We want to see activity logs initiated by all the users from the organization (like users#mycompany.com). We don't want to see the activity initiated by the platform (by Azure Policy, by backup management, etc.).
On the Azure portal, there are only two options: either select 'All' or type a single user's name. I tried '*#mycompany.com' but it didn't work. Is there any way to get this?
thanks
Updated:
In Azure Monitor -> Logs, you can write the query like below:
AzureActivity
| where Caller contains "#mycompany.com"
Add a screenshot for this:
Original answer:
A simple way is that just type the #mycompany.com in the search box. The screenshot is as below:
Another, more advanced method is to navigate to Azure Monitor -> Logs and use a Kusto query. You can then query whatever you like as per the condition, for example with this where clause: EventInitiatedBy contains "#mycompany.com".
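An added example (not part of the original answer) that extends the Caller filter above into a per-user summary. It assumes human callers are logged as UPNs ending in @mycompany.com, a placeholder domain, while platform and service-principal callers carry no such suffix:

```kusto
// Added example, not from the original answer.
// Assumption: users appear in Caller as UPNs (name@mycompany.com, placeholder
// domain); Azure Policy, backup and other platform callers do not.
let userDomain = "@mycompany.com";
AzureActivity
| where TimeGenerated > ago(7d)
| where Caller endswith userDomain            // case-insensitive suffix match
| summarize Operations = count(),
            // status spelling differs between schema versions, so accept both
            Failures   = countif(ActivityStatusValue in~ ("Failure", "Failed")),
            SourceIPs  = make_set(CallerIpAddress, 10),
            LastSeen   = max(TimeGenerated)
          by Caller, OperationNameValue
| order by LastSeen desc
```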
Related
What are the ways to find a log that we have generated using azure function or trigger in azure portal
Thanks in Advance, any help will be appreciated
One approach is to use a Kusto query. You can find a log that was generated by an Azure Function in the portal by following the steps below:
Go to the Azure Portal => select your function app => select Logs from the left side pane => then write your Kusto query
Example query:
traces
| where message contains "starting"
Output:
I am trying to bring Azure Synapse logs into Log Analytics to create dashboards on usage level.
I have already set up diagnostic settings to pass the logs on to my Log Analytics workspace.
But while trying to execute queries from the documentation below, I am getting an error saying -
Query -
// Chart the most active resource classes
AzureDiagnostics
| where Category contains "ExecRequests"
| where Status_s == "Completed"
| summarize totalQueries = dcount(RequestId_s) by ResourceClass_s
| render barchart
Error:
'where' operator: Failed to resolve column or scalar expression named 'Status_s'...
Documentation link for queries : https://learn.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-monitor-workload-portal
Please let me know if there is something I am missing. I am directly logging to the Log Analytics workspace and running these queries inside a workbook...
Also, I didn't find any proper documentation/blogs/links for connecting Synapse to Log Analytics, please let me know if anyone has that.
The documentation linked in your post appears to be out of date even though the last update date is recent.
See this link:
Azure services that use resource-specific mode store data in a table specific to that service and do not use the AzureDiagnostics table.
The link also lists a number of resource-specific tables for Synapse. "SynapseSqlPoolExecRequests" and "SynapseSqlPoolSqlRequests" are a few examples that might provide the info you're seeking.
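An added example (not from the original answer or the linked documentation) of the same chart written so that it runs whichever mode the diagnostic setting uses. It assumes the resource-specific table exposes Status, RequestId and ResourceClass without the _s suffix; run SynapseSqlPoolExecRequests | getschema to confirm in your workspace:

```kusto
// Added example. union isfuzzy=true skips a leg whose table is missing, and
// column_ifexists() avoids "Failed to resolve column" on the legacy leg.
// Assumption: resource-specific columns are Status, RequestId, ResourceClass.
union isfuzzy=true
    (AzureDiagnostics
     | where Category contains "ExecRequests"
     | project TimeGenerated,
               RequestId     = column_ifexists("RequestId_s", ""),
               Status        = column_ifexists("Status_s", ""),
               ResourceClass = column_ifexists("ResourceClass_s", "")),
    (SynapseSqlPoolExecRequests
     | project TimeGenerated, RequestId, Status, ResourceClass)
| where Status == "Completed"
| summarize totalQueries = dcount(RequestId) by ResourceClass
| render barchart
```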
I would like to have the user select the log analytics workspace as a parameter in an Azure Monitor notebook to perform a query, similar to what is explained in the parameter documentation. However, I can't resolve the log analytics workspace using a variable.
What I would like to do is something like:
let event_table = workspace({parameter}).Event;
event_table
| take 5
The following query using a string literal is successful in both an azure monitor notebook and in a log query:
let event_table = workspace("name_of_work_space").Event;
event_table
| take 5
The following fails with the error "Unknown function 'workspace'." in both an Azure Monitor notebook and a log query:
let logAnalyticsWorkspaceName = "name_of_work_space";
let event_table = workspace(logAnalyticsWorkspaceName).Event;
event_table
| take 5
It seems that only string literals are allowed as arguments to the workspace() function.
Additionally, iff() and case() functions only return scalars, so I cannot use iff() and case() to conditionally return a table or workspace based on an Azure Notebook parameter.
How do I supply a parameter to an Azure Monitor Notebook to query against a particular log analytics workspace?
Dynamically setting the workspace can be accomplished using a parameter. Create a parameter for Workspaces where the parameter type is Resource picker (from Azure Resource Graph). That parameter will then appear as an option in the Log Analytics drop-down for downstream controls. A demonstration appears in the video "How to build tabs and alerts in Azure workbooks | Azure Portal" at 5:00.
I would like to set up an Azure alert for when someone on our team sets up an Azure database. Once alerted, I want to have an additional alert created if that resource is running for more than a certain amount of time.
My solution is to create an Alert Rule on the storage account and have it send an email. Where I'm running into trouble is how to monitor the database, since it just got created and I don't know the name yet for the second Alert rule that will monitor its uptime.
Is there some programmatic way to determine the database resource name?
If you don't want to invest time in a programmatic way, there is an option to configure an alert at the Resource Group level based on resource type. Configure the alert rule as follows:
Scope - Select the right subscription, filter by resource type like SqlDatabase and, if required, filter by location
Condition - In Select condition, in the Signal type drop-down select "Create/Update Azure Sql Database", and in the alert logic you can provide additional filtering logic
Choose an existing Action group or create a new one based on your requirement
Add "Alert rule details" like rule name, description, etc.
Finally, create the alert rule
Once the alert rule is created, you will be notified whenever a new Azure SqlDatabase is created, based on the alert configured.
According to the official doc, you can use Event Grid to notify Azure Automation when a SQL database is created.
https://learn.microsoft.com/en-au/azure/event-grid/overview#ops-automation
Once you subscribe, you can use Logic Apps to send you an email for example.
About the second part, you'll need to query the metrics and figure out if it's running (is performing compute) or not.
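An added example (not from either answer) of a Log Analytics query that recovers the database name from the activity log, which could back a log alert rule. It assumes the subscription's activity log is exported to the workspace; the 4-hour threshold is a placeholder, and the query does not confirm that the database still exists or is doing compute:

```kusto
// Added example, not from the original answers.
// The write operation covers both create and update, like the portal signal
// "Create/Update Azure Sql Database" mentioned above.
AzureActivity
| where TimeGenerated > ago(1d)
| where OperationNameValue =~ "Microsoft.Sql/servers/databases/write"
| where ActivityStatusValue in~ ("Success", "Succeeded")
// the database name is the last segment of the resource ID
| extend DatabaseName = extract(@"(?i)/databases/([^/]+)$", 1, _ResourceId)
| where isnotempty(DatabaseName)
| summarize FirstWrite = min(TimeGenerated), LastWrite = max(TimeGenerated)
          by DatabaseName, _ResourceId, ResourceGroup, Caller
| extend HoursSinceFirstWrite = datetime_diff("hour", now(), FirstWrite)
| where HoursSinceFirstWrite >= 4             // placeholder threshold
```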
Is it possible to use a cross-resource query (with 2 subscriptions) from an Application Insights resource's Logs (Analytics) blade in the Azure portal?
I've managed to use the fully qualified name for the same app I'm using!
i.e. using
app("/subscriptions/sub1/resourceGroups/rg1/providers/microsoft.insights/components/apptelemetry1").requests in apptelemetry1 returns the same result as the query requests. But trying to use a similar query for an app in another subscription doesn't work (I've double checked the resources names many times).
I've tried using all of the options listed in app-expression, cross-workspace-query (Resource name, Qualified Name, ID, Azure Resource ID).
The only response I'm getting is: "The following application isn’t available anymore".
Since you cannot use this query app("/subscriptions/sub1/resourceGroups/rg1/providers/microsoft.insights/components/apptelemetry1").requests in the application insights instance apptelemetry1 itself, there must be some problem with the instance apptelemetry1.
You can check if you have the read access to the application.
And if it still doesn't work after assigning read access, you can submit a support ticket where you can get professional help from Microsoft.