Azure Monitor REST API Filter Syntax
Many Azure Monitor APIs take a parameter, {filter-expression}, that you can use to filter or constrain the set of data that is collected.
Using filter '*' in request multiple resources
Important
The * in a filter for multiple resources is not a wildcard. It is a literal string that is used to request multiple resources. The * is used to request multiple resources in a single time series.
In the sample below $filter=Microsoft.ResourceId eq '*' tells the API to return a separate time series per virtual machine resource in the subscription and region. Without the filter the API would return a single time series aggregating the average CPU for all VMs. The times series for each resource is differentiated by the Microsoft.ResourceId metadata value on each time series entry.
If you use $filter=Microsoft.ResourceId eq '*' and there are no resources, in this case VMs in the specified time series, the empty timeseries timeseries:[] is returned as there are no results for the requested set of dimension that includes ResourceId
The same query without the filter will return a single time series returning an aggregated average CPU = 0 for all VMs as this is the sum across all of the requested dimensions.
GET https://management.azure.com/subscriptions/12345678-abcd-98765432-abcdef012345/providers/microsoft.Insights/metrics?timespan=2023-06-25T22:20:00.000Z/2023-06-26T22:25:00.000Z&interval=PT5M&metricnames=Percentage CPU&aggregation=average&api-version=2021-05-01®ion=eastus&metricNamespace=microsoft.compute/virtualmachines&$filter=Microsoft.ResourceId eq '*'
Example using $filter
Here are the possible expression strings you can pass as {filter-expression}. No other syntax is allowed.
List events for a resource group
$filter=eventTimestamp ge <Start Time> and eventTimestamp le <End Time> and eventChannels eq 'Admin, Operation' and resourceGroupName eq '<ResourceGroupName>'Example:
$filter=eventTimestamp ge 2014-12-29T22:00:37Z and eventTimestamp le 2014-12-29T23:36:37Z and eventChannels eq 'Admin, Operation' and resourceGroupName eq 'CloudLab'
List events for a resource
$filter=eventTimestamp ge <Start Time> and eventTimestamp le <End Time> and eventChannels eq 'Admin, Operation' and resourceUri eq '<ResourceURI>'Example:
$filter=eventTimestamp ge 2014-12-29T22:00:37Z and eventTimestamp le 2014-12-29T23:36:37Z and eventChannels eq 'Admin, Operation' and resourceUri eq '/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/resourcegroups/CloudLab/providers/Microsoft.Web/sites/mytestweb004'
List events for an Azure subscription
$filter=eventTimestamp ge <Start Time> and eventTimestamp le <End Time> and eventChannels eq 'Admin, Operation'Example:
$filter=eventTimestamp ge 2014-12-29T22:00:37Z and eventTimestamp le 2014-12-29T23:36:37Z and eventChannels eq 'Admin, Operation'
List events for an Azure resource provider
$filter=eventTimestamp ge <Start Time> and eventTimestamp le <End Time> and eventChannels eq 'Admin, Operation' and resourceProvider eq '<ResourceProviderName>'Example:
$filter=eventTimestamp ge 2014-12-29T22:00:37Z and eventTimestamp le 2014-12-29T23:36:37Z and eventChannels eq 'Admin, Operation' and resourceProvider eq 'Microsoft.Web'
List events for a correlation ID
api-version=2014-04-01&$filter=eventTimestamp ge 2014-07-16T04:36:37.6407898Z and eventTimestamp le 2014-07-20T04:36:37.6407898Z and eventChannels eq 'Admin, Operation' and correlationId eq '<CorrelationID>'Example: api-version=2014-04-01&$filter=eventTimestamp ge 2014-12-29T22:00:37Z and eventTimestamp le 2014-12-29T23:36:37Z and eventChannels eq 'Admin, Operation' and correlationId eq '07c85493-5e87-4efd-9200-0c64d904d878'