Invoke-AzOperationalInsightsQuery

Returns search results based on the specified parameters.

Syntax

Invoke-AzOperationalInsightsQuery
      -WorkspaceId <String>
      -Query <String>
      [-Timespan <TimeSpan>]
      [-Wait <Int32>]
      [-IncludeRender]
      [-IncludeStatistics]
      [-AsJob]
      [-DefaultProfile <IAzureContextContainer>]
      [<CommonParameters>]
Invoke-AzOperationalInsightsQuery
      -Workspace <PSWorkspace>
      -Query <String>
      [-Timespan <TimeSpan>]
      [-Wait <Int32>]
      [-IncludeRender]
      [-IncludeStatistics]
      [-AsJob]
      [-DefaultProfile <IAzureContextContainer>]
      [<CommonParameters>]

Description

The Invoke-AzOperationalInsightsQuery cmdlet returns the search results based on the specified parameters. You can access the status of the search in the Metadata property of the returned object. If the status is Pending, then the search has not completed, and the results will be from the archive. You can retrieve the results of the search from the Value property of the returned object.

Examples

Example 1: Get search results using a query

PS C:\> $queryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId "63613592-b6f7-4c3d-a390-22ba13102111" -Query "union * | take 10"
PS C:\> $queryResults.Results
...

Once invoked, $queryResults.Results will contain all of the resulting rows from your query.

Example 2: Convert $results.Result IEnumerable to an array

PS C:\> $queryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId "63613592-b6f7-4c3d-a390-22ba13102111" -Query "union * | take 10"
PS C:\> $resultsArray = [System.Linq.Enumerable]::ToArray($queryResults.Results)
...

Some queries can result in very large data sets being returned. Because of this, the default behavior of the cmdlet is to return an IEnumerable to reduce memory costs. If you'd prefer to have an array of results, you can use the LINQ Enumerable.ToArray() extension method to convert the IEnumerable to an array.

Example 3: Get search results using a query over a specific timeframe

PS C:\> $queryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId "63613592-b6f7-4c3d-a390-22ba13102111" -Query "union * | take 10" -Timespan (New-TimeSpan -Hours 24)
PS C:\> $queryResults.Results
...

The results from this query will be limited to the past 24 hours.

Example 4: Include render & statistics in query result

PS C:\> $queryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId "63613592-b6f7-4c3d-a390-22ba13102111" -Query "union * | take 10" -IncludeRender -IncludeStatistics
PS C:\> $queryResults.Results
...
PS C:\> $queryResults.Render
...
PS C:\> $queryResults.Statistics
...

See https://dev.loganalytics.io/documentation/Using-the-API/RequestOptions for details on the render and statistics info.

Parameters

-AsJob

Run cmdlet in the background

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure.

Type:Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-IncludeRender

If specified, rendering information for metric queries will be included in the response.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-IncludeStatistics

If specified, query statistics will be included in the response.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Query

The query to execute.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Timespan

The timespan to bound the query by.

Type:System.Nullable`1[System.TimeSpan]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Wait

Puts an upper bound on the amount of time the server will spend processing the query. See: https://dev.loganalytics.io/documentation/Using-the-API/Timeouts

Type:System.Nullable`1[System.Int32]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Workspace

The workspace

Type:PSWorkspace
Position:Named
Default value:None
Accept pipeline input:True (ByValue)
Accept wildcard characters:False
-WorkspaceId

The workspace ID.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Inputs

PSWorkspace

Outputs

PSQueryResponse