SOLVED

Computer group created through PowerShell cmdlet not working

%3CLINGO-SUB%20id%3D%22lingo-sub-890105%22%20slang%3D%22en-US%22%3EComputer%20group%20created%20through%20PowerShell%20cmdlet%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-890105%22%20slang%3D%22en-US%22%3E%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EI%20created%20computer%20group%20using%20powershell%20cmdlet%20New-AzOperationalInsightsComputerGroup%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E-------%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%24Query%26nbsp%3B%20%3D%20%22Heartbeat%20%7C%20where%20Computer%20in%20('myserver.adx.com')%20%7C%20distinct%20Computer%22%3CBR%20%2F%3ENew-AzOperationalInsightsComputerGroup%20-ResourceGroupName%20%22MyRG%22%20-WorkspaceName%20%22My%20WN%22%20-SavedSearchId%20%22id12345%22%20-DisplayName%20%22MyDN%22%20-Category%20%22MyCategory%22%20-Query%20%24Query%20-Version%201%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%22%3E-------%3C%2FFONT%3E%3C%2FP%3E%0A%3CDIV%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3ETo%20confirm%20group%20is%20created%20successfully%3CBR%20%2F%3E--------------------%3CBR%20%2F%3E(Get-AzOperationalInsightsSavedSearch%20-ResourceGroupName%20%22MyRG%22%20-WorkspaceName%20%22My%20WN%22).Value.Properties%20%7C%20%3F%7B%24_.category%20-eq%20%22MyCategory%22%26nbsp%3B%20-and%20%24_.DisplayName%20-eq%20%22MyDN%22%7D%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3ECategory%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20MyCategory%3CBR%20%2F%3EDisplayName%20%3A%20MyDN%3CBR%20%2F%3EQuery%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20Heartbeat%20%7C%20where%20Computer%20in%20('myserver.adx.com')%20%7C%20distinct%20Computer%3CBR%20%2F%3EVersion%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%202%3CBR%20%2F%3ETags%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20%7BGroup%7D%3CBR%20%2F%3E--------------------%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3ENow%20I%20go%20to%20log%20analytics%20and%20run%20%3CBR%20%2F%3E--------------------%3CBR%20%2F%3EMyDN%3CBR%20%2F%3E%7C%20project%20Computer%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EMyDN%3CBR%20%2F%3E%7C%20distinct%20Computer%3CBR%20%2F%3E--------------------%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EBoth%20commands%20fail%20with%20%E2%80%9CSyntax%20Error%E2%80%9D%20'distinct'%20operator%3A%20Failed%20to%20resolve%20table%20or%20column%20expression%20named%20'MyDN'%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3Ei%20reached%20out%20to%20support%20and%20was%20told%20that%20i%20need%20a%20%22function%22%20to%20use%20groups%20in%20query%20and%20%22%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3ENew-AzOperationalInsightsComputerGroup%3C%2FFONT%3E%22%20does%20not%20create%20a%20function.%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3Eis%20there%20a%20way%20i%20can%20create%20function%2Fcomputergroup%20through%20powershell%20%3F%3C%2FFONT%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-890105%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPowershell%20and%20Rest%20API%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-891402%22%20slang%3D%22en-US%22%3ERe%3A%20Computer%20group%20created%20through%20PowerShell%20cmdlet%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-891402%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F192811%22%20target%3D%22_blank%22%3E%40Mayank%20Bansal%3C%2FA%3E%20You%20can%20use%20PowerShell%20to%20do%20ARM%20template%20deployment.%20The%20resource%20part%20in%20your%20case%20will%20look%20like%20this%3A%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-javascript%22%3E%3CCODE%3E%7B%0A%20%20%20%20%20%20%22name%22%3A%20%22%5Bconcat(parameters('logAnalyticsWorkspaceName')%2C%20'%2F'%2C%20'id12345'%20)%5D%22%2C%0A%20%20%20%20%20%20%22type%22%3A%20%22Microsoft.OperationalInsights%2Fworkspaces%2FsavedSearches%22%2C%0A%20%20%20%20%20%20%22apiVersion%22%3A%20%222017-03-15-preview%22%2C%0A%20%20%20%20%20%20%22tags%22%3A%20%7B%0A%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%22properties%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%22query%22%3A%20%22Heartbeat%20%7C%20where%20Computer%20in%20('myserver.adx.com')%20%7C%20distinct%20Computer%22%2C%0A%20%20%20%20%20%20%20%20%22displayName%22%3A%20%22MyDN%22%2C%0A%20%20%20%20%20%20%20%20%22category%22%3A%20%22MyCategory%22%2C%0A%20%20%20%20%20%20%20%20%22FunctionAlias%22%20%3A%20%22MyDN%22%2C%0A%20%20%20%20%20%20%20%20%22Version%22%3A%202%2C%0A%20%20%20%20%20%20%20%20%22ETag%22%3A%20%22*%22%2C%0A%20%20%20%20%20%20%20%20%22Tags%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22Name%22%3A%20%22Group%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22Value%22%3A%20%22Computer%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%5D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3EThe%20tags%20part%20with%20name%20Group%20and%20value%20Computer%20basically%20makes%20the%20function%20also%20Computer%20group.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-909501%22%20slang%3D%22en-US%22%3ERe%3A%20Computer%20group%20created%20through%20PowerShell%20cmdlet%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-909501%22%20slang%3D%22en-US%22%3EThanks%20this%20helped.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1956538%22%20slang%3D%22en-US%22%3ERe%3A%20Computer%20group%20created%20through%20PowerShell%20cmdlet%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1956538%22%20slang%3D%22en-US%22%3E%3CP%3ETo%20assist%20anyone%20else%20arriving%20from%20Google%2FBing%2C%20I'd%20suggest%20using%20the%20more%20fully-featured%20cmdlet%20New-AzOperationalInsightsSavedSearch%20to%20create%20usable%20computer%20groups.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20computer%20group%20saved%20query%20(e.g.%20used%20to%20target%20Azure%20Update%20Management%20deployments)%20needs%20to%20be%20saved%20both%20as%20a%20Function%2C%20and%20also%20have%20a%20tag%20of%20'Group'%20with%20value%20of%20'Computer'.%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3ENew-AzOperationalInsightsComputerGroup%20with%20-Debug%20shows%20it%20creates%20the%20tag%2C%20but%20forgets%20to%20add%20the%20necessary%20functionAlias%20parameter.%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3E%24Query%26nbsp%3B%3D%26nbsp%3B%22ComputerGroup%26nbsp%3B%7C%26nbsp%3Bwhere%26nbsp%3BGroupSource%26nbsp%3B%3D%3D%26nbsp%3B'ActiveDirectory'%26nbsp%3Band%26nbsp%3BGroup%26nbsp%3B%3D%3D%26nbsp%3B'%24ADGroupName'%26nbsp%3B%7C%26nbsp%3Bdistinct%26nbsp%3BComputer%22%0A%24Tag%26nbsp%3B%3D%26nbsp%3B%40%7B%0A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BGroup%26nbsp%3B%3D%26nbsp%3B'Computer'%0A%7D%0ANew-AzOperationalInsightsSavedSearch%26nbsp%3B-ResourceGroupName%26nbsp%3B%22MyRG%22%26nbsp%3B-WorkspaceName%26nbsp%3B%22MyWN%22%26nbsp%3B-SavedSearchId%26nbsp%3B%22id12345%22%26nbsp%3B-DisplayName%26nbsp%3B%22MyDN%22%26nbsp%3B-Category%26nbsp%3B%22MyCategory%22%26nbsp%3B-Query%26nbsp%3B%24Query%26nbsp%3B-FunctionAlias%26nbsp%3B%22my_ad_group_name%22%26nbsp%3B-Tag%26nbsp%3B%24Tag%3C%2FCODE%3E%3C%2FPRE%3E%3C%2FLINGO-BODY%3E
Microsoft

I created computer group using powershell cmdlet New-AzOperationalInsightsComputerGroup

-------

$Query  = "Heartbeat | where Computer in ('myserver.adx.com') | distinct Computer"
New-AzOperationalInsightsComputerGroup -ResourceGroupName "MyRG" -WorkspaceName "My WN" -SavedSearchId "id12345" -DisplayName "MyDN" -Category "MyCategory" -Query $Query -Version 1

-------

To confirm group is created successfully
--------------------
(Get-AzOperationalInsightsSavedSearch -ResourceGroupName "MyRG" -WorkspaceName "My WN").Value.Properties | ?{$_.category -eq "MyCategory"  -and $_.DisplayName -eq "MyDN"}
Category    : MyCategory
DisplayName : MyDN
Query       : Heartbeat | where Computer in ('myserver.adx.com') | distinct Computer
Version     : 2
Tags        : {Group}
--------------------
Now I go to log analytics and run
--------------------
MyDN
| project Computer
MyDN
| distinct Computer
--------------------
Both commands fail with “Syntax Error” 'distinct' operator: Failed to resolve table or column expression named 'MyDN'
 
i reached out to support and was told that i need a "function" to use groups in query and "New-AzOperationalInsightsComputerGroup" does not create a function.
 
is there a way i can create function/computergroup through powershell ?
3 Replies
best response confirmed by Stanislav Zhelyazkov (MVP)
Solution

Hi@Mayank Bansal You can use PowerShell to do ARM template deployment. The resource part in your case will look like this:

{
      "name": "[concat(parameters('logAnalyticsWorkspaceName'), '/', 'id12345' )]",
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2017-03-15-preview",
      "tags": {
      },
      "properties": {
        "query": "Heartbeat | where Computer in ('myserver.adx.com') | distinct Computer",
        "displayName": "MyDN",
        "category": "MyCategory",
        "FunctionAlias" : "MyDN",
        "Version": 2,
        "ETag": "*",
        "Tags": [
            {
                "Name": "Group",
                "Value": "Computer"
            }
        ]
      }
    }

The tags part with name Group and value Computer basically makes the function also Computer group.

Thanks this helped.

To assist anyone else arriving from Google/Bing, I'd suggest using the more fully-featured cmdlet New-AzOperationalInsightsSavedSearch to create usable computer groups.

 

A computer group saved query (e.g. used to target Azure Update Management deployments) needs to be saved both as a Function, and also have a tag of 'Group' with value of 'Computer'.
 
New-AzOperationalInsightsComputerGroup with -Debug shows it creates the tag, but forgets to add the necessary functionAlias parameter.

$Query = "ComputerGroup | where GroupSource == 'ActiveDirectory' and Group == '$ADGroupName' | distinct Computer"
$Tag = @{
    Group = 'Computer'
}
New-AzOperationalInsightsSavedSearch -ResourceGroupName "MyRG" -WorkspaceName "MyWN" -SavedSearchId "id12345" -DisplayName "MyDN" -Category "MyCategory" -Query $Query -FunctionAlias "my_ad_group_name" -Tag $Tag