Cross workspace queries

The API allows you to query across multiple workspaces. There are two ways to execute these queries: implicit and explicit. The implicit method performs an automatic union over data in the requested workspace, while the explicit method allows more precision and control over how to access data from each workspace.

The maximum number of resources in any cross-resource query is limited to 10.

Resource identifiers

For either implicit or explicit cross-workspace queries, you need to specify the resources you will be accessing. There are four types of identifiers:

  • Name - human-readable string <workspaceName> of the OMS workspace
  • Qualified Name - string with format <subscriptionName>/<resourceGroup>/<workspaceName>
  • Workspace ID - GUID string
  • Azure Resource ID - string with format /subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/ microsoft.operationalinsights/workspaces/<workspaceName>

Note

We strongly recommend identifying a workspace by its unique Workspace ID or Azure Resource ID because they remove ambiguity and are more performant.

Implicit cross workspace queries

For implicit syntax, specify the workspaces that you want to include in your query scope. The API performs a single query over each application provided in your list. The syntax for a cross-workspace POST is:

Example:

    POST https://api.loganalytics.azure.cn/v1/workspaces/00000000-0000-0000-0000-000000000000/query
    
    Authorization: Bearer <user token>
    Content-Type: application/json
    
    {
       "query": "union * | where TimeGenerated > ago(1d) | summarize count() by Type, TenantId",
       "workspaces": ["AIFabrikamDemo1", "AIFabrikamDemo2"]
    }

The same request as a GET (line breaks for readability of query parameters):

    GET https://api.loganalytics.azure.cn/v1/workspaces/00000000-0000-0000-0000-000000000000/query?query=union+*+%7C+where+TimeGenerated+%3E+ago(1d)+%7C+summarize+count()+by+Type%2C+TenantId&workspaces=AIFabrikamDemo1%2CAIFabrikamDemo2
    
    
    Authorization: Bearer <user token>
    Content-Type: application/json

This query would run over AIFabrikamDemo1, AIFabrikamDemo2, and the workspace represented by the GUID 00000000-0000-0000-0000-000000000000, returning the union of the results. In the GET version, the workspaces query parameters is a comma-separated list of resources to query.

Explicit cross workspace queries

In some cases, you might want the query to operate over a more targeted subset of the data in the workspaces of interest, combining data from multiple workspaces. In these cases, explicitly mention a workspace and table in the query, similar to making cross-cluster or cross-database queries or joins between tables.

The syntax to reference another application is: workspace('identifier').table.

Example:

    POST https://api.loganalytics.azure.cn/v1/workspaces/00000000-0000-0000-0000-000000000000/query
    Content-Type: application/json
    Authorization: Bearer <user token>
    
    {
    "query": "union (AzureActivity | where timestamp > ago(1d)), (workspaces('00000000-0000-0000-0000-000000000000').AzureActivity | where timestamp> ago(1d))"
    }

You can also URL encode this query and make it a GET request. In this case, there is no query parameter for other workspaces since the workspaces will get referenced from inside the query.

Throttling

For the purposes of rate limiting, one cross-resource query counts as one API query, regardless of the number of resources in the query.