Query with SCCM ComputerGroup


The following documentation provides some example queries using Computer Groups:

Computer groups in Log Analytics log searches

I am attempting to run a query using some computer groups imported from SCCM. I have confirmed that the groups are available through Settings > Computer Groups > SCCM. However, my query isn't providing any results. These are a couple of the queries I am attempting to process:

let WaaSGroup = ComputerGroup | where GroupSource == "SCCM" and Group == "Collection 001" | distinct Computer;
WaaSDeploymentStatus | where Computer in (WaaSGroup) | where DeploymentStatus=="Failed"

let DriverGroup = ComputerGroup | where GroupSource == "SCCM" and Group == "Collection 002"
UADriver | where Computer in (DriverGroup) | where Issue == "Driver will not migrate to new OS"

Does anyone have any clarification on the query syntax when using an imported computer group?

Thanks!

2 Replies

Hi Bob,

Please provide us with some more details so we can help you.

Do the following queries provide any results?

  1. ComputerGroup | where GroupSource == "SCCM" and Group == "Collection 001" | distinct Computer
  2. ComputerGroup | where GroupSource == "SCCM" and Group == "Collection 001" and TimeGenerated > ago(2d) | distinct Computer
  3. ComputerGroup | where GroupSource == "SCCM" and Group == "Collection 002" | distinct Computer
  4. ComputerGroup | where GroupSource == "SCCM" and Group == "Collection 002" and TimeGenerated > ago(2d) | distinct Computer

BTW: you forgot the "distinct Computer" in the Collection 002 query.

Thanks,

Meir

Hi Meir,

All 4 of the queries that you provided work as expected. I receive the list of computers that correspond to the different groups.

How would I take these results and run them against a table search? For example, one of the following conditions:

WaaSDeploymentStatus | where Computer in (WaaSGroup) | where DeploymentStatus=="Failed"


UADriver | where Computer in (DriverGroup) | where Issue == "Driver will not migrate to new OS"