SOLVED

log analytics API returning empty Table collection

MVP

I'm using Client Credentials to query Office 365 Audit data stored in Log Analytics. The AppID principal has Log Analytics Reader permissions to both the Log Analytics workspace and the Office 365 Audit Solution through IAM. (As detailed here: https://dev.loganalytics.io/documentation/1-Tutorials/Direct-API)

 

When I invoke a REST request against the endpoint, I get an HTTP 200 response, so authentication is working fine, but the Content payload is empty and just returns {"tables":[]}, without any results.

This happens regardless of query, all of which work fine when testing the query through the Log Explorer interface in the workspace.

I thought this might be permissions related, but still no change despite adding the App permissions to both workspace and solution. Any thoughts welcome as my Bing-fu hasn't helped.

 

Paul.

4 Replies
best response confirmed by Paul Hunt - Cimares (MVP)
Solution

After much bashing of the head against the desk, it would seem that not all the queries that work in the Log Analytics web engine work through the API. My previous errors were being masked by the JSON not converting properly and being left out of the body. Fiddler ftw!

 

If I use "search Operation == 'desired op'" and pass it into the body of the POST then that works ok and results are returned.

@Paul Hunt - Cimares I got the same result trying the simple query 'Heartbeat| limit 50', which gets me an empty table. How do I pass "search Operation == 'desired op'" into the body? Thanks

@niukk in my case, it was a missing "Content-Type: application/json" header.

 

Once the request header was added, data was returned.

 

I had the same problem. Instead of posting the query as JSON, just append the query string to the URL,
like:

url = "https://api.loganalytics.io/v1/workspaces/"+ workspace_id + "/query?query=AzureActivity | summarize count() by Category"
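
The two request shapes discussed in this thread (JSON body with a Content-Type header, and the query appended to the URL), as an added example that is not code from any of the posters. The function names, workspace ID and token placeholders are assumptions, and the sample response is constructed; nothing is sent over the network.

```python
import json
import urllib.parse
import urllib.request

API_ROOT = "https://api.loganalytics.io/v1/workspaces/"  # endpoint quoted in the thread

def build_post(workspace_id, token, kql):
    """POST form: the query travels as a JSON document in the body."""
    body = json.dumps({"query": kql}).encode("utf-8")  # json.dumps escapes quotes in the KQL
    return urllib.request.Request(
        API_ROOT + workspace_id + "/query",
        data=body,
        method="POST",
        headers={
            "Authorization": "Bearer " + token,
            "Content-Type": "application/json",  # the header one reply found missing
        },
    )

def build_get(workspace_id, token, kql):
    """GET form: the query is percent-encoded into the URL (spaces, pipes, parens)."""
    qs = urllib.parse.urlencode({"query": kql}, quote_via=urllib.parse.quote)
    return urllib.request.Request(
        API_ROOT + workspace_id + "/query?" + qs,
        headers={"Authorization": "Bearer " + token},
    )

def rows_from_response(payload):
    """Turn the first result table into dicts; fail loudly on the empty case."""
    doc = json.loads(payload)
    if not doc.get("tables"):
        # The symptom from the original post: HTTP 200 but {"tables":[]}
        raise LookupError("no tables returned: check body encoding and Content-Type")
    table = doc["tables"][0]
    names = [c["name"] for c in table["columns"]]
    return [dict(zip(names, row)) for row in table["rows"]]

# Constructed sample response, not captured from a real workspace.
SAMPLE = ('{"tables":[{"name":"PrimaryResult","columns":[{"name":"Category","type":"string"},'
          '{"name":"count_","type":"long"}],"rows":[["Administrative",12]]}]}')

if __name__ == "__main__":
    req = build_post("<workspace-id>", "<access-token>", "search Operation == 'desired op'")
    print(req.get_method(), req.full_url, req.header_items(), req.data)
    print(build_get("<workspace-id>", "<access-token>", "Heartbeat| limit 50").full_url)
    print(rows_from_response(SAMPLE))
```

Printing the built request before sending it shows the same thing Fiddler did in the accepted answer: whether the body is valid JSON and whether the Content-Type header is present.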