cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Computer Groups with new query language?

Sean Tompkins
New Contributor

‎Oct 06 2017 07:30 AM - last edited on ‎Apr 07 2022 04:45 PM by

‎Oct 06 2017 07:30 AM - last edited on ‎Apr 07 2022 04:45 PM by

Computer Groups with new query language?

I'm trying to set up computer groups in my OMS environment, but running into some issues. Has anyone used computer groups successfully with the new query language?

 

I see the created computer groups in settings, and can view members of the group from there. I created the group with a query that looks like this: Heartbeat | where Computer has "dev" | distinct Computer

 

The only blog I can find on using computer groups in queries is here, and it uses the older query language: https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/

like this: Type:Perf ObjectName=Processor Computer IN $ComputerGroups[My Crepe Computers] | measure avg(CounterValue) by Computer interval 1HOUR

 

When I try to use this format in the Legacy language converter, I get an error saying "no viable alternative at input 'Heartbeat(Computerin'" (note that in my query there ARE spaces between Computer, in, and heartbeat). If I try the regular search window with 'Heartbeat | where (Computer in $ComputerGroups[mygroupname]' I get the error 'A recognition error occurred. Token: "in".' Finally, if I add ComputerGroups to the filter window, every query I try leaves the computergroup fields with no entries, so the filter is greyed out.

 

Has anyone worked with computer groups in the new OMS? Are they broken, or am I missing something? I've scoured the language documentation and can't find anything there...

Labels:
5,402 Views
1 Like
8 Replies
Reply
8 Replies
Richard Pesenko

‎Oct 08 2017 08:01 PM

‎Oct 08 2017 08:01 PM

Re: Computer Groups with new query language?

I was able to get this to work in my subscription:
Heartbeat | where Computer contains "<name>" | distinct Computer

 

I then saved the query, made a function of it, and used it to create a computer group.

 

 

0 Likes
Reply
Sean Tompkins

‎Oct 09 2017 06:16 AM

‎Oct 09 2017 06:16 AM

Re: Computer Groups with new query language?

Can you use that computer group in a query? That's the part that is failing for me.

0 Likes
Reply
Ketan Ghelani

‎Oct 09 2017 07:57 PM

‎Oct 09 2017 07:57 PM

Re: Computer Groups with new query language?

Please refer to the documentation.  Please refer to the "Notes" section that refers to the new query language.

1 Like
Reply
best response confirmed by Stanislav Zhelyazkov (MVP)
Stanislav Zhelyazkov

‎Oct 09 2017 10:51 PM

‎Oct 09 2017 10:51 PM

Solution

Re: Computer Groups with new query language?

Example:

Heartbeat | where Computer contains "SRV" | distinct Computer

 

You will create function out of this query and save with it with alias MyComputers for example. Than in a new query you can refer to it in this way for example:

 

Perf | where Computer in (MyComputers)

 

If it does not work right away in the Analytics Portal try refreshing it.

1 Like
Reply
James B

‎Nov 10 2017 02:28 AM

‎Nov 10 2017 02:28 AM

Re: Computer Groups with new query language?

Hi Stanislav,

 

I have followed your example but I still can't get computer groups to work.

 

OMs_v1.JPG

 

I have saved the search and can see the group under Computer Groups > Saved Groups but I am unable to reference the group in a search query. We had this working in the legacy log analytics but it didn't get converted during the log analytics upgrade.

 

0 Likes
Reply
Stanislav Zhelyazkov

‎Nov 10 2017 02:31 AM

‎Nov 10 2017 02:31 AM

Re: Computer Groups with new query language?

Perf type is with capital P so it will be Perf | where Computer in (MyComputers) The language is casesensitive. Let me know if that fixes it.
0 Likes
Reply
James B

‎Nov 10 2017 02:59 AM

‎Nov 10 2017 02:59 AM

Re: Computer Groups with new query language?

I believe I have spotted the issue, the capital P was issue number 1 :) issue number 2 is that the search save was a legacy format: Type=Heartbeat OSType=Linux Computer=regex("@p{1}[0-9]*") | Distinct  Computer

 

I had to save the search using the new format:
Heartbeat | where OSType == "Linux" and Computer matches regex "^.+p{1}[0-9]*$" | distinct Computer

after I had saved the search I was then able to use your search and it worked.

 

Perf | where Computer in (MyComputers())
 
 
thank you very much for your assistance :) 




0 Likes
Reply
Stanislav Zhelyazkov

‎Nov 10 2017 03:01 AM

‎Nov 10 2017 03:01 AM

Re: Computer Groups with new query language?

Happy to hear that it is working.
0 Likes
Reply