Get-AzureRmOperationalInsightsSearchResults
Returns search results based on the specified parameters.
Caution
Because Az PowerShell modules now have all the capabilities of AzureRM PowerShell modules and more, we'll retire AzureRM PowerShell modules on 29 February 2024.
To avoid service interruptions, update your scripts that use AzureRM PowerShell modules to use Az PowerShell modules by 29 February 2024. To automatically update your scripts, follow the quickstart guide.
Syntax
Get-AzureRmOperationalInsightsSearchResults
[-ResourceGroupName] <String>
[-WorkspaceName] <String>
[[-Top] <Int64>]
[[-PreHighlight] <String>]
[[-PostHighlight] <String>]
[[-Query] <String>]
[[-Start] <DateTime>]
[[-End] <DateTime>]
[[-Id] <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Description
The Get-AzureRmOperationalInsightsSearchResults cmdlet returns the search results based on the specified parameters. You can access the status of the search in the Metadata property of the returned object. If the status is Pending, then the search has not completed, and the results will be from the archive. You can retrieve the results of the search from the Value property of the returned object.
Examples
Example 1: Get search results using a query
PS C:\>Get-AzureRmOperationalInsightsSearchResults -ResourceGroupName "ContosoResourceGroup" -WorkspaceName "ContosoWorkspace" -Query "Type=Event" -Top 100This command gets all search results by using a query.
Example 2: Get search results using an ID
PS C:\>Get-AzureRmOperationalInsightsSearchResults -ResourceGroupName "ContosoResourceGroup" -WorkspaceName "ContosoWorkspace" -Id "ContosoSearchId"This command gets search results by using an ID.
Example 3: Wait for a search to complete before displaying results
PS C:\>$error.clear()
$response = @{}
$StartTime = Get-Date
$resGroup = "ContosoResourceGroup"
$wrkspace = "ContosoWorkspace"
# Sample Query
$query = "Type=Event"
# Get Initial response
$response = Get-AzureRmOperationalInsightsSearchResults -WorkspaceName $wrkspace -ResourceGroupName $resGroup -Query $query -Top 15000
$elapsedTime = $(get-date) - $script:StartTime
Write-Host "Elapsed: " $elapsedTime "Status: " $response.Metadata.Status
# Split and extract request Id
$reqIdParts = $response.Id.Split("/")
$reqId = $reqIdParts[$reqIdParts.Count -1]
# Poll if pending
while($response.Metadata.Status -eq "Pending" -and $error.Count -eq 0) {
$response = Get-AzureRmOperationalInsightsSearchResults -WorkspaceName $wrkspace -ResourceGroupName $resGroup -Id $reqId
$elapsedTime = $(get-date) - $script:StartTime
Write-Host "Elapsed: " $elapsedTime "Status: " $response.Metadata.Status
}
Write-Host "Returned " $response.Value.Count " documents"
Write-Host $errorThis script starts a search and waits until it completes before displaying the results.
Parameters
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with azure
| Type: | IAzureContextContainer |
| Aliases: | AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-End
End of the queried time range.
| Type: | Nullable<T>[DateTime] |
| Position: | 7 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Id
If an id is given, the search results for that id will be retrieved using the original query parameters.
| Type: | String |
| Position: | 8 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-PostHighlight
| Type: | String |
| Position: | 4 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-PreHighlight
| Type: | String |
| Position: | 3 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Query
The search query that will be executed.
| Type: | String |
| Position: | 5 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ResourceGroupName
The name of the resource group that contains the workspace.
| Type: | String |
| Position: | 0 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Start
Start of the queried time range.
| Type: | Nullable<T>[DateTime] |
| Position: | 6 |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Top
The maximum number of results to be returned, limited to 5000.
| Type: | Int64 |
| Position: | 2 |
| Default value: | 10 |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-WorkspaceName
Specifies a workspace name.
| Type: | String |
| Aliases: | Name |
| Position: | 1 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
Inputs
Nullable<T>[[System.DateTime, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]
Outputs
PSSearchGetSearchResultsResponse