Get-AzureRmOperationalInsightsSearchResults

Returns search results based on the specified parameters.

Syntax

Get-AzureRmOperationalInsightsSearchResults
   [-ResourceGroupName] <String>
   [-WorkspaceName] <String>
   [[-Top] <Int64>]
   [[-PreHighlight] <String>]
   [[-PostHighlight] <String>]
   [[-Query] <String>]
   [[-Start] <DateTime>]
   [[-End] <DateTime>]
   [[-Id] <String>]
   [<CommonParameters>]

Description

The Get-AzureRmOperationalInsightsSearchResults cmdlet returns the search results based on the specified parameters.

You can access the status of the search in the Metadata property of the returned object. If the status is Pending, then the search has not completed, and the results will be from the archive.

You can retrieve the results of the search from the Value property of the returned object.

Examples

Example 1: Get search results using a query

PS C:\>Get-AzureRmOperationalInsightsSearchResults -ResourceGroupName "ContosoResourceGroup" -WorkspaceName "ContosoWorkspace" -Query "Type=Event" -Top 100

This command gets up to 100 search results by using a query.

Example 2: Get search results using an ID

PS C:\>Get-AzureRmOperationalInsightsSearchResults -ResourceGroupName "ContosoResourceGroup" -WorkspaceName "ContosoWorkspace" -Id "ContosoSearchId"

This command gets search results by using an ID.

Example 3: Wait for a search to complete before displaying results

PS C:\>$error.clear()
$response = @{}
$StartTime = Get-Date

$resGroup = "ContosoResourceGroup"
$wrkspace = "ContosoWorkspace"

# Sample Query
$query = "Type=Event"

# Get Initial response
$response = Get-AzureRmOperationalInsightsSearchResults -WorkspaceName $wrkspace -ResourceGroupName $resGroup -Query $query -Top 15000
$elapsedTime = $(Get-Date) - $StartTime
Write-Host "Elapsed: " $elapsedTime "Status: " $response.Metadata.Status

# Split and extract request Id (the last segment of the returned Id)
$reqIdParts = $response.Id.Split("/")
$reqId = $reqIdParts[$reqIdParts.Count - 1]

# Poll if pending; stop as soon as any error is recorded
while($response.Metadata.Status -eq "Pending" -and $error.Count -eq 0) {
    # Pause between requests so the loop does not poll the service continuously
    Start-Sleep -Seconds 1
    $response = Get-AzureRmOperationalInsightsSearchResults -WorkspaceName $wrkspace -ResourceGroupName $resGroup -Id $reqId
    $elapsedTime = $(Get-Date) - $StartTime
    Write-Host "Elapsed: " $elapsedTime "Status: " $response.Metadata.Status
}

Write-Host "Returned " $response.Value.Count " documents"
Write-Host $error

This script starts a search and waits until it completes before displaying the results.
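
The following is an added example, not part of the original documentation: a hypothetical helper, Get-WorkspaceSearchRecords, that restricts the search to a time window with -Start and -End, polls a Pending search with a delay and a timeout, and converts the records in Value to objects. It assumes an authenticated AzureRM session and that each element of Value is one JSON-formatted record; the timeout and polling interval are illustrative defaults.

```powershell
# Added example: hypothetical helper, not part of the AzureRM module.
function Get-WorkspaceSearchRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ResourceGroupName,
        [Parameter(Mandatory)] [string]   $WorkspaceName,
        [Parameter(Mandatory)] [string]   $Query,
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [ValidateRange(1, 5000)] [long]   $Top = 5000,  # documented maximum for -Top
        [int] $TimeoutSeconds = 120,                    # assumed polling budget
        [int] $PollSeconds    = 2                       # assumed delay between polls
    )

    $common = @{
        ResourceGroupName = $ResourceGroupName
        WorkspaceName     = $WorkspaceName
        ErrorAction       = 'Stop'   # raise failures as exceptions instead of inspecting $error
    }

    # Initial request, limited to the requested time range.
    $response = Get-AzureRmOperationalInsightsSearchResults @common -Query $Query -Start $Start -End $End -Top $Top

    # The search ID is the last segment of the returned Id, as in Example 3.
    $searchId = $response.Id.Split('/')[-1]
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    while ($response.Metadata.Status -eq 'Pending') {
        if ((Get-Date) -gt $deadline) {
            throw "Search $searchId is still Pending after $TimeoutSeconds seconds."
        }
        Start-Sleep -Seconds $PollSeconds
        $response = Get-AzureRmOperationalInsightsSearchResults @common -Id $searchId
    }

    # Assumption: each element of Value is one JSON-formatted record.
    $response.Value | ForEach-Object { $_ | ConvertFrom-Json }
}

# Usage with constructed values: events from the last hour.
$now = Get-Date
Get-WorkspaceSearchRecords -ResourceGroupName 'ContosoResourceGroup' -WorkspaceName 'ContosoWorkspace' `
    -Query 'Type=Event' -Start $now.AddHours(-1) -End $now |
    Select-Object -First 10
```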

Required Parameters

-ResourceGroupName

The name of the resource group that contains the workspace.

Type: String
Position: 0
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-WorkspaceName

Specifies a workspace name.

Type: String
Aliases: Name
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

Optional Parameters

-End

End of the queried time range.

Type: DateTime
Position: 7
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-Id

If an ID is given, the search results for that ID are retrieved using the original query parameters.

Type: String
Position: 8
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-PostHighlight

Type: String
Position: 4
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-PreHighlight

Type: String
Position: 3
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-Query

The search query that will be executed.

Type: String
Position: 5
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-Start

Start of the queried time range.

Type: DateTime
Position: 6
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

-Top

The maximum number of results to be returned, limited to 5000.

Type: Int64
Position: 2
Default value: 10
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

Outputs

PSSearchGetSearchResultsResponse

The PSSearchGetSearchResultsResponse object has a Value property that contains the records returned from the search in JSON format and a Metadata property that contains information about the results of the search.