az monitor log-analytics workspace saved-search

Manage saved searches for a Log Analytics workspace.

Commands

az monitor log-analytics workspace saved-search create

Create a saved search for a given workspace.

az monitor log-analytics workspace saved-search delete

Delete a saved search for a given workspace.

az monitor log-analytics workspace saved-search list

List all saved searches for a given workspace.

az monitor log-analytics workspace saved-search show

Show a saved search for a given workspace.

az monitor log-analytics workspace saved-search update

Update a saved search for a given workspace.

az monitor log-analytics workspace saved-search create

Create a saved search for a given workspace.

az monitor log-analytics workspace saved-search create --category
                                                       --display-name
                                                       --name
                                                       --resource-group
                                                       --saved-query
                                                       --workspace-name
                                                       [--fa]
                                                       [--fp]
                                                       [--subscription]
                                                       [--tags]

Examples

Create a saved search for a given workspace.

az monitor log-analytics workspace saved-search create -g MyRG --workspace-name MyWS -n MySavedSearch --category Test1 --display-name TestSavedSearch -q "AzureActivity | summarize count() by bin(TimeGenerated, 1h)" --fa myfun --fp "a:string = value"

Required Parameters

--category

The category of the saved search. This helps the user to find a saved search faster.

--display-name

Display name of the saved search.

--name -n

Name of the saved search, which is unique in a given workspace.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--saved-query -q

The query expression for the saved search.

--workspace-name

Name of the Log Analytics Workspace.

Optional Parameters

--fa --func-alias

Function aliases are short names given to saved searches so they can be easily referenced in a query. They are required for Computer Groups.

--fp --func-param

The optional function parameters if query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax please refer to https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
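
An added example (not part of the Azure CLI reference): a POSIX shell pre-flight check for the --func-param format described above, wrapped around the create command. The function names, the Functions category and the MyRG/MyWS values in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: validate --func-param locally before calling
# "az monitor log-analytics workspace saved-search create".

# Kusto scalar types accepted in a parameter declaration.
KUSTO_TYPES='bool|datetime|decimal|dynamic|guid|int|long|real|string|timespan'

# trim STRING: strip leading and trailing whitespace.
trim() {
    printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# valid_func_params 'a:string = value, b:long = 5'
# Returns 0 when every comma-separated entry is "name:type [= default]"
# (the default is optional in Kusto user-defined function syntax).
# Limitation: splits on every comma, so a default value that itself
# contains a comma is rejected.
valid_func_params() {
    spec=$1
    [ -n "$spec" ] || return 1
    rest="$spec,"
    while [ -n "$rest" ]; do
        entry=$(trim "${rest%%,*}")   # text before the first comma
        rest=${rest#*,}               # drop that entry and its comma
        printf '%s\n' "$entry" | grep -Eq \
            "^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*:[[:space:]]*($KUSTO_TYPES)([[:space:]]*=[[:space:]]*[^[:space:]].*)?\$" \
            || { printf 'bad --func-param entry: "%s"\n' "$entry" >&2; return 1; }
    done
    return 0
}

# create_saved_function RG WORKSPACE NAME ALIAS PARAMS QUERY
# Hypothetical wrapper: refuses to call az when PARAMS is malformed.
# "Functions" is a constructed category value.
create_saved_function() {
    [ "$#" -eq 6 ] || { echo 'usage: create_saved_function RG WS NAME ALIAS PARAMS QUERY' >&2; return 2; }
    valid_func_params "$5" || return 1
    az monitor log-analytics workspace saved-search create \
        -g "$1" --workspace-name "$2" -n "$3" \
        --category Functions --display-name "$3" \
        --fa "$4" --fp "$5" -q "$6"
}

# Usage (placeholder resource names):
# create_saved_function MyRG MyWS MySavedSearch myfun 'a:string = value' 'AzureActivity | take 10'
```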

az monitor log-analytics workspace saved-search delete

Delete a saved search for a given workspace.

az monitor log-analytics workspace saved-search delete --name
                                                       --resource-group
                                                       --workspace-name
                                                       [--subscription]
                                                       [--yes]

Required Parameters

--name -n

Name of the saved search, which is unique in a given workspace.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--workspace-name

Name of the Log Analytics Workspace.

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--yes -y

Do not prompt for confirmation.

az monitor log-analytics workspace saved-search list

List all saved searches for a given workspace.

az monitor log-analytics workspace saved-search list --resource-group
                                                     --workspace-name
                                                     [--query-examples]
                                                     [--subscription]

Required Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--workspace-name

Name of the Log Analytics Workspace.

Optional Parameters

--query-examples

Recommends JMESPath query strings for you. You can copy one of the queries and paste it after the --query parameter, within double quotation marks, to see the results. You can add one or more positional keywords so that suggestions are based on those keywords.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az monitor log-analytics workspace saved-search show

Show a saved search for a given workspace.

az monitor log-analytics workspace saved-search show --name
                                                     --resource-group
                                                     --workspace-name
                                                     [--query-examples]
                                                     [--subscription]

Required Parameters

--name -n

Name of the saved search, which is unique in a given workspace.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--workspace-name

Name of the Log Analytics Workspace.

Optional Parameters

--query-examples

Recommends JMESPath query strings for you. You can copy one of the queries and paste it after the --query parameter, within double quotation marks, to see the results. You can add one or more positional keywords so that suggestions are based on those keywords.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az monitor log-analytics workspace saved-search update

Update a saved search for a given workspace.

az monitor log-analytics workspace saved-search update --name
                                                       --resource-group
                                                       --workspace-name
                                                       [--add]
                                                       [--category]
                                                       [--display-name]
                                                       [--fa]
                                                       [--force-string]
                                                       [--fp]
                                                       [--remove]
                                                       [--saved-query]
                                                       [--set]
                                                       [--subscription]
                                                       [--tags]

Examples

Update a saved search for a given workspace.

az monitor log-analytics workspace saved-search update -g MyRG --workspace-name MyWS -n MySavedSearch --category Test1 --display-name TestSavedSearch -q "AzureActivity | summarize count() by bin(TimeGenerated, 1h)" --fa myfun --fp "a:string = value"

Required Parameters

--name -n

Name of the saved search, which is unique in a given workspace.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--workspace-name

Name of the Log Analytics Workspace.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.

--category

The category of the saved search. This helps the user to find a saved search faster.

--display-name

Display name of the saved search.

--fa --func-alias

Function aliases are short names given to saved searches so they can be easily referenced in a query. They are required for Computer Groups.

--force-string

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

--fp --func-param

The optional function parameters if query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax please refer to https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions.

--remove

Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.

--saved-query -q

The query expression for the saved search.

--set

Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.