Get-AzureRmOperationalInsightsSearchResults
Returns search results based on the specified parameters.
Warning
The AzureRM PowerShell module has been officially deprecated as of February 29, 2024. Users are advised to migrate from AzureRM to the Az PowerShell module to ensure continued support and updates.
Although the AzureRM module may still function, it's no longer maintained or supported, placing any continued use at the user's discretion and risk. Please refer to our migration resources for guidance on transitioning to the Az module.
Syntax
Get-AzureRmOperationalInsightsSearchResults
[-ResourceGroupName] <String>
[-WorkspaceName] <String>
[[-Top] <Int64>]
[[-PreHighlight] <String>]
[[-PostHighlight] <String>]
[[-Query] <String>]
[[-Start] <DateTime>]
[[-End] <DateTime>]
[[-Id] <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Description
The Get-AzureRmOperationalInsightsSearchResults cmdlet returns the search results based on the specified parameters. You can access the status of the search in the Metadata property of the returned object. If the status is Pending, then the search has not completed, and the results will be from the archive. You can retrieve the results of the search from the Value property of the returned object.
Examples
Example 1: Get search results using a query
PS C:\>Get-AzureRmOperationalInsightsSearchResults -ResourceGroupName "ContosoResourceGroup" -WorkspaceName "ContosoWorkspace" -Query "Type=Event" -Top 100This command gets all search results by using a query.
Example 2: Get search results using an ID
PS C:\>Get-AzureRmOperationalInsightsSearchResults -ResourceGroupName "ContosoResourceGroup" -WorkspaceName "ContosoWorkspace" -Id "ContosoSearchId"This command gets search results by using an ID.
Example 3: Wait for a search to complete before displaying results
PS C:\>$error.clear()
$response = @{}
$StartTime = Get-Date
$resGroup = "ContosoResourceGroup"
$wrkspace = "ContosoWorkspace"
# Sample Query
$query = "Type=Event"
# Get Initial response
$response = Get-AzureRmOperationalInsightsSearchResults -WorkspaceName $wrkspace -ResourceGroupName $resGroup -Query $query -Top 15000
$elapsedTime = $(get-date) - $script:StartTime
Write-Host "Elapsed: " $elapsedTime "Status: " $response.Metadata.Status
# Split and extract request Id
$reqIdParts = $response.Id.Split("/")
$reqId = $reqIdParts[$reqIdParts.Count -1]
# Poll if pending
while($response.Metadata.Status -eq "Pending" -and $error.Count -eq 0) {
$response = Get-AzureRmOperationalInsightsSearchResults -WorkspaceName $wrkspace -ResourceGroupName $resGroup -Id $reqId
$elapsedTime = $(get-date) - $script:StartTime
Write-Host "Elapsed: " $elapsedTime "Status: " $response.Metadata.Status
}
Write-Host "Returned " $response.Value.Count " documents"
Write-Host $errorThis script starts a search and waits until it completes before displaying the results.
Parameters
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with azure
| Type: | IAzureContextContainer |
| Aliases: | AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-End
End of the queried time range.
| Type: | Nullable<T>[DateTime] |
| Position: | 7 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Id
If an id is given, the search results for that id will be retrieved using the original query parameters.
| Type: | String |
| Position: | 8 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-PostHighlight
| Type: | String |
| Position: | 4 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-PreHighlight
| Type: | String |
| Position: | 3 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Query
The search query that will be executed.
| Type: | String |
| Position: | 5 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ResourceGroupName
The name of the resource group that contains the workspace.
| Type: | String |
| Position: | 0 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Start
Start of the queried time range.
| Type: | Nullable<T>[DateTime] |
| Position: | 6 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Top
The maximum number of results to be returned, limited to 5000.
| Type: | Int64 |
| Position: | 2 |
| Default value: | 10 |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-WorkspaceName
Specifies a workspace name.
| Type: | String |
| Aliases: | Name |
| Position: | 1 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Inputs
Nullable<T>[[System.DateTime, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]
Outputs
PSSearchGetSearchResultsResponse