az monitor log-analytics workspace saved-search

Manage saved searches for a Log Analytics workspace.

Commands

| Name | Description | Type | Status |
|---|---|---|---|
| az monitor log-analytics workspace saved-search create | Create a saved search for a given workspace. | Core | GA |
| az monitor log-analytics workspace saved-search delete | Delete a saved search for a given workspace. | Core | GA |
| az monitor log-analytics workspace saved-search list | List all saved searches for a given workspace. | Core | GA |
| az monitor log-analytics workspace saved-search show | Show a saved search for a given workspace. | Core | GA |
| az monitor log-analytics workspace saved-search update | Update a saved search for a given workspace. | Core | GA |

az monitor log-analytics workspace saved-search create

Create a saved search for a given workspace.

az monitor log-analytics workspace saved-search create --category
                                                       --display-name
                                                       --name
                                                       --resource-group
                                                       --saved-query
                                                       --workspace-name
                                                       [--fa --func-alias]
                                                       [--fp --func-param]
                                                       [--tags]

Examples

Create a saved search for a given workspace.

az monitor log-analytics workspace saved-search create -g MyRG --workspace-name MyWS -n MySavedSearch --category Test1 --display-name TestSavedSearch -q "AzureActivity | summarize count() by bin(TimeGenerated, 1h)" --fa myfun --fp "a:string = value"

Required Parameters

--category

The category of the saved search. This helps the user to find a saved search faster.

--display-name

Display name of the saved search.

--name -n

Name of the saved search. It is unique in a given workspace.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--saved-query -q

The query expression for the saved search.

--workspace-name

Name of the Log Analytics Workspace.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--fa --func-alias

Function Aliases are short names given to Saved Searches so they can be easily referenced in query. They are required for Computer Groups.

--fp --func-param

The optional function parameters if query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax please refer to https://learn.microsoft.com/azure/kusto/query/functions/user-defined-functions.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False

az monitor log-analytics workspace saved-search delete

Delete a saved search for a given workspace.

az monitor log-analytics workspace saved-search delete [--ids]
                                                       [--name --saved-search-name]
                                                       [--resource-group]
                                                       [--subscription]
                                                       [--workspace-name]
                                                       [--yes]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

Parameter group: Resource Id Arguments

--name --saved-search-name -n

Name of the saved search. It is unique in a given workspace.

Parameter group: Resource Id Arguments

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Parameter group: Resource Id Arguments

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Parameter group: Resource Id Arguments

--workspace-name

The name of the workspace.

Parameter group: Resource Id Arguments

--yes -y

Do not prompt for confirmation.

Default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False

az monitor log-analytics workspace saved-search list

List all saved searches for a given workspace.

az monitor log-analytics workspace saved-search list --resource-group
                                                     --workspace-name

Required Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--workspace-name

The name of the workspace.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False

az monitor log-analytics workspace saved-search show

Show a saved search for a given workspace.

az monitor log-analytics workspace saved-search show [--ids]
                                                     [--name --saved-search-name]
                                                     [--resource-group]
                                                     [--subscription]
                                                     [--workspace-name]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

Parameter group: Resource Id Arguments

--name --saved-search-name -n

Name of the saved search. It is unique in a given workspace.

Parameter group: Resource Id Arguments

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Parameter group: Resource Id Arguments

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Parameter group: Resource Id Arguments

--workspace-name

The name of the workspace.

Parameter group: Resource Id Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False
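
The show and delete commands above, combined in an added example that is not part of the Azure CLI documentation: it exports a saved search's definition before deleting it with --yes, which removes it without a confirmation prompt. The function name backup_then_delete and the backup file layout are assumptions; only flags documented on this page are used.

```shell
#!/bin/sh
# Added example, not from the Azure CLI docs: export a saved search with `show`
# before removing it with `delete --yes`, which skips the confirmation prompt.
# backup_then_delete and the backup file layout are hypothetical.
#
# Usage: backup_then_delete <resource-group> <workspace> <saved-search> <backup-dir>
# Prints the backup path and returns 0 only if export and delete both succeeded.
backup_then_delete() {
    [ "$#" -eq 4 ] || { echo "usage: backup_then_delete RG WORKSPACE NAME DIR" >&2; return 2; }
    rg=$1; ws=$2; name=$3; dir=$4

    # Workspace and search names become part of a file name: refuse path tricks.
    for part in "$ws" "$name"; do
        case $part in
            ''|*/*|.|..) echo "refusing unsafe name: $part" >&2; return 2 ;;
        esac
    done

    mkdir -p "$dir" || return 1
    out="$dir/$ws.$name.json"
    tmp="$out.tmp.$$"

    # Export first, owner-readable only. If show fails (wrong name, no access),
    # nothing is deleted.
    if ! (umask 077; az monitor log-analytics workspace saved-search show \
            -g "$rg" --workspace-name "$ws" -n "$name" -o json > "$tmp"); then
        rm -f "$tmp"
        echo "export failed, not deleting $name" >&2
        return 1
    fi

    # An empty export is not a backup.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "empty export, not deleting $name" >&2
        return 1
    fi
    mv "$tmp" "$out" || return 1

    az monitor log-analytics workspace saved-search delete \
        -g "$rg" --workspace-name "$ws" -n "$name" --yes || return 1
    echo "$out"
}
```

The exported JSON is the only copy of the query once the delete succeeds, so keep the backup directory under the same access controls as the workspace.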

az monitor log-analytics workspace saved-search update

Update a saved search for a given workspace.

az monitor log-analytics workspace saved-search update --name
                                                       --resource-group
                                                       --workspace-name
                                                       [--category]
                                                       [--display-name]
                                                       [--fa --func-alias]
                                                       [--fp --func-param]
                                                       [--saved-query]
                                                       [--tags]

Examples

Update a saved search for a given workspace.

az monitor log-analytics workspace saved-search update -g MyRG --workspace-name MyWS -n MySavedSearch --category Test1 --display-name TestSavedSearch -q "AzureActivity | summarize count() by bin(TimeGenerated, 1h)" --fa myfun --fp "a:string = value"

Required Parameters

--name -n

Name of the saved search. It is unique in a given workspace.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--workspace-name

Name of the Log Analytics Workspace.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--category

The category of the saved search. This helps the user to find a saved search faster.

--display-name

Display name of the saved search.

--fa --func-alias

Function Aliases are short names given to Saved Searches so they can be easily referenced in query. They are required for Computer Groups.

--fp --func-param

The optional function parameters if query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax please refer to https://learn.microsoft.com/azure/kusto/query/functions/user-defined-functions.

--saved-query -q

The query expression for the saved search.

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False