Latest Discussions
MetricsQueryClient returning different results based on timespan
I'm using the Python MetricsQueryClient to list out how many tokens were used on certain days via the APIM policy "azure-openai-emit-token-metric". The problem is that when I call the query_resource() function with "timespan" set for the entire month of October, I get different results for token count usage for today's date than when I set the "timespan" to just the last 48 hours. For example, when setting the timespan to be from 10/20/2024 to 10/22/2024, I see 34 prompt tokens for today's date. But if I set the timespan to be 10/1/24 to 11/1/24, I see 0 prompt tokens for today's date. Is this a known issue? Is it documented somewhere?

BenjaminN700 | Dec 14, 2025 | Copper Contributor | 125 Views | 0 likes | 1 Comment

"gettype()" function in KQL - "double" result
"double" is supposedly not a datatype in Kusto (Copilot says it is a synonym for "real"), but the gettype function will return it as a value...

    gettype(123.45) -> "real"
    gettype(cm.total) -> "double"

(where cm was a container of measurements used to contain a number of C# double values)

MS should either return "real" or mention "real" in the gettype documentation so programmers writing switch statements will realize that "double" is a possible value that should be handled.

Jens_Fiederer | Aug 27, 2025 | Copper Contributor | 368 Views | 0 likes | 2 Comments

Dependency Agent Alternatives
Hello. The retirement notice for the Azure Dependency Agent (https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-maps-retirement) recommends selecting an Azure Marketplace product as a replacement but is not specific about what product(s) offer similar functionality. Would appreciate more specific guidance and experiences from the wider community. Thanks.

Cory_Matieyshen | Jul 31, 2025 | Copper Contributor | 164 Views | 0 likes | 1 Comment

Recent Logic Apps Failures with Defender ATP Steps – "TimeGenerated" No Longer Recognized
Hi everyone, I’ve recently encountered an issue with Logic Apps failing on Defender ATP steps. Requests containing the TimeGenerated parameter no longer work—the column seems to be unrecognized. My code hasn’t changed at all, and the same queries run successfully in Defender 365’s Advanced Hunting. For example, this basic KQL query:

    DeviceLogonEvents
    | where TimeGenerated >= ago(30d)
    | where LogonType != "Local"
    | where DeviceName !contains ".fr"
    | where DeviceName !contains "shared-"
    | where DeviceName !contains "gdc-"
    | where DeviceName !contains "mon-"
    | distinct DeviceName

Now throws the error:

    Failed to resolve column or scalar expression named 'TimeGenerated'. Fix semantic errors in your query.

Removing TimeGenerated makes the query work again, but this isn’t a viable solution. Notably, the identical query still functions in Defender 365’s Advanced Hunting UI. This issue started affecting a Logic App that runs weekly—it worked on May 11th but failed on May 18th.

Questions:
- Has there been a recent schema change or deprecation of TimeGenerated in Defender ATP's KQL for Logic Apps?
- Is there an alternative column or syntax we should use now?
- Are others experiencing this?

Any insights or workarounds would be greatly appreciated!

236 Views | 1 like | 3 Comments

Azure Monitoring Agent Extension - no update
Hello, I am using Azure Arc along with the AzureMonitorLinuxAgent and AzureMonitorWindowsAgent extensions. However, I've encountered multiple instances where the version listed in the changelog for the Azure Monitor Agent extension (https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-extension-versions) is newer than the version I can see in the portal. Also with Azure CLI or PowerShell, the newest version is missing; I only see the previous one. Has anyone else experienced this issue? Last time they had to redeploy something in westeurope. But I guess this is no coincidence. Thanks if somebody can share their experience or can help...

C02_PS | May 26, 2025 | Copper Contributor | 505 Views | 0 likes | 1 Comment

AKS Pod resource utilization (CPU/Memory) alert
Hi All, I am trying to set up an alert for AKS pod CPU/Memory utilization when max utilization hits a certain threshold (let's say >95%). Sample query for CPU utilization:

    let cpuusage = materialize(Perf
        | where ObjectName == 'K8SContainer'
        | where CounterName has 'cpuUsageNanoCores'
        | extend ContainerNameParts = split(InstanceName, '/')
        | extend ContainerNamePartCount = array_length(ContainerNameParts)
        | extend PodUIDIndex = ContainerNamePartCount - 2, ContainerNameIndex = ContainerNamePartCount - 1
        | extend ContainerName = strcat(ContainerNameParts[PodUIDIndex], '/', ContainerNameParts[ContainerNameIndex])
        | summarize AggregatedValue=max(CounterValue) by bin(TimeGenerated, 15m), ContainerName
        | project TimeGenerated, ContainerName, AggregatedValue
        | join kind = inner (
            KubePodInventory
            | summarize arg_max(TimeGenerated, *) by ContainerName
            | project Name, ContainerName, Namespace, ServiceName
            ) on ContainerName
        | project TimeGenerated, Name, ServiceName, ContainerName, Namespace, CPU_mCores_Usage=AggregatedValue / 1000000);
    let cpurequest=materialize(Perf
        | where ObjectName == 'K8SContainer'
        | where CounterName == 'cpuRequestNanoCores'
        | extend ContainerNameParts = split(InstanceName, '/')
        | extend ContainerNamePartCount = array_length(ContainerNameParts)
        | extend PodUIDIndex = ContainerNamePartCount - 2, ContainerNameIndex = ContainerNamePartCount - 1
        | extend ContainerName = strcat(ContainerNameParts[PodUIDIndex], '/', ContainerNameParts[ContainerNameIndex])
        | project ContainerName, CounterValue
        | join kind = inner (KubePodInventory
            //| summarize arg_max(TimeGenerated, 24h) by ContainerName, Name, Namespace
            | project Name, ContainerName, Namespace
            ) on ContainerName
        | project Name, Namespace, ContainerName, CpuReq_in_mcores=(CounterValue / 1000000));
    let cpulimits = materialize(Perf
        | where ObjectName == 'K8SContainer'
        | where CounterName == 'cpuLimitNanoCores'
        | extend ContainerNameParts = split(InstanceName, '/')
        | extend ContainerNamePartCount = array_length(ContainerNameParts)
        | extend PodUIDIndex = ContainerNamePartCount - 2, ContainerNameIndex = ContainerNamePartCount - 1
        | extend ContainerName = strcat(ContainerNameParts[PodUIDIndex], '/', ContainerNameParts[ContainerNameIndex])
        | extend CpuNanoCoreLimit= CounterValue
        | project ContainerName, CpuNanoCoreLimit
        | join kind = inner (
            KubePodInventory
            | summarize arg_max(TimeGenerated, *) by ContainerName
            | project Name, ContainerName, Namespace, ServiceName
            ) on ContainerName
        | project Name, ServiceName, Namespace, ContainerName, CPU_mCores_Limit=CpuNanoCoreLimit / 1000000);
    cpulimits
    | join cpurequest on ContainerName
    | join cpuusage on ContainerName
    | order by Namespace asc, ContainerName asc
    | extend CName = split(ContainerName, '/')
    | extend PodName= Name
    | extend Cpu_Perct_utilization=round((CPU_mCores_Usage / CPU_mCores_Limit) * 100, 2)
    | project TimeGenerated, Namespace, ServiceName, PodName, CPU_mCores_Usage, CPU_mCores_Limit, CpuReq_in_mcores, Cpu_Perct_utilization
    | sort by TimeGenerated desc

But just wanted to modify the query a little bit, wanted to get an alert only when utilization hits maximum continuously 3 times within 30 minutes (by keeping frequency of evaluation 10 min). Please advise.

Ashok42470 | May 19, 2025 | Copper Contributor | 203 Views | 0 likes | 3 Comments

Azure SQL Database - Diagnostic Settings - Possible Bug
Hi, so when configuring the Diagnostic Settings for an Azure SQL database, if we select "all logs", 2 new options for diagnostic settings pop up. In the following image, first, you see without checking the "all Logs" checkbox on the left, in the middle of the image, you can see the 2 new logs showing, and on the right, you can see that it doesn't appear on the supposed logs available. I'm pretty sure this is a bug, can someone confirm this behavior? Thanks in advance, best regards.

loadedlouie270 | May 19, 2025 | Copper Contributor | 1.3K Views | 0 likes | 1 Comment

Sentinel Incident Priority Mapping to SIR
Hi, we are working on implementing the SIR module within our ServiceNow platform. We have 5 levels of priority within SIR (Critical, High, moderate, low, Planning) whereas Sentinel has only 4 priorities (informational, Low, Medium, High). Interested to know how other organizations have handled and mapped these priorities. Thanks in advance.

AmiShinu | Apr 23, 2025 | Copper Contributor | 249 Views | 0 likes | 2 Comments

Getting empty response while running a kql query using rest api
Hello All, Trying to run a KQL query using power via REST API by passing Azure Entra app id and secret key. But we are getting an empty response. Log Analytics Reader role is assigned on the LA workspace and we are able to retrieve an access token. When we try to run the KQL query manually, we are seeing results. Below is the sample snippet that I used. Not sure what is wrong with it? Any help would be highly appreciated.

    $tenantId = "<Tenant id>"
    $clientId = "<azure entra application app id>"
    $clientSecret = "<app secret key>"

    # Log Analytics Workspace details
    $workspaceId = "<workspace ID>"

    # Acquire a token
    $body = @{
        client_id     = $clientId
        scope         = "https://api.loganalytics.io/.default"
        client_secret = $clientSecret
        grant_type    = "client_credentials"
    }
    $query = "AppRequests | limit 10"
    $uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
    $response = Invoke-RestMethod -Uri $uri -Method Post -ContentType "application/x-www-form-urlencoded" -Body $body
    $accessToken = $response.access_token

    # Define the Log Analytics REST API endpoint
    $baseUri = "https://api.loganalytics.io/v1/workspaces/$workspaceId/query"

    # Set headers for the query
    $headers = @{
        Authorization  = "Bearer $accessToken"
        "Content-Type" = "application/json"
    }

    # Prepare the request body
    $requestbody = @{ query = $query } | ConvertTo-Json

    # Send the request
    $response = Invoke-RestMethod -Uri $baseUri -Method Post -Headers $headers -Body $requestbody -Debug

    # Display the results
    $response

Ashok42470 | Mar 08, 2025 | Copper Contributor | 190 Views | 0 likes | 1 Comment