SOLVED

log analytics API returning empty Table collection


I'm using Client Credentials to query Office 365 Audit data stored in Log Analytics. The AppID principal has Log Analytics Reader permissions to both the Log Analytics workspace and the Office 365 Audit Solution through IAM. (As detailed here: https://dev.loganalytics.io/documentation/1-Tutorials/Direct-API)

 

When I invoke a REST request against the endpoint, I get an HTTP 200 response, so authentication is working fine, but the Content payload is empty and just returns {"tables":[]}, without any results.

 

This happens regardless of query, all of which work fine when testing the query through the Log Explorer interface in the workspace.

I thought this might be permissions related, but still no change despite adding the App permissions to both workspace and solution. Any thoughts welcome as my Bing-fu hasn't helped.

 

Paul.

2 Replies
Solution

After much bashing of the head against the desk, it would seem that not all the queries that work in the Log Analytics web engine work through the API. My previous errors were being masked by the JSON not converting properly and being left out of the body. Fiddler ftw!

 

If I use "search Operation == 'desired op'" and pass it into the body of the POST then that works ok and results are returned.


@Paul Hunt - Cimares I got the same, trying simple query 'Heartbeat| limit 50' which gets me empty table. How do I pass "search Operation == 'desired op'" into the body? Thnx
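
Added example, not part of the original thread: one way to pass the query in the POST body from PowerShell, serializing it with `ConvertTo-Json` so that a malformed body cannot silently drop the query, which is the failure the accepted answer describes. The tenant, app and workspace IDs are placeholders, the `LA_CLIENT_SECRET` environment variable is an assumption, and the endpoints are those of the Direct-API tutorial linked in the question.

```powershell
# Added example; IDs below are placeholders, not values from the thread.
$tenantId     = '<tenant-id>'
$clientId     = '<app-id>'
$clientSecret = $env:LA_CLIENT_SECRET   # assumption: secret kept out of the script
$workspaceId  = '<workspace-id>'

# Client-credentials token for the Log Analytics API resource.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $clientSecret
        resource      = 'https://api.loganalytics.io'
    }

# Build the body with a serializer so quotes inside the KQL are escaped
# correctly instead of being concatenated into a JSON string by hand.
$kql  = "search Operation == 'desired op'"
$body = @{ query = $kql } | ConvertTo-Json -Compress

# Round-trip check: the query must survive serialization unchanged.
if ((ConvertFrom-Json $body).query -ne $kql) {
    throw "Query was altered or dropped during JSON serialization: $body"
}

$response = Invoke-RestMethod -Method Post `
    -Uri "https://api.loganalytics.io/v1/workspaces/$workspaceId/query" `
    -Headers @{ Authorization = "Bearer $($token.access_token)" } `
    -ContentType 'application/json' `
    -Body $body

# The thread saw HTTP 200 with {"tables":[]}, so a successful status code
# proves nothing here: check the payload and show what was actually sent.
if (-not $response.tables -or $response.tables.Count -eq 0) {
    Write-Warning "No tables returned; body sent was: $body"
} else {
    # Rows come back as arrays; pair each value with its column name.
    $table = $response.tables[0]
    $cols  = @($table.columns.name)
    $table.rows | ForEach-Object {
        $row = $_; $obj = [ordered]@{}
        for ($i = 0; $i -lt $cols.Count; $i++) { $obj[$cols[$i]] = $row[$i] }
        [pscustomobject]$obj
    }
}
```

Swapping `$kql` for `Heartbeat | limit 50` exercises the same path; if the warning fires, compare the printed body with what a proxy such as Fiddler shows on the wire.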