Device info using KQL - azure

How can we get device info using KQL? Is there any inbuilt function in Azure?
I have checked but am not able to find out. Can anyone help me out with this?
Thanks in advance,

If you are looking at the Application Insights logs from the invocation logs then you can use cloud_RoleName for the name of the function app (the app service itself) and operation_Name for the function name. In the following example I have a function called MyFunction that is run from the app service MyFunctionApp.
requests
| project timestamp, id, operation_Name, success, resultCode, duration, operation_Id, cloud_RoleName, invocationId=customDimensions['InvocationId']
| where timestamp > ago(30d)
| where cloud_RoleName =~ 'MyFunctionApp' and operation_Name =~ 'MyFunction'
| order by timestamp desc
| take 20

Related

How to monitor and alert if log ingestion stops to a specific Azure log analytics workspace

I have recently encountered issues where ingestion to certain log tables in an Azure log analytics table has stopped. This was caused by an Azure service disruption.
I use these log sources for Azure sentinel and now we want to set up an alert in case it happens again.
The problem we are facing and need help with is that you don't seem to be able to get a search result when you are querying for something that is zero/null.
I have tried this query without results:
workspace("xxxxxxxxxxxxxx").SigninLogs
| union withsource = source AuditLogs, AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs, AADProvisioningLogs, SecurityAlert, AzureActivity, AzureDiagnostics, DnsEvents, DnsInventory, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo, DeviceProcessEvents, DeviceRegistryEvents, OfficeActivity
| where TimeGenerated > now (-24h)
| project TimeGenerated, source
| summarize numbers_per_source=count() by source
| where numbers_per_source <= 1
Can someone please point me in the right direction with log query tips, thanks
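An added example, not part of the original post: `summarize ... by source` emits no row for a table that received nothing, so the final `where` has nothing to match. One way to surface silent tables is to left-join a list of expected sources against the observed counts; the table list below is a constructed subset of the tables named in the question, and the names `lookback`, `expected`, `observed` and `last_record` are assumptions.

```kusto
// Window to check; matches the 24 hours used in the question.
let lookback = 24h;
// Tables that are expected to receive data (constructed subset; extend as needed).
let expected = datatable(source: string) [
    "SigninLogs",
    "AuditLogs",
    "SecurityAlert",
    "AzureActivity",
    "OfficeActivity"
];
// Actual record counts per table. isfuzzy=true keeps the union working
// even if one of the tables does not exist in the workspace.
let observed =
    union isfuzzy=true withsource = source
        SigninLogs, AuditLogs, SecurityAlert, AzureActivity, OfficeActivity
    | where TimeGenerated > ago(lookback)
    | summarize numbers_per_source = count(), last_record = max(TimeGenerated) by source;
// The left outer join keeps every expected table, including those with no rows;
// coalesce turns the resulting null count into an explicit 0.
expected
| join kind=leftouter (observed) on source
| extend numbers_per_source = coalesce(numbers_per_source, 0)
| where numbers_per_source <= 1
| project source, numbers_per_source, last_record
```

Used as an alert rule, this query returns one row per silent table, so the rule can fire when the result count is greater than zero.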

How do you create a report with every URL hit between two date/times in an Azure web app?

I have an Azure web app with Application insights.
I need a report that shows every URL hit, when, and if possible, how long it took to execute.
In pseudocode, something like this:
select URL, Date, Duration from WebSite where Date between '1 April 2022 08:00:00' and '2 April 2022 08:00:00'
Results would look like this:
/page1 '1 April 2022 08:01:23' 203ms
/page3 '1 April 2022 08:02:03' 103ms
/page2 '1 April 2022 08:02:04' 83ms
/page5 '1 April 2022 08:03:08' 93ms
Is this possible? If so, what is the query?
I recommend getting this report directly from the app service HTTP logs because data in Application Insights can be sampled depending on how it is configured for your infrastructure.
In order to get the report from app service logs, go to the app service and select "Logs" in the left-hand side menu. Then use the following query:
AppServiceHTTPLogs
| where TimeGenerated between (datetime(2022-04-01T00:00:00Z) .. 1d)
| project CsUriStem, TimeGenerated, TimeTaken
You can specify the date range directly in the query or select it in the "Time range" dropdown.
If you want to run a similar report by using Application Insights data, the query will look like this:
requests
| where cloud_RoleName == 'your app service role name'
| where timestamp between (datetime(2022-04-01T00:00:00Z) .. 1d)
| project url, timestamp, duration
Please note that you may need to filter by cloud_RoleName or cloud_RoleInstance if multiple app services are connected to the same Application Insights resource.

Reserved EventIds in ApplicationInsights

I am creating some LogError calls in my ASP.NET Core webapp along the lines of
_logger.LogError(new EventId(5000,"CustomName"),"description");
I can find this event in Application Insights by querying like this
traces | where timestamp > ago(10m) |where customDimensions.EventId == 5000
Is there any list of event ids that are reserved? I only want to get my own events. I know that a third party library that I bind to my project theoretically can write some events with the above event id, but I am thinking more if Microsoft has a list of reserved event ids. If I do this search in my log
traces | where timestamp > ago(10m) |where customDimensions.EventId > 1
I get some hits, on Azure Function startup, so I know that Microsoft are using this also.
I have searched the docs, but haven't found any list.
No, there're no reserved EventIDs in app insights. You always need to provide it by yourself.

OMS Heartbeat query for when a server is down

How can I set an alert in OMS when a server is powered off or is not available? I have searched on Google but the alerts either don't work or too many get sent. I need the alert to be generated as soon as the server goes offline.
I found out myself:
Heartbeat
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| where Computer == "server1"
| where LastHeartbeat < ago(5m)

How to trigger a failure in an azure function http trigger, WITH a custom error response

I cannot find a way to fail a http call to a nodejs azure function, and include a custom error response.
Calling context.done() allows for a custom response (but not indicated as a failure in Application Insights)
Calling context.done(true, XXX) does create a failure, but returns a generic error to the user (no matter what I put in XXX):
{"id":"b6ca6fb0-686a-4a9c-8c66-356b6db51848","requestId":"7599d94b-d3f2-48fe-80cd-e067bb1c8557","statusCode":500,"errorCode":0,"message":"An error has occurred. For more information, please check the logs for error ID b6ca6fb0-686a-4a9c-8c66-356b6db51848"}
This is just the latest headache I have run into in trying to get a fast web api running on Azure funcs. If you can't track errors, then it should hardly be called "Application Insights". Any ideas?
Success will be true, but resultCode will be set to your value.
Try an AppInsights query like this:
// Get all errors
requests
| where toint(resultCode) >= 400
| limit 10
[Update]
The Id value in Requests is the 'function instance id', which uniquely identifies that invocation.
There is also a 'traces' table that contains the logging messages from your azure function. You can join between requests and traces via the operation_Id.
requests
| where toint(resultCode) >= 400
| take 10
| join (traces) on operation_Id
| project id, message, operation_Id
The response body is not automatically logged to AppInsights. You'll need to add some explicit log statements to capture that.
Why not use context.res to return a custom response for an HTTP trigger function?
