[parameters('sku')]"
      },
      "features": {
        "searchVersion": 1
      }
    }
  },
  {
    "apiVersion": "2017-03-15-preview",
    "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
    "name": "[concat(parameters('workspaceName'), '/', 'ABTemplateTest')]",
    "properties": {
      "category": "ABTemplateTest",
      "displayName": "GetVaultTest",
      "query": "AzureBackupReport_CL | where Category == \"AzureBackupReport\" and OperationName == \"Vault\" | where TimeGenerated >= ago(90d) | limit 5",
      "FunctionAlias": "getvaultfunctest",
      "version": 2
    }
  }
]
In the above resource part, without FunctionAlias, it is creating saved search successfully.
But when I include FunctionAlias, it is failing to create.
Can Functions be created via ARM template? If so, how?
Thanks.
Feb 27 2019 01:14 AM
Please provide your error. The template provided is ok.
Feb 27 2019 01:18 AM - edited Feb 27 2019 01:20 AM
Attaching error I got in powershell:
New-AzureRmResourceGroupDeployment : 2:29:43 PM - Resource Microsoft.OperationalInsights/workspaces/savedSearches 'NewTestLAWorkspaceWithFunctionAlias/ABTemplateTest' failed with message '{
"error": {
"code": "ResourceNotFound",
"message": "The Resource 'Microsoft.OperationalInsights/workspaces/NewTestLAWorkspaceWithFunctionAlias' under resource group 'testrg' was not found."
}
}'
At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name NewTestLA-Template -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
New-AzureRmResourceGroupDeployment : 2:30:14 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.
At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name NewTestLA-Template -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
New-AzureRmResourceGroupDeployment : 2:30:14 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.
At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name NewTestLA-Template -Resource ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
DeploymentName : NewTestLA-Template
ResourceGroupName : testrg
ProvisioningState : Failed
Timestamp : 2/27/2019 9:00:11 AM
Mode : Incremental
TemplateLink :
Parameters :
Name Type Value
=============== ========================= ==========
workspaceName String NewTestLAWorkspaceWithFunctionAlias
location String eastus
sku String PerGB2018
Outputs :
DeploymentDebugLogLevel :
Just to add further, the exact json without that functionAlias worked for me. It created saved search.
When I add functionAlias, it threw above error. But it created workspace without any savedsearch/function.
Feb 27 2019 01:20 AM
Error is clear. You do not have workspace. This is basic ARM templating, but you need first to create the workspace and then the saved search. One cannot exist without the other. Use dependsOn.
Feb 27 2019 01:23 AM
I just want to add that I was able to create new workspace with saved search previously.
Attaching entire json.
{
  "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "String",
      "metadata": {
        "description": "Specifies the name of the workspace."
      }
    },
    "location": {
      "type": "String",
      "allowedValues": [
        "eastus",
        "westus"
      ],
      "defaultValue": "eastus",
      "metadata": {
        "description": "Specifies the location in which to create the workspace."
      }
    },
    "sku": {
      "type": "String",
      "allowedValues": [
        "Standalone",
        "PerNode",
        "PerGB2018"
      ],
      "defaultValue": "PerGB2018",
      "metadata": {
        "description": "Specifies the service tier of the workspace: Standalone, PerNode, Per-GB"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "name": "[parameters('workspaceName')]",
      "apiVersion": "2015-11-01-preview",
      "location": "[parameters('location')]",
      "properties": {
        "sku": {
          "Name": "[parameters('sku')]"
        },
        "features": {
          "searchVersion": 1
        }
      }
    },
    {
      "apiVersion": "2017-03-15-preview",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "name": "[concat(parameters('workspaceName'), '/', 'monitoralerts-cputest')]",
      "properties": {
        "category": "BasicMonitorAlertstest",
        "displayName": "monitoralerts-cputest",
        "query": "Perf | where ObjectName == \"Processor\" and CounterName == \"% Processor Time\" | summarize avg(CounterValue) by Computer, bin(TimeGenerated, 5m) | where avg_CounterValue > 95 | summarize arg_max(TimeGenerated, *) by Computer",
        "version": 2
      }
    }
  ]
}
I will anyway try with existing LA workspace and update.
Could you please elaborate on dependsOn? Any example would be great. Thanks.
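The `dependsOn` ordering recommended in the reply above, as an added example that is not from any poster in this thread: it reuses the thread's workspace and saved-search resources and declares the dependency, so Resource Manager starts the saved search only after the workspace deployment has finished instead of deploying both in parallel. The trimmed parameter block and the `comments` text are assumptions made here.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": { "type": "String" },
    "location": { "type": "String", "defaultValue": "eastus" },
    "sku": { "type": "String", "defaultValue": "PerGB2018" }
  },
  "resources": [
    {
      "comments": "Added example: the parent workspace, unchanged from the thread's template.",
      "type": "Microsoft.OperationalInsights/workspaces",
      "name": "[parameters('workspaceName')]",
      "apiVersion": "2015-11-01-preview",
      "location": "[parameters('location')]",
      "properties": {
        "sku": { "Name": "[parameters('sku')]" },
        "features": { "searchVersion": 1 }
      }
    },
    {
      "comments": "Added example: dependsOn makes this child resource wait for the workspace, avoiding the ResourceNotFound race.",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "name": "[concat(parameters('workspaceName'), '/', 'ABTemplateTest')]",
      "apiVersion": "2017-03-15-preview",
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ],
      "properties": {
        "category": "ABTemplateTest",
        "displayName": "GetVaultTest",
        "query": "AzureBackupReport_CL | where Category == \"AzureBackupReport\" and OperationName == \"Vault\" | where TimeGenerated >= ago(90d) | limit 5",
        "FunctionAlias": "getvaultfunctest",
        "version": 2
      }
    }
  ]
}
```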
Feb 27 2019 01:51 AM
Hi
I used the same json and provided existing workspace. It is creating function.
Thanks for the help.
Feb 27 2019 02:25 AM
You can read more about ARM templates here:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates
Jun 29 2020 05:24 PM
I can deploy the saved query however when I update the template, I get the following error:
New-AzResourceGroupDeployment : 01:18:36 - Resource Microsoft.OperationalInsights/workspaces/savedSearches
'Sentinel-Workspace140/testarmtemp' failed with message '{
"error": {
"code": "Conflict",
"message": "The remote server returned an error: (409) Conflict."
}
}'
At line:1 char:1
+ New-AzResourceGroupDeployment -TemplateFile .\ARMTemplateforFunction2 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep
loymentCmdlet
New-AzResourceGroupDeployment : 01:18:36 - Template output evaluation skipped: at least one resource deployment
operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage
details.
At line:1 char:1
+ New-AzResourceGroupDeployment -TemplateFile .\ARMTemplateforFunction2 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep
loymentCmdlet
New-AzResourceGroupDeployment : 01:18:36 - Template output evaluation skipped: at least one resource deployment
operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage
details.
At line:1 char:1
+ New-AzResourceGroupDeployment -TemplateFile .\ARMTemplateforFunction2 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDep
Below is my template:
{
  "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "apiVersion": "2020-03-01-preview",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "name": "Sentinel-Workspace140/testarmtemp",
      "properties": {
        "category": "ABTemplateTest",
        "displayName": "GetVaultTest",
        "query": "AzureBackupReport_CL | where Category == \"AzureBackupReport\" and OperationName == \"Vault\" | where TimeGenerated >= ago(90d) | limit 5",
        "FunctionAlias": "getvaultfunctest",
        "version": 2
      }
    }
  ]
}
Jun 29 2020 11:13 PM
Hi @kay106, the template that you have provided as an example works. Maybe the problem is that you do not apply it to the resource group where the workspace is located or the workspace does not exist.