Powershell and Rest API
12 Topics

Permissions to query Azure Log Analytics from PowerShell
Team, I am able to query with the following code from one workspace, but the same code is not working for another workspace, although I am able to query directly after logging in to both workspaces. I have read access where the PowerShell code does not return any output. Do I need any additional permission to run the code below?

    $query = "Heartbeat | where TimeGenerated > ago(1d) | summarize LastHeartbeat = max(TimeGenerated) by Computer | where isnotempty(Computer) | where LastHeartbeat < ago(1h)"
    $selectSub = Set-AzContext -SubscriptionId "f8878fbq-4ch3-4ce0-8b08-9729ab66fa42"
    if ($selectSub) {
        $Workspace = Get-AzOperationalInsightsWorkspace -Name "insight-lt-workspace" -ResourceGroupName "azure-insight-lt"
        try {
            # -ErrorAction Stop turns a failed query into a terminating error so the catch block actually runs;
            # with SilentlyContinue the failure is swallowed and $Result is simply left empty.
            $Result = Invoke-AzOperationalInsightsQuery -WorkspaceId $Workspace.CustomerId.Guid -Query $query -Verbose -ErrorAction Stop
        }
        catch {
            Write-Host "Failure: $($_.Exception.Message)"
        }
    }
    $Result.Results

Thanks, Biswajit

1.8K Views | 1 like | 0 Comments

Computer group created through PowerShell cmdlet not working
I created a computer group using the PowerShell cmdlet New-AzOperationalInsightsComputerGroup:

    $Query = "Heartbeat | where Computer in ('myserver.adx.com') | distinct Computer"
    New-AzOperationalInsightsComputerGroup -ResourceGroupName "MyRG" -WorkspaceName "My WN" -SavedSearchId "id12345" -DisplayName "MyDN" -Category "MyCategory" -Query $Query -Version 1

To confirm the group was created successfully:

    (Get-AzOperationalInsightsSavedSearch -ResourceGroupName "MyRG" -WorkspaceName "My WN").Value.Properties |
        Where-Object { $_.Category -eq "MyCategory" -and $_.DisplayName -eq "MyDN" }

    Category    : MyCategory
    DisplayName : MyDN
    Query       : Heartbeat | where Computer in ('myserver.adx.com') | distinct Computer
    Version     : 2
    Tags        : {Group}

Now I go to Log Analytics and run:

    MyDN | project Computer
    MyDN | distinct Computer

Both commands fail with "Syntax Error": 'distinct' operator: Failed to resolve table or column expression named 'MyDN'

I reached out to support and was told that I need a "function" to use groups in a query, and that New-AzOperationalInsightsComputerGroup does not create a function. Is there a way I can create a function/computer group through PowerShell?

Solved | 1.7K Views | 0 likes | 3 Comments

Fetch Log Analytics workspace alert types configured in a CSV using PowerShell
Hello, I want to create a PowerShell script to find the currently configured alerts in an Azure subscription and save the data in a CSV file. I am interested in getting the "Alert Types" in my results for all the VMs for which alerts are configured using a Log Analytics workspace.

2.8K Views | 0 likes | 6 Comments

Log Analytics API returning empty table collection
I'm using client credentials to query Office 365 Audit data stored in Log Analytics. The AppID principal has Log Analytics Reader permissions to both the Log Analytics workspace and the Office 365 Audit solution through IAM (as detailed here: https://dev.loganalytics.io/documentation/1-Tutorials/Direct-API). When I invoke a REST request against the endpoint, I get an HTTP 200 response, so authentication is working fine, but the content payload is empty and just returns {"tables":[]}, without any results. This happens regardless of the query, all of which work fine when testing the query through the Log Explorer interface in the workspace. I thought this might be permissions related, but there is still no change despite adding the app permissions to both the workspace and the solution. Any thoughts welcome, as my Bing-fu hasn't helped. Paul.

Solved | 6.9K Views | 0 likes | 4 Comments

Log Analytics API
Hey - I have built up a collection of saved searches in Azure Log Analytics, mainly searching the SecurityAlerts, SignInLogs and OfficeActivity tables. When I get a security alert notification from Microsoft, I run my searches, then export to CSV to search for indicators of compromise, bla bla. This is great, somewhat quick and easy. But is there a programmatic way of doing this? Using the Security Graph API I can see the signIn resource type, so that's great, but I do not see an Exchange mailbox audit log resource, so I cannot see how to retrieve audit logs via an API. Can I query the Log Analytics data directly through an API, or is there another way to access this data programmatically? I looked at using the Azure Cloud Console, but even this didn't seem to be able to access the data.

Solved | 3.5K Views | 0 likes | 1 Comment

ARM Template for KQL Query Alert
Hi All, I want to configure a Log Analytics alert using ARM templates, so I am following the given link: https://docs.microsoft.com/en-in/azure/azure-monitor/insights/solutions-resources-searches-alerts#sample

But the problem is, I am working on a requirement to create CPU, Memory and Disk alerts, and for this I need to write 3 different ARM templates with different KQL. Could anyone please help me edit this given template to achieve my requirement of generating all alerts using a single ARM template? If I create 3 different templates, the major problem is that I will have 3 solutions under my Log Analytics, as this template creates a solution for each alert. So I am just looking for a way to edit this template in such a way as to configure multiple alerts using a single template. Looking forward to your reply.

Elaborating more about the question. Why I want to create multiple alerts using one template:

• As it creates a solution for every alert, if I use a new template for every single alert then I will have lots of solutions under Azure.
• And the creation of multiple templates will create a mess too.

Now suppose I need to create a new Disk alert; then I need to edit the fields below in the template (highlighted in brown for the Disk alert). This will create a new solution for the alert, but I want to create multiple alerts under this one solution.

    "SolutionName": "SolutionTest2",
    "SolutionVersion": "1.0",
    "SolutionPublisher": "SolutionTesters",
    "ProductName": "SolutionTest2",
    "LogAnalyticsApiVersion": "2017-03-03-preview",
    "MySearch": {
        "displayName": "Disk over 70%",
        "query": "Perf | where ObjectName==\"LogicalDisk\" and CounterName==\"% Free Space\" and CounterValue>70 ",
        "category": "Samples",
        "name": "Samples-Count of Disk Data"
    },
    "MyAlert": {
        "Name": "[toLower(concat('myalert-',uniqueString(resourceGroup().id, deployment().name)))]",
        "DisplayName": "Disk over 70%",
        "Description": "Disk alert. Fires when 3 error records found over hour interval.",
        "Severity": "critical",
        "ThresholdOperator": "gt",
        "ThresholdValue": 70,
        "Schedule": {
            "Name": "[toLower(concat('myschedule-',uniqueString(resourceGroup().id, deployment().name)))]",
            "Interval": 15,
            "TimeSpan": 60
        },
        "MetricsTrigger": {
            "TriggerCondition": "Consecutive",
            "Operator": "gt",
            "Value": 3
        },
        "ThrottleMinutes": 60,
        "AzNsNotification": {
            "GroupIds": [
                "[parameters('actiongroup')]"
            ],

I also got to know that the APIs used in the given link are deprecated, however still working. So we need to create the template using the https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-create-multiple-instances?tabs=azure-cli APIs.

Solved | 4.1K Views | 0 likes | 4 Comments

How to install OMS extension on Linux VMs using CLI
Hi There, I want to install the OMS extension on Linux VMs using Azure CLI, and for this I am using the code below. But I am not sure why there are two values, workspaceKey and omskey, as well as workspaceId and omsid. Are they referring to two different keys and IDs?

    az vm extension set \
      --resource-group myResourceGroup \
      --vm-name myVM \
      --name OmsAgentForLinux \
      --publisher Microsoft.EnterpriseCloud.Monitoring \
      --version 1.7 \
      --protected-settings '{"workspaceKey": "omskey"}' \
      --settings '{"workspaceId": "omsid"}'

4.8K Views | 0 likes | 6 Comments

Log Analytics Data Collector API PowerShell Function
I created a function that takes as input the time, log type and a hashtable and writes it to Log Analytics. This was intended to be a "universal" log writer for Log Analytics. I use it in an Azure Automation module so I can pass log data from any runbook to Log Analytics, but it could be used in any PowerShell script. The function is on GitHub: https://github.com/tsrob50/LogAnalyticsAPIFunction

Links to resources and an overview video here: http://www.ciraltos.com/azure-oms-log-analytics-step-by-step-data-collector-api/

3.1K Views | 0 likes | 0 Comments

How to export Azure Alert Rules (Log Analytics)
Hi, I am trying to export all rules (enabled/disabled) from the Azure Portal using the Get-AzureRmAlertRule cmdlet; however, it is returning blank output. I have more than 10 rules configured. Some are enabled and some are disabled. FYR: please find attached a screenshot of PowerShell. Somewhere, I read that this cmdlet pulls the data for App Insights rules only. Is this true? I would appreciate it if someone could help me understand the issue and export the requested data. Regards, Ravi

32K Views | 0 likes | 11 Comments

Saved Searches API
When using https://docs.microsoft.com/en-us/rest/api/loganalytics/savedsearches/getresults I receive the following error:

    {"error":{"code":"InvalidOperationArgument","message":"Saved search result not supported for the new query language"}}

I've tried using API versions "api-version=20150320" and "20170101preview" (dashes removed) and receive the above error. Is Saved Search supported in the new query language; if not, when will the API be updated?

Solved | 2.8K Views | 0 likes | 2 Comments