Log Analytic workspace weird behavior

Question

Log Analytic workspace weird behavior

Mohamed jihad bayali 1,141

Hello Team,

I hope you're doing fine,

I created recently a dcr to collect Error logs on a virtual Machine, here is the configuration :

The DCR is writing to a log analytic workspace.

When i try to query the events from the workspace, i'm having this weird result :

Event level = 2
Event levelname = Warning

Normally, Event level = 2 is error not warning, for a reason it appearing as warning, and i don't know why
Any help? thanks

4 answers

Your answer

Answer 1

Mohamed jihad bayali 1,141

The query that i'm using is :

Event
| where Computer == 'ComputerName'

Answer 2

George Moise 2,361 Microsoft Employee

Hello @Mohamed jihad bayali ,

Just tested in my lab and managed to reproduce the same:

Answer 3

Mohamed jihad bayali 1,141

Hello George,

Thank you for taking time to reproduce the issue, and thanks for the feedback,

That's a weird behavior

The eventLevel =2 is correct (2 = Error, 3=Warning) but the EventLevelName is wrong.

I created Alerts using the EventLevel, and not the EventLevelName to bypass the anomaly

Answer 4

Maxim Sergeev 6,586 Microsoft Employee

Follow the workaround:

Event  
| extend MyEventLevel = case (tostring(EventLevel) == "3", "Warning", tostring(EventLevel) == "4", "Information","Error")  
| project Source, EventData, EventLevel, MyEventLevel

Mohamed jihad bayali 1,141 Reputation points

2022-10-14T17:02:14.663+00:00

It worked for me
Thank you

Share via

Log Analytic workspace weird behavior

4 answers

Your answer