Invoke-AzureRmOperationalInsightsQuery
Returns search results based on the specified parameters.
Warning
The AzureRM PowerShell module has been officially deprecated as of February 29, 2024. Users are advised to migrate from AzureRM to the Az PowerShell module to ensure continued support and updates.
Although the AzureRM module may still function, it's no longer maintained or supported, placing any continued use at the user's discretion and risk. Please refer to our migration resources for guidance on transitioning to the Az module.
Syntax
Invoke-AzureRmOperationalInsightsQuery
-WorkspaceId <String>
-Query <String>
[-Timespan <TimeSpan>]
[-Wait <Int32>]
[-IncludeRender]
[-IncludeStatistics]
[-AsJob]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Invoke-AzureRmOperationalInsightsQuery
-Workspace <PSWorkspace>
-Query <String>
[-Timespan <TimeSpan>]
[-Wait <Int32>]
[-IncludeRender]
[-IncludeStatistics]
[-AsJob]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>] Description
The Invoke-AzureRmOperationalInsightsQuery cmdlet returns the search results based on the specified parameters. You can access the status of the search in the Metadata property of the returned object. If the status is Pending, then the search has not completed, and the results will be from the archive. You can retrieve the results of the search from the Value property of the returned object.
Examples
Example 1: Get search results using a query
PS C:\> $queryResults = Invoke-AzureRmOperationalInsightsQuery -WorkspaceId "63613592-b6f7-4c3d-a390-22ba13102111" -Query "union * | take 10"
PS C:\> $queryResults.Results
...Once invoked, $queryResults.Results will contain all of the resulting rows from your query.
Example 2: Convert $results.Result IEnumberable to an array
PS C:\> $queryResults = Invoke-AzureRmOperationalInsightsQuery -WorkspaceId "63613592-b6f7-4c3d-a390-22ba13102111" -Query "union * | take 10"
PS C:\> $resultsArray = [System.Linq.Enumerable]::ToArray($results.Results)
...Some queries can result in very large data sets being returned. Because of this, the default behavior of the cmdlet is to return an IEnumerable to reduce memory costs. If you'd prefer to have an array of results, you can use the LINQ Enumerable.ToArray() extension method to convert the IEnumerable to an array.
Example 3: Get search results using a query over a specific timeframe
PS C:\> $queryResults = Invoke-AzureRmOperationalInsightsQuery -WorkspaceId "63613592-b6f7-4c3d-a390-22ba13102111" -Query "union * | take 10" -Timespan (New-TimeSpan -Hours 24)
PS C:\> $queryResults.Results
...The results from this query will be limited to the past 24 hours.
Example 4: Include render & statistics in query result
PS C:\> $queryResults = Invoke-AzureRmOperationalInsightsQuery -WorkspaceId "63613592-b6f7-4c3d-a390-22ba13102111" -Query "union * | take 10" -IncludeRender -IncludeStatistics
PS C:\> $queryResults.Results
...
PS C:\> $queryResults.Render
...
PS C:\> $queryResults.Statistics
...Parameters
-AsJob
Run cmdlet in the background
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with azure.
| Type: | IAzureContextContainer |
| Aliases: | AzureRmContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-IncludeRender
If specified, rendering information for metric queries will be included in the response.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-IncludeStatistics
If specified, query statistics will be included in the response.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Query
The query to execute.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Timespan
The timespan to bound the query by.
| Type: | Nullable<T>[TimeSpan] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Wait
Puts an upper bound on the amount of time the server will spend processing the query.
| Type: | Nullable<T>[Int32] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Workspace
The workspace
| Type: | PSWorkspace |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-WorkspaceId
The workspace ID.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
Parameters: Workspace (ByValue)