Azure Monitor

'where' operator: Failed to resolve table or column expression named 'SecurityEvent'
Hello Community, whenever I attempt to run the following Log Analytics query in Azure Log Analytics I get the following error:

'where' operator: Failed to resolve table or column expression named 'SecurityEvent'

I think it's because I need to enable 'SecurityEvent' in Log Analytics but I'm not sure. I was wondering if someone could provide a guide.

    SecurityEvent
    | where AccountType == "User" and EventID == 4625 and TimeGenerated > ago(6h)
    | summarize IPCount = dcount(IpAddress), makeset(IpAddress) by Account
    | where IPCount > 5
    | sort by IPCount desc

Any ideas would be much appreciated. Cheers

query multiple "contains"
Greetings Community, I'm trying to come up with a way to query for multiple computers, but I have different strings to search for. For example:

    Heartbeat
    | where TimeGenerated >= ago(1h)
    | where Computer contains 'ACOMPUTER1'
    | summarize max(TimeGenerated) by Computer

I can run this query but I have to execute it for a different string each time:

    Heartbeat
    | where TimeGenerated >= ago(1h)
    | where Computer contains 'ACOMPUTER1'
    | summarize max(TimeGenerated) by Computer

    Heartbeat
    | where TimeGenerated >= ago(1h)
    | where Computer contains 'SERVERABC'
    | summarize max(TimeGenerated) by Computer

    Heartbeat
    | where TimeGenerated >= ago(1h)
    | where Computer contains 'THISMACHINE_B'
    | summarize max(TimeGenerated) by Computer

Is there a way to go through multiple "contains" or "has" statements in a single query? Was thinking that I'd have to build an array in a function or something... any help is appreciated.

Remove duplicates from query
Hi, hope somebody can help me as I'm a bit stuck in my understanding of the query language. So I'm trying to get some creation events for App Services, though there seem to be multiple entries for the same App. Therefore I'm trying to find a way to remove duplicates on a column but retain the rest of the columns in the output, or a defined set of columns. Though after doing distinct on a specific column only this is retained in the output. This is my query:

    AzureActivity
    | where OperationName == 'Delete website' and ActivityStatus == 'Succeeded' and ResourceProvider == 'Azure Web Sites'

Though this produces two entries for the same deletion, so I tried this:

    AzureActivity
    | where OperationName == 'Delete website' and ActivityStatus == 'Succeeded' and ResourceProvider == 'Azure Web Sites'
    | distinct CorrelationId

Though this only leaves the CorrelationId in the output, but I need the Resource, ResourceID, OperationName also to be shown in the output. Any tips on how to get the syntax correct? Thanks

'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'
I got the error in the title when executing the query below; does anyone know about this?

    let containerNames = Perf
    | where InstanceName like 'shenzhou-tts-829bbd20-3e9e-43a0-a7d7-35252d5ef498'
    | where ObjectName == 'K8SContainer'
    | where CounterName == "memoryRssBytes"
    | distinct InstanceName;
    containerNames
    | join ( Perf ) on InstanceName
    | where CounterName == "memoryRssBytes"
    | extend usage = tolong(CounterValue)
    | summarize max(usage) by InstanceName, Computer
    | extend maxUsageMB = max_usage * 1.0/(1024*1024)
    | summarize sum(maxUsageMB) by Computer, bin(TimeGenerated, 2h)

Help with Disk query in Log Analytics
Hi, I was wondering if I could get some help with Log Analytics. New to this so bear with me. I'm trying to create a query that will provide information on disk utilisation in Azure. I've got two commands (below), however I'm not able to merge them as I would like one query which gives me % free space, overall size of disk, name of VM and name of disk. Anything else I can get in terms of disk usage would be great, not overly concerned with IOPS at the moment. The commands are:

This provides info on free space:

    search ObjectName == "LogicalDisk" and CounterName == "% Free Space"

This one provides information on free MB remaining:

    search ObjectName == "LogicalDisk" and CounterName == "Free Megabytes"

I have tried this which helps, but again the information is quite limited:

    search ObjectName == "LogicalDisk" and CounterName == "Free Megabytes" and TimeGenerated > ago(1d)
    | summarize FreeSpace = min(CounterValue) by Computer, InstanceName
    | where strlen(InstanceName) == 2 and InstanceName contains ":"

Thanks in advance 🙂

Log Analytics Workspace with Multiple subscription
Hi Everyone, Good Day! I have a couple of doubts in Log Analytics; could you please help me to understand!

1. To my understanding we can create a workspace with only one subscription. Which means the Log Analytics will monitor only the resources that are part of that subscription. Am I right?
2. If I have multiple workspaces for multiple subscriptions, then is it possible to bring all of them under one Dashboard?

Thanks in advance