Different data in OMS


Recently I tried to export the data from OMS by using four different approaches:

1. Get-AzureRmOperationalInsightsSearchResults
2. Invoke-AzureRmOperationalInsightsQuery
3. Invoke-RestMethod
4. Invoke-WebRequest
 
In every case except the first one (Get-AzureRmOperationalInsightsSearchResults) there is no data for the "id" or "__metadata" columns. By using approaches number 2, 3 and 4 I get the data below:
"TenantId, SourceSystem,, TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, ParameterXml, EventData, EventID, RenderedDescription, AzureDeploymentID, Role, EventCategory, UserName, Message, MG, ManagementGroupName, Type"
 
Unfortunately those 2 columns are not visible in OMS Web View, but they are stored in OMS and they are exported with no problems by using the first scenario. Below is an example of those 2 columns exported by using the Get-AzureRmOperationalInsightsSearchResults cmdlet:
"id": "1a2c0cbe-a1b7-4ca2-1b32-83a1bc3a5bfe",
"__metadata": {
    "Type": "Event",
    "TimeGenerated": "2018-05-16T11:05:24.233Z"
 
In this scenario (Get-AzureRmOperationalInsightsSearchResults) I get slightly different data (bold text below and above): 
"TenantId, SourceSystem, TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, ParameterXml, EventData, EventID, RenderedDescription, EventCategory, UserName, MG, ManagementGroupName, Type, id": "c143b539-b17c-4a12-9cb4-25b78a3a21af", __metadata": {"Type": "Event","TimeGenerated": "2018-05-16T11:05:47.22Z""
 
The point, however, is to export that data by using approach number 2, 3 or 4, because only this way can I use the new query language, and I need those 2 types of data to ensure compatibility with already gathered data.
 
 
2 Replies
Hi,

You can see more details on using PowerShell for Log Analytics queries here: https://dev.loganalytics.io/documentation/Tools/PowerShell-Cmdlets

Thanks,
Meir

Hi Meir,

Thanks for your answer.

I tried all of that already but with no effect.

Regards,

Bartłomiej