Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzOperationalInsightsSavedSearchResults Saved search result not supported for the new query language #8842

Open YuriySamorodov opened 5 years ago

YuriySamorodov commented 5 years ago

Description

It looks like Get-AzOperationalInsightsSavedSearchResults does not support Kusto. Getting the following error: Saved search result not supported for the new query language.

Similar issues:

- #4548
- #7144

Steps to reproduce

1. Write a query in Azure Log Analytics with Kusto
2. Save a query in portal
3. Run command similar to the one below

$Parameters = @{
    ResourceGroupName = 'defaultresourcegroup-eus'
    WorkspaceName = 'AzureSentinel-0d1b2858-9d41-44a4-aa88-5255dacf106f'
    SavedSearchId = 'sharepointeventsyesterday-adef6535-1c67-4212-8a01-5fb8e543e36c'
}
Get-AzOperationalInsightsSavedSearchResults @Parameters

Environment data

Name                           Value                                                                                   
----                           -----                                                                                   
PSVersion                      5.1.17134.590                                                                           
PSEdition                      Desktop                                                                                 
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                 
BuildVersion                   10.0.17134.590                                                                          
CLRVersion                     4.0.30319.42000                                                                         
WSManStackVersion              3.0                                                                                     
PSRemotingProtocolVersion      2.3                                                                                     
SerializationVersion           1.1.0.1                                                                                 

Module versions


    Directory: C:\Program Files\WindowsPowerShell\Modules

ModuleType Version    Name                                ExportedCommands                                             
---------- -------    ----                                ----------------                                             
Script     1.4.0      Az.Accounts                         {Disable-AzDataCollection, Disable-AzContextAutosave, Enab...
Script     1.0.1      Az.Aks                              {Get-AzAks, New-AzAks, Remove-AzAks, Import-AzAksCredentia...
Script     1.0.2      Az.AnalysisServices                 {Resume-AzAnalysisServicesServer, Suspend-AzAnalysisServic...
Script     1.0.0      Az.ApiManagement                    {Add-AzApiManagementRegion, Get-AzApiManagementSsoToken, N...
Script     1.0.0      Az.ApplicationInsights              {Get-AzApplicationInsights, New-AzApplicationInsights, Rem...
Script     1.1.2      Az.Automation                       {Get-AzAutomationHybridWorkerGroup, Remove-AzAutomationHyb...
Script     1.0.0      Az.Batch                            {Remove-AzBatchAccount, Get-AzBatchAccount, Get-AzBatchAcc...
Script     1.0.0      Az.Billing                          {Get-AzBillingInvoice, Get-AzBillingPeriod, Get-AzEnrollme...
Script     1.1.0      Az.Cdn                              {Get-AzCdnProfile, Get-AzCdnProfileSsoUrl, New-AzCdnProfil...
Script     1.0.1      Az.CognitiveServices                {Get-AzCognitiveServicesAccount, Get-AzCognitiveServicesAc...
Script     1.5.0      Az.Compute                          {Remove-AzAvailabilitySet, Get-AzAvailabilitySet, New-AzAv...
Script     1.0.0      Az.ContainerInstance                {New-AzContainerGroup, Get-AzContainerGroup, Remove-AzCont...
Script     1.0.1      Az.ContainerRegistry                {New-AzContainerRegistry, Get-AzContainerRegistry, Update-...
Script     1.0.2      Az.DataFactory                      {Set-AzDataFactoryV2, Update-AzDataFactoryV2, Get-AzDataFa...
Script     1.0.0      Az.DataLakeAnalytics                {Get-AzDataLakeAnalyticsDataSource, New-AzDataLakeAnalytic...
Script     1.1.0      Az.DataLakeStore                    {Get-AzDataLakeStoreTrustedIdProvider, Remove-AzDataLakeSt...
Script     1.0.0      Az.DevTestLabs                      {Get-AzDtlAllowedVMSizesPolicy, Get-AzDtlAutoShutdownPolic...
Script     1.0.0      Az.Dns                              {Get-AzDnsRecordSet, New-AzDnsRecordConfig, Remove-AzDnsRe...
Script     1.1.0      Az.EventGrid                        {New-AzEventGridTopic, Get-AzEventGridTopic, Set-AzEventGr...
Script     1.0.1      Az.EventHub                         {New-AzEventHubNamespace, Get-AzEventHubNamespace, Set-AzE...
Script     1.0.0      Az.HDInsight                        {Get-AzHDInsightJob, New-AzHDInsightSqoopJobDefinition, Wa...
Script     1.0.2      Az.IotHub                           {Add-AzIotHubKey, Get-AzIotHubEventHubConsumerGroup, Get-A...
Script     1.0.2      Az.KeyVault                         {Add-AzKeyVaultCertificate, Update-AzKeyVaultCertificate, ...
Script     1.2.1      Az.LogicApp                         {Get-AzIntegrationAccountAgreement, Get-AzIntegrationAccou...
Script     1.0.0      Az.MachineLearning                  {Move-AzMlCommitmentAssociation, Get-AzMlCommitmentAssocia...
Script     1.0.0      Az.MarketplaceOrdering              {Get-AzMarketplaceTerms, Set-AzMarketplaceTerms}             
Script     1.0.0      Az.Media                            {Sync-AzMediaServiceStorageKeys, Set-AzMediaServiceKey, Ge...
Script     1.0.1      Az.Monitor                          {Get-AzMetricDefinition, Get-AzMetric, Remove-AzLogProfile...
Script     1.3.0      Az.Network                          {Add-AzApplicationGatewayAuthenticationCertificate, Get-Az...
Script     1.0.0      Az.NotificationHubs                 {Get-AzNotificationHub, Get-AzNotificationHubAuthorization...
Script     1.1.0      Az.OperationalInsights              {New-AzOperationalInsightsAzureActivityLogDataSource, New-...
Script     1.0.0      Az.PolicyInsights                   {Get-AzPolicyEvent, Get-AzPolicyState, Get-AzPolicyStateSu...
Script     1.0.0      Az.PowerBIEmbedded                  {Remove-AzPowerBIWorkspaceCollection, Get-AzPowerBIWorkspa...
Script     1.1.0      Az.RecoveryServices                 {Get-AzRecoveryServicesBackupProperty, Get-AzRecoveryServi...
Script     1.0.0      Az.RedisCache                       {Remove-AzRedisCachePatchSchedule, New-AzRedisCacheSchedul...
Script     1.0.0      Az.Relay                            {New-AzRelayNamespace, Get-AzRelayNamespace, Set-AzRelayNa...
Script     1.2.0      Az.Resources                        {Get-AzProviderOperation, Remove-AzRoleAssignment, Get-AzR...
Script     1.0.0      Az.ServiceBus                       {New-AzServiceBusNamespace, Get-AzServiceBusNamespace, Set...
Script     1.0.1      Az.ServiceFabric                    {Add-AzServiceFabricApplicationCertificate, Add-AzServiceF...
Script     1.0.2      Az.SignalR                          {New-AzSignalR, Get-AzSignalR, Get-AzSignalRKey, New-AzSig...
Script     1.5.0      Az.Sql                              {Get-AzSqlDatabaseTransparentDataEncryption, Get-AzSqlData...
Script     1.0.3      Az.Storage                          {Get-AzStorageAccount, Get-AzStorageAccountKey, New-AzStor...
Script     1.0.0      Az.StreamAnalytics                  {Get-AzStreamAnalyticsFunction, Get-AzStreamAnalyticsDefau...
Script     1.0.1      Az.TrafficManager                   {Add-AzTrafficManagerCustomHeaderToEndpoint, Remove-AzTraf...
Script     1.1.1      Az.Websites                         {Get-AzAppServicePlan, Set-AzAppServicePlan, New-AzAppServ...

Debug output

DEBUG: 7:12:29 PM - GetAzureOperationalInsightsSavedSearchResultsCommand begin processing with ParameterSet
'__AllParameterSets'.
DEBUG: 7:12:29 PM - using account id 'yuriy.samorodov@veeam.com'...
DEBUG: [Common.Authentication]: Authenticating using Account: 'yuriy.samorodov@veeam.com', environment: 'AzureCloud',
tenant: 'ba07baab-431b-49ed-add7-cbc3542f5140'
DEBUG: [ADAL]: Information: 3/25/2019 4:12:29 PM: ac7ed493-759e-4db0-96fb-56742fd57547 - AcquireTokenHandlerBase.cs:
=== Token Acquisition started:
 Authority: https://login.microsoftonline.com/ba07baab-431b-49ed-add7-cbc3542f5140/
 Resource: https://management.core.windows.net/
 ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
 CacheType: null
 Authentication Target: User

DEBUG: [ADAL]: Information: 3/25/2019 4:12:29 PM:  - TokenCache.cs: Deserialized 6 items to token cache.
DEBUG: [ADAL]: Verbose: 3/25/2019 4:12:29 PM: ac7ed493-759e-4db0-96fb-56742fd57547 - TokenCache.cs: Looking up cache
for a token...
DEBUG: [ADAL]: Information: 3/25/2019 4:12:29 PM: ac7ed493-759e-4db0-96fb-56742fd57547 - TokenCache.cs: An item
matching the requested resource was found in the cache
DEBUG: [ADAL]: Information: 3/25/2019 4:12:29 PM: ac7ed493-759e-4db0-96fb-56742fd57547 - TokenCache.cs: 59.93311216
minutes left until token in cache expires
DEBUG: [ADAL]: Information: 3/25/2019 4:12:29 PM: ac7ed493-759e-4db0-96fb-56742fd57547 - TokenCache.cs: A matching item
 (access token or refresh token or both) was found in the cache
DEBUG: [ADAL]: Information: 3/25/2019 4:12:29 PM: ac7ed493-759e-4db0-96fb-56742fd57547 - AcquireTokenHandlerBase.cs:
=== Token Acquisition finished successfully. An access token was retuned:
 Access Token Hash: Hx6OqEqueF4AR0O/P7vwM7zxaePlUfD1e1qiVf4xkeY=
 Expiration Time: 3/25/2019 5:12:25 PM +00:00
 User Hash: 5+HHqiFghPJXbsLBYwc0nCQI4oWH2RGnDcUT8/UwJJA=

DEBUG: [ADAL]: Information: 3/25/2019 4:12:29 PM: b75e5b21-1ee6-4da4-add4-41b99548d55e - AcquireTokenHandlerBase.cs:
=== Token Acquisition started:
 Authority: https://login.microsoftonline.com/ba07baab-431b-49ed-add7-cbc3542f5140/
 Resource: https://management.core.windows.net/
 ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
 CacheType: null
 Authentication Target: User

DEBUG: [ADAL]: Information: 3/25/2019 4:12:29 PM:  - TokenCache.cs: Deserialized 6 items to token cache.
DEBUG: [ADAL]: Verbose: 3/25/2019 4:12:29 PM: b75e5b21-1ee6-4da4-add4-41b99548d55e - TokenCache.cs: Looking up cache
for a token...
DEBUG: [ADAL]: Information: 3/25/2019 4:12:29 PM: b75e5b21-1ee6-4da4-add4-41b99548d55e - TokenCache.cs: An item
matching the requested resource was found in the cache
DEBUG: [ADAL]: Information: 3/25/2019 4:12:29 PM: b75e5b21-1ee6-4da4-add4-41b99548d55e - TokenCache.cs: 59.931279235
minutes left until token in cache expires
DEBUG: [ADAL]: Information: 3/25/2019 4:12:29 PM: b75e5b21-1ee6-4da4-add4-41b99548d55e - TokenCache.cs: A matching item
 (access token or refresh token or both) was found in the cache
DEBUG: [ADAL]: Information: 3/25/2019 4:12:29 PM: b75e5b21-1ee6-4da4-add4-41b99548d55e - AcquireTokenHandlerBase.cs:
=== Token Acquisition finished successfully. An access token was retuned:
 Access Token Hash: Hx6OqEqueF4AR0O/P7vwM7zxaePlUfD1e1qiVf4xkeY=
 Expiration Time: 3/25/2019 5:12:25 PM +00:00
 User Hash: 5+HHqiFghPJXbsLBYwc0nCQI4oWH2RGnDcUT8/UwJJA=

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/96a8617d-6b4f-4f0d-9628-42cd25164d50/resourcegroups/defaultresourcegroup-eus
/providers/Microsoft.OperationalInsights/workspaces/AzureSentinel-0d1b2858-9d41-44a4-aa88-5255dacf106f/savedSearches/sh
arepointeventsyesterday-adef6535-1c67-4212-8a01-5fb8e543e36c/results?api-version=2015-03-20

Headers:
x-ms-client-request-id        : 4d784599-3eca-4278-8973-2ebd771ceb2d
accept-language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Pragma                        : no-cache
Request-Context               : appId=cid-v1:3d24a429-e724-4d71-9886-21ad884cf893
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
x-ms-ratelimit-remaining-subscription-reads: 11996
x-ms-request-id               : 35505934-02b6-4ae7-a346-9f28f3b8e082
x-ms-correlation-request-id   : 35505934-02b6-4ae7-a346-9f28f3b8e082
x-ms-routing-request-id       : WESTEUROPE:20190325T161230Z:35505934-02b6-4ae7-a346-9f28f3b8e082
Cache-Control                 : no-cache
Date                          : Mon, 25 Mar 2019 16:12:29 GMT
Server                        : Microsoft-IIS/10.0
X-Powered-By                  : ASP.NET

Body:
{
  "error": {
    "code": "InvalidOperationArgument",
    "message": "Saved search result not supported for the new query language"
  }
}

Error output

Get-AzOperationalInsightsSavedSearchResults : Saved search result not supported for the new query language
At line:1 char:1
+ Get-AzOperationalInsightsSavedSearchResults -ResourceGroupName defaul ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzOperation...edSearchResults], CloudException
    + FullyQualifiedErrorId : Microsoft.Rest.Azure.CloudException,Microsoft.Azure.Commands.OperationalInsights.GetAzur
   eOperationalInsightsSavedSearchResultsCommand

markcowl commented 5 years ago

@xizhamsft Please respond on whether running saved Kusto Queries through the API is planned for (or should be) support.

YuriySamorodov commented 5 years ago

Thank you, @markcowl. In addition, I would really love to know which language I am supposed to be using in the case of Get-AzOperationalInsightsSavedSearchResults.