I'm using azure resource graph to create dashboard and need the VM last reboot or Power-Off date.
Need your helps please.
Thank you
I tried to reproduce the same in my environment:
Graph query:
Resources
| where type == 'microsoft.compute/virtualmachines'
| summarize count() by PowerState = tostring(properties.extended.instanceView.powerState.code)
Checked the powerstate :
Tried below query :
resources
| where type has 'microsoft.compute/virtualmachines/extensions'
| where name has 'MicrosoftMonitoringAgent' or name has 'AzureMonitorWindowsAgent'
| extend AzureVM = extract('virtualMachines/(.*)/extensions',1,id), ArcVM = extract('machines/(.*)/extensions',1,id)
|summarize count() by name=tolower(AzureVM), ArcVM=tolower(ArcVM), subscriptionId, resourceGroup, AgentType=name
| extend hasBoth = iff(count_ > 0, 'Yes', 'No')
| join
(
resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| project name, properties.extended.instanceView.powerState.displayStatus,
properties.extended.instanceView.powerState.code,
created_ = properties.timeCreated
| order by name desc
) on name
where i got created time of azure vm running and deallocation time.
If you want the alert when the vm stpped you can check this : azureportal - Azure alert to notify when a vm is stopped - Stack Overflow
Reference: resource-graph-samples | Microsoft Learn
Related
I'm trying to get a query to check the VM Agent status in Azure. Currently I'm using RestAPI, but I need one call to the API for each machine, and I want to do it with Azure Graph to list all the VMs with the Azure Agent status in a single request.
This is the query in Azure Graph
Resources
| where type in~ ("microsoft.compute/virtualmachines","microsoft.classiccompute/virtualmachines")
But under properties the STATUS of the agent is not available. Any ideas?
I tried listing the extensions but it is also not helping, with this query:
Resources
| where type == 'microsoft.compute/virtualmachines'
| extend
JoinID = toupper(id),
OSName = tostring(properties.osProfile.computerName),
OSType = tostring(properties.storageProfile.osDisk.osType),
VMSize = tostring(properties.hardwareProfile.vmSize)
| join kind=leftouter(
Resources
| where type == 'microsoft.compute/virtualmachines/extensions'
| extend
VMId = toupper(substring(id, 0, indexof(id, '/extensions'))),
ExtensionName = name
) on $left.JoinID == $right.VMId
| summarize Extensions = make_list(ExtensionName) by id, OSName, OSType, VMSize
| order by tolower(OSName) asc
I can only see the extensions but I need the Azure Agent STATUS.
After trying many approaches, Agent Status cannot be retrieved directly from the VM properties but ProvisioningState as well as powerstate can be retrieved.
This ProvisionVMAgent property is there for marketplace images that have the agent installed on creation as mentioned here.
To identify the exact health check of the VM, we can use the "ProvisioningState" attribute rather than the "Agent status".
I've done these changes to your code:
Resources
| where type == 'microsoft.compute/virtualmachines'
| extend
JoinID = toupper(id),
OSName = tostring(properties.osProfile.computerName),
OSType = tostring(properties.storageProfile.osDisk.osType),
VMSize = tostring(properties.hardwareProfile.vmSize),
powerState = tostring(properties.extended.instanceView.powerState.displayStatus),
ProvisioningState = tostring(properties.provisioningState)
| join kind=leftouter(
Resources
| where type == 'microsoft.compute/virtualmachines/extensions'
| extend
VMId = toupper(substring(id, 0, indexof(id, '/extensions'))),
ExtensionName = name
) on $left.JoinID == $right.VMId
| summarize Extensions = make_list(ExtensionName) by id, OSName, OSType, VMSize, powerState, ProvisioningState
| order by tolower(OSName) asc
Output:
Note: All statuses of VM's can be received by calling PowerShell command Get-AzVM -status
Reference: AzureVMAgent, Finding VM Agent-Powershell
given by #rakhesh sasidharan
I am very new with the sintaxis of Kusto query. My goal is to create a kusto query to retreive which Logic App has a system error and in which action the error was located. Additionally, I would like to know which connector, this failed action belongs. For example, If the action "Move Email" failed I would like to have the connector name, in this case, Office 365 Outlook or something similar in order to classify the action.
My query to achieve this goal was based on the Table "AzureDiagnostics":
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.LOGIC"
| where Category == "WorkflowRuntime"
| where status_s == "Failed"
| where code_s !has 'ActionFailed'
| where OperationName has "workflowActionCompleted" or OperationName has "workflowTriggerCompleted"
| extend ResourceName = coalesce(resource_actionName_s, resource_triggerName_s)
| extend ResourceCategory = substring(OperationName, 34, strlen(OperationName) - 43)
| project
LogicAppName = resource_workflowName_s,
ResourceCategory,
ResourceName,
LogicAppId = resource_runId_s,
ErrorCode = code_s,
ErrorMessage = error_message_s,
ErrorTime = format_datetime(startTime_t,'dd.MM.yyyy')
The connector name will give me the possibility to classify the failed logic apps and this way I can create a report to show which type of connector we are having issues.
Thanks in advance for your help or another workarround to classify the failed logic apps.
After reproducing from our end, One of the workarounds is that we can fetch the action name of the failed step along with the status using the below query.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.LOGIC"
| where Category == "WorkflowRuntime"
| where status_s == "Failed"
| extend Status = code_s
| project
LogicAppName = resource_workflowName_s,
ResourceRunID = resource_runId_s,
Operation = OperationName,
ActionName = coalesce(resource_actionName_s, resource_triggerName_s),
Status
RESULTS:
Updated Answer
There is no direct way to get the connector's name. One of the workarounds would be using tracked properties to save the connector name and retrieve it through logs. Not a perfect way but this is one of the workarounds that achieves the requirement.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.LOGIC"
| where OperationName == "Microsoft.Logic/workflows/workflowActionCompleted"
| where status_s == "Failed"
| extend Status = code_s
| project
LogicAppName = resource_workflowName_s,
ResourceRunID = resource_runId_s,
Operation = OperationName,
ActionName = coalesce(resource_actionName_s, resource_triggerName_s),
Status,
ConnectorName = trackedProperties_ConnectorName_s
Below is the flow in my logic app
Failed Run
In logs
I have this query that works in Azure logs when i set the scope to the specific application insights I want to use
let usg_events = dynamic(["*"]);
let mainTable = union pageViews, customEvents, requests
| where timestamp > ago(1d)
| where isempty(operation_SyntheticSource)
| extend name =replace("\n", "", name)
| where '*' in (usg_events) or name in (usg_events)
;
let queryTable = mainTable;
let cohortedTable = queryTable
| extend dimension =tostring(client_CountryOrRegion)
| extend dimension = iif(isempty(dimension), "<undefined>", dimension)
| summarize hll = hll(user_Id) by tostring(dimension)
| extend Users = dcount_hll(hll)
| order by Users desc
| serialize rank = row_number()
| extend dimension = iff(rank > 5, 'Other', dimension)
| summarize merged = hll_merge(hll) by tostring(dimension)
| project ["Country or region"] = dimension, Counts = dcount_hll(merged);
cohortedTable
but trying to use the same in grafana just gives an error.
"'union' operator: Failed to resolve table expression named 'pageViews'"
Which is the same i get in azure logs if i dont set the scope to the specific application insights resource. So my question is. how do i make it so grafana targets this specific scope inside the logs? The query jsut gets the countries of the users that log in
As far as I know, Currently, there is no option/feature to add Scope in Grafana.
The Scope is available only in the Azure Log Analytics Workspace.
If you want the Feature/Resolution, please raise a ticket in Grafana Community where all the issues are officially addressed.
I have a issue. I want to know how can I join two columns in one.
I want to join the "OS" and "sku" columns in one with the name "OS"
This is my KQL:
Kusto Query on Azure Resource Graph
Resources
| where type == "microsoft.compute/virtualmachines"
| extend OS = properties.storageProfile.imageReference.offer
| extend sku = properties.storageProfile.imageReference.sku
| project OS, sku, name, nic = (properties.networkProfile.networkInterfaces)
| mvexpand nic
| project OS, sku, name, nic_id = tostring(nic.id)
| join (
Resources
| where type == "microsoft.network/networkinterfaces"
| project nic_id = tostring(id), properties) on nic_id
| mvexpand ipconfig = (properties.ipConfigurations)
| extend subnet_resource_id = split(tostring(ipconfig.properties.subnet.id), '/'), ipAddress = ipconfig.properties.privateIPAddress
| order by name desc
| project vmName=(name), OS, sku, vnetName=subnet_resource_id[8], subnetName=subnet_resource_id[10], ipAddress
This is my result:
I need like this:
Can anyone help me, thanks so much.
I've tried to use the "union" operator, but I can't make it work.
I have used these reference link:
Azure Docs Link 1
Azure Docs Link 2
Azure Docs Link 3
If you want to combine two strings - you can use strcat() function:
Resources
| where type == "microsoft.compute/virtualmachines"
| extend OS = properties.storageProfile.imageReference.offer
| extend sku = properties.storageProfile.imageReference.sku
| project OS, sku, name, nic = (properties.networkProfile.networkInterfaces)
| mvexpand nic
| project OS, sku, name, nic_id = tostring(nic.id)
| join (
Resources
| where type == "microsoft.network/networkinterfaces"
| project nic_id = tostring(id), properties) on nic_id
| mvexpand ipconfig = (properties.ipConfigurations)
| extend subnet_resource_id = split(tostring(ipconfig.properties.subnet.id), '/'), ipAddress = ipconfig.properties.privateIPAddress
| order by name desc
| project vmName=(name), OS = strcat(OS, ' ', sku), vnetName=subnet_resource_id[8], subnetName=subnet_resource_id[10], ipAddress
We are showing SLA charts for URLs, VPN and VMs for that if there is any planned scheduled maintenance we want to exclude that timings in KQL SLA charts as its known downtime.
We are disabling Alerts via powershell during this time we are passing below columns to Loganalytics custom table.
"resourcename": "$resourcename",
"Alertstate": "Enabled",
"Scheduledmaintenance" : "stop",
"Environment" : "UAT",
"timestamp": "$TimeStampField",
Now we want to use join condition SLA charts queries with custom table data and exclude the time range in SLA charts during scheduled maintenance.
Adding query as per request
---------------------------
url_json_CL
| where Uri_s contains "xxxx"
| extend Availablity = iff(StatusCode_d ==200,1.000,0.000)
| extend urlhit = 1.000
| summarize PassCount = sum(Availablity), TestCount = sum(urlhit) by Uri_s ,ClientName_s
| extend AVLPERCENTAGE = ((PassCount / TestCount ) * 100)
| join kind=leftouter
( scheduledmaintenance2_CL
| where ResourceName_s == "VMname"
| where ScheduledMaintenance_s == "start"
| extend starttime = timestamp_t)
on ClientName_s
| join kind= leftouter
(scheduledmaintenance2_CL
| where ResourceName_s == "VMname"
| where ScheduledMaintenance_s == "stop"
| extend stoptime = timestamp_t )
on ClientName_s
| extend excludedtime=stoptime - starttime
| project ClientName_s, ResourceName_s, excludedtime, AVLPERCENTAGE , Uri_s
| top 3 by ClientName_s desc
You can perform cross-resource log queries in Azure Monitor
Using Application Insights explorer we can query Log analytics workspace custom tables as well.
workspace("/subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/resourcegroups/rgname/providers/Microsoft.OperationalInsights/workspaces/workspacename").Event | count
Using Log Analytics logs explorer you can query the Application Insights Availability Results
app("applicationinsightsinstancename").availabilityResults
You can use any of the above options to query the required tables and join the tables. Please refer to this documentation on joins.
Additional documentation reference.
Hope this helps.