SOLVED

Issue with log analytics query - need to add multiple resource group names in the filter.


Hi Team,

I have written a Log Analytics query to trigger an alert for the last heartbeat, and I need to restrict that query to only a few resource groups.

 

Query:

Heartbeat
| where TimeGenerated > ago(1h)
| where SubscriptionId != ""
| where ResourceGroup == "AZ-RG-TST"
| summarize LastHeartbeat = arg_max(TimeGenerated, SubscriptionId, TenantId, ResourceGroup) by Computer
| where isnotempty(Computer)
| where LastHeartbeat < ago(10m)
| project TenantId, SubscriptionId, Computer, LastHeartbeat, ResourceGroup

 

Can you please help me add multiple resource group names to the filter, as I don't find that option?

1 Reply
Best Response confirmed by Syed_Aman (Occasional Contributor)
Solution

Hi @Syed_Aman 

 

You could change one line and provide a list?

| where ResourceGroup in ("AZ-RG-TST", "AZ-RG-?????", "AZ-RG-?????")

or

| where ResourceGroup startswith "AZ-RG"
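
The list form from the reply, placed into the full heartbeat query (an added example, not part of the original thread). It keeps the list in a `let` variable and uses `in~`, the case-insensitive variant of `in`. The resource group names other than "AZ-RG-TST" are placeholders.

```kusto
// Added example. Names other than "AZ-RG-TST" are placeholders to replace.
let MonitoredResourceGroups = dynamic(["AZ-RG-TST", "AZ-RG-PLACEHOLDER-1", "AZ-RG-PLACEHOLDER-2"]);
Heartbeat
| where TimeGenerated > ago(1h)
| where SubscriptionId != ""
// "in" is case-sensitive; "in~" also matches values logged as "az-rg-tst"
| where ResourceGroup in~ (MonitoredResourceGroups)
| summarize LastHeartbeat = arg_max(TimeGenerated, SubscriptionId, TenantId, ResourceGroup) by Computer
| where isnotempty(Computer)
| where LastHeartbeat < ago(10m)
| project TenantId, SubscriptionId, Computer, LastHeartbeat, ResourceGroup
```

Because the query reads only the last hour of Heartbeat records, a computer that has been silent for longer than an hour returns no row and drops out of the alert result.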