Resources
| where type has "microsoft.compute/disks"
| extend diskState = tostring(properties.diskState)
| where managedBy == ""
or diskState == 'Attached'
or diskState == 'Unattached'
| project name, diskState,managedBy,resourceGroup, location, subscriptionId, properties.diskSizeGB, properties.timeCreated
How do I convert this KQL query into an az graph query command?
I'm from the Microsoft for Founders Hub team. I was able to run this and it worked as intended:
az graph query -q
"Resources
| where type has 'microsoft.compute/disks'
| extend diskState = tostring(properties.diskState)
| where managedBy == ''
or diskState == 'Attached'
or diskState == 'Unattached'
| project name, diskState,managedBy,resourceGroup, location, subscriptionId, properties.diskSizeGB, properties.timeCreated"
Upon reviewing the code block you submitted:
az graph query -q “
Resources
| where type =~ ‘microsoft.compute/disks’
| extend diskState = tostring(properties.diskState)
| where managedBy == "" or diskState == 'Attached' or diskState == 'Unattached'
| project name, diskState,managedBy,resourceGroup, location, subscriptionId, diskSize=properties.diskSizeGB, timeCreation=properties.timeCreated
”
--query ‘
data[].{Disk_Name:name, Disk_State:diskState, Managed_By:managedBy, Resource_Group:resourceGroup, Location:location, Subscription_Id:subscriptionId, Disk_Size:diskSize, Time_of_Creation:timeCreation}
’
-o tsv
I noticed you have two "query" parameters and you have double quotes within your query. Please convert the double quotes to single quotes and only use one query parameter.
Please review this for more information: https://learn.microsoft.com/en-us/azure/governance/resource-graph/concepts/explore-resources
Related
I want to list all Virtual Machine names that contain a private IP address under a specific subnet (e.g., named "sub-a"). How do I do that?
I was hoping that this query in Azure Resource Graph Explorer would at least print all non-empty private IP addresses:
Resources
| where type =~ 'microsoft.compute/virtualmachines' and isnotempty(properties.privateIPAddress)
You need to look at the Network Interfaces and expand the properties to pull the Private IP address. Something like this should do the trick. I modified one of our examples to pull private IP instead of public IP.
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| extend nics=array_length(properties.networkProfile.networkInterfaces)
| mv-expand nic=properties.networkProfile.networkInterfaces
| where nics == 1 or nic.properties.primary =~ 'true' or isempty(nic)
| project vmId = id, vmName = name, vmSize=tostring(properties.hardwareProfile.vmSize), nicId = tostring(nic.id)
| join kind=leftouter (
Resources
| where type =~ 'microsoft.network/networkinterfaces'
| extend ipConfigsCount=array_length(properties.ipConfigurations)
| extend subnet = tostring(properties.ipConfigurations[0].properties.subnet)
| mv-expand ipconfig=properties.ipConfigurations
| where ipConfigsCount == 1 or ipconfig.properties.primary =~ 'true'
| project nicId = id, subnet, privateIp = tostring(ipconfig.properties.privateIPAddress))
on nicId
| order by subnet asc
I'm running Cilium inside an Azure Kubernetes Cluster and want to parse the cilium log messages in the Azure Log Analytics. The log messages have a format like
key1=value1 key2=value2 key3="if the value contains spaces, it's wrapped in quotation marks"
For example:
level=info msg="Identity of endpoint changed" containerID=a4566a3e5f datapathPolicyRevision=0
I couldn't find a matching parse_xxx method in the docs (e.g. https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/parsecsvfunction ). Is there a possibility to write a custom function to parse this kind of log messages?
Not a fun format to parse... But this should work:
let LogLine = "level=info msg=\"Identity of endpoint changed\" containerID=a4566a3e5f datapathPolicyRevision=0";
print LogLine
| extend KeyValuePairs = array_concat(
extract_all("([a-zA-Z_]+)=([a-zA-Z0-9_]+)", LogLine),
extract_all("([a-zA-Z_]+)=\"([a-zA-Z0-9_ ]+)\"", LogLine))
| mv-apply KeyValuePairs on
(
extend p = pack(tostring(KeyValuePairs[0]), tostring(KeyValuePairs[1]))
| summarize dict=make_bag(p)
)
The output will be:
| print_0 | dict |
|--------------------|-----------------------------------------|
| level=info msg=... | { |
| | "level": "info", |
| | "containerID": "a4566a3e5f", |
| | "datapathPolicyRevision": "0", |
| | "msg": "Identity of endpoint changed" |
| | } |
|--------------------|-----------------------------------------|
With the help of Slavik N, I came up with a query that works for me:
let containerIds = KubePodInventory
| where Namespace startswith "cilium"
| distinct ContainerID
| summarize make_set(ContainerID);
ContainerLog
| where ContainerID in (containerIds)
| extend KeyValuePairs = array_concat(
extract_all("([a-zA-Z0-9_-]+)=([^ \"]+)", LogEntry),
extract_all("([a-zA-Z0-9_]+)=\"([^\"]+)\"", LogEntry))
| mv-apply KeyValuePairs on
(
extend p = pack(tostring(KeyValuePairs[0]), tostring(KeyValuePairs[1]))
| summarize JSONKeyValuePairs=parse_json(make_bag(p))
)
| project TimeGenerated, Level=JSONKeyValuePairs.level, Message=JSONKeyValuePairs.msg, PodName=JSONKeyValuePairs.k8sPodName, Reason=JSONKeyValuePairs.reason, Controller=JSONKeyValuePairs.controller, ContainerID=JSONKeyValuePairs.containerID, Labels=JSONKeyValuePairs.labels, Raw=LogEntry
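An added example, not taken from either answer above: the two-pattern approach runs the unquoted pattern over the whole line, so key=value text inside a quoted message can surface as a field of its own. This variant uses a single pattern that consumes quoted values first. The sample rows are constructed, and the column name LogEntry is assumed to match the ContainerLog query above.

```kusto
// Constructed sample rows; LogEntry mirrors the ContainerLog column used above.
let SampleLogs = datatable(LogEntry: string) [
    @'level=info msg="Identity of endpoint changed" containerID=a4566a3e5f datapathPolicyRevision=0',
    @'level=warning msg="Policy verdict=denied for endpoint" k8sPodName=default/web-0 reason=""',
    @'level=error msg="Lookup of \"kube-dns\" failed" subsys=fqdn'
];
SampleLogs
// One pattern, three capture groups: key, quoted value, bare value.
// The quoted alternative is tried first, so a key=value look-alike inside a
// quoted message (verdict=denied above) is consumed as part of msg and never
// becomes a field of its own. Backslash-escaped quotes stay inside the value.
| extend Pairs = extract_all(@'([\w.-]+)=(?:"((?:[^"\\]|\\.)*)"|([^\s"]*))', LogEntry)
| mv-apply Pairs on (
    extend Key = tostring(Pairs[0]),
           Quoted = tostring(Pairs[1]),
           Bare = tostring(Pairs[2])
    // At most one of Quoted/Bare is populated per match; both are empty for reason="".
    | extend Value = iff(isnotempty(Quoted), Quoted, Bare)
    | summarize Fields = make_bag(pack(Key, Value))
)
| project Level = tostring(Fields.level), Message = tostring(Fields.msg), Fields
```

To run it against real data, replace SampleLogs with the filtered ContainerLog rows from the query above.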
Hi, I'm trying to get to a log event by nesting a query in the "where" of another query. Is this possible?
AzureDiagnostics
| where resource_workflowName_s == "[Workflow Name]"
| where resource_runId_s == (AzureDiagnostics | where trackedProperties_PayloadID_g == "[GUID]" | distinct resource_runId_s)
Try:
AzureDiagnostics
| where resource_workflowName_s == "[Workflow Name]"
| where resource_runId_s in (
toscalar(AzureDiagnostics
| where trackedProperties_PayloadID_g == "[GUID]"
| distinct resource_runId_s))
I was wondering if I could get some help with Log analytics. New to this so bear with me.
I'm trying to create a query that will provide information on disk utilisation in Azure. I've got two commands (below), however I'm not able to merge them as I would like one query which gives me % free space, overall size of disk, name of vm and name of disk. Anything else I can get in terms of disk usage would be great, not overly concerned with IOPs at the moment.
The commands are:
This command below provides info on free space:
search ObjectName == "LogicalDisk" and CounterName == "% Free Space"
This command below provides information on free Mb remaining.
search ObjectName == "LogicalDisk" and CounterName == "Free Megabytes"
I have tried this, which helps, but again the information is quite limited:
search ObjectName == "LogicalDisk" and CounterName == "Free Megabytes" and TimeGenerated > ago(1d)
| summarize FreeSpace = min(CounterValue) by Computer, InstanceName
| where strlen(InstanceName) ==2 and InstanceName contains ":"
Thanks in advance :)
You can use the below script to query the Azure log database:
// % Disk free space
Perf | where ObjectName == "LogicalDisk" and CounterName == "% Free Space" and InstanceName != "_Total"
| summarize CounterValue = min(CounterValue) by Computer, InstanceName, CounterName
| order by CounterValue asc nulls first
To limit output to disks with less than 20% free space just add an extra condition:
| where CounterValue < 20
You could use the following command:
Perf | where (ObjectName == "LogicalDisk" and CounterName == "Free Megabytes") | summarize arg_max(TimeGenerated, *) by Computer | sort by TimeGenerated desc
For more information about this, you could check this link.
If I type out my PowerShell Select-Object expression like below:
$csvdata | Select-Object @{expression={$_.1}; label='first'}
I receive desired output:
first
-
mike
john
But if I store the expression as a string first and then call that string as the expression to select-object:
$tstexp = "@{expression={`$_.1}; label='first'}"
$csvdata | Select-Object $tstexp
The output doesn't evaluate correctly and is used instead as the object name.
@{expression={$_.1}; label='first'}
-------------------------------
Is it possible to pass select-object an expression list as a string?
You can pass it as a [Hashtable]:
$tstexp = @{expression={$_.1}; label='first'}
$csvdata | Select-Object $tstexp
(just remove the quotes).
If it must be a string (I can only imagine that you are reading/generating it from outside your script), then you could evaluate it as a script block:
# Create the string
$tstexp = "@{expression={`$_.1}; label='first'}"
# Convert to script block
$tstblock = [scriptblock]::Create($tstexp)
# Execute script block
$tstval = & $tstblock
# $tstval now contains the hashtable
$csvdata | Select-Object $tstval
Edit
If you must use a string, it's easier to use Invoke-Expression as Jeroen Mostert's answer explains (but of course, avoid the string if possible).
You're looking for Invoke-Expression:
$csvdata | select-object (Invoke-Expression $tstexp)