Query logs from Start/Stop VMs during off-hours

Article
03/16/2023

Note

Start/Stop VM during off-hours version 1 is unavailable in the marketplace now as it will retire by 30 September 2023. We recommend you start using version 2, which is now generally available. The new version offers all existing capabilities and provides new features, such as multi-subscription support from a single Start/Stop instance. If you have the version 1 solution already deployed, you can still use the feature, and we will provide support until 30 September 2023. The details of the announcement will be shared soon.

Azure Automation forwards two types of records to the linked Log Analytics workspace: job logs and job streams. This article reviews the data available for query in Azure Monitor.

Job logs

Property	Description
Caller	Who initiated the operation. Possible values are either an email address or system for scheduled jobs.
Category	Classification of the type of data. For Automation, the value is JobLogs.
CorrelationId	GUID that is the Correlation ID of the runbook job.
JobId	GUID that is the ID of the runbook job.
operationName	Specifies the type of operation performed in Azure. For Automation, the value is Job.
resourceId	Specifies the resource type in Azure. For Automation, the value is the Automation account associated with the runbook.
ResourceGroup	Specifies the resource group name of the runbook job.
ResourceProvider	Specifies the Azure service that supplies the resources you can deploy and manage. For Automation, the value is Azure Automation.
ResourceType	Specifies the resource type in Azure. For Automation, the value is the Automation account associated with the runbook.
resultType	The status of the runbook job. Possible values are: - Started - Stopped - Suspended - Failed - Succeeded
resultDescription	Describes the runbook job result state. Possible values are: - Job is started - Job Failed - Job Completed
RunbookName	Specifies the name of the runbook.
SourceSystem	Specifies the source system for the data submitted. For Automation, the value is OpsManager
StreamType	Specifies the type of event. Possible values are: - Verbose - Output - Error - Warning
SubscriptionId	Specifies the subscription ID of the job.
Time	Date and time when the runbook job executed.

Job streams

Property	Description
Caller	Who initiated the operation. Possible values are either an email address or system for scheduled jobs.
Category	Classification of the type of data. For Automation, the value is JobStreams.
JobId	GUID that is the ID of the runbook job.
operationName	Specifies the type of operation performed in Azure. For Automation, the value is Job.
ResourceGroup	Specifies the resource group name of the runbook job.
resourceId	Specifies the resource ID in Azure. For Automation, the value is the Automation account associated with the runbook.
ResourceProvider	Specifies the Azure service that supplies the resources you can deploy and manage. For Automation, the value is Azure Automation.
ResourceType	Specifies the resource type in Azure. For Automation, the value is the Automation account associated with the runbook.
resultType	The result of the runbook job at the time the event was generated. A possible value is: - InProgress
resultDescription	Includes the output stream from the runbook.
RunbookName	The name of the runbook.
SourceSystem	Specifies the source system for the data submitted. For Automation, the value is OpsManager.
StreamType	The type of job stream. Possible values are: - Progress - Output - Warning - Error - Debug - Verbose
Time	Date and time when the runbook job executed.

When you perform any log search that returns category records of JobLogs or JobStreams, you can select the JobLogs or JobStreams view, which displays a set of tiles summarizing the updates returned by the search.

Sample log searches

The following table provides sample log searches for job records collected by Start/Stop VMs during off-hours.

Query	Description
Find jobs for runbook ScheduledStartStop_Parent that have finished successfully	`search Category == "JobLogs" \| where ( RunbookName_s == "ScheduledStartStop_Parent" ) \| where ( ResultType == "Completed" ) \| summarize AggregatedValue = count() by ResultType, bin(TimeGenerated, 1h) \| sort by TimeGenerated desc`
Find jobs for runbook ScheduledStartStop_Parent that have not completed successfully	`search Category == "JobLogs" \| where ( RunbookName_s == "ScheduledStartStop_Parent" ) \| where ( ResultType == "Failed" ) \| summarize AggregatedValue = count() by ResultType, bin(TimeGenerated, 1h) \| sort by TimeGenerated desc`
Find jobs for runbook SequencedStartStop_Parent that have finished successfully	`search Category == "JobLogs" \| where ( RunbookName_s == "SequencedStartStop_Parent" ) \| where ( ResultType == "Completed" ) \| summarize AggregatedValue = count() by ResultType, bin(TimeGenerated, 1h) \| sort by TimeGenerated desc`
Find jobs for runbook SequencedStartStop_Parent that have not completed successfully	`search Category == "JobLogs" \| where ( RunbookName_s == "SequencedStartStop_Parent" ) \| where ( ResultType == "Failed" ) \| summarize AggregatedValue = count() by ResultType, bin(TimeGenerated, 1h) \| sort by TimeGenerated desc`

Next steps

To set up the feature, see Configure Stop/Start VMs during off-hours.
For information on log alerts during feature deployment, see Create log alerts with Azure Monitor.
To resolve feature errors, see Troubleshoot Start/Stop VMs during off-hours issues.