You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error events from a table named Event. Which query should you run in Workspace1?
A.
Get-Event Event | where {$_.EventType == "error"}
B.
Event | search "error"
C.
select * from Event where EventType == "error"
D.
search in (Event) * | where EventType -eq "error"
C. select * from Event where EventType == "error"
This query selects all columns (*) from the "Event" table where the EventType column is equal to "error". It effectively filters the rows in the "Event" table to only those where the EventType is "error", which is what you need to view the error events.
The reason why it’s not B. Event | search "error" is that this query selects all records from the "Event" table and then filters them for the string "error". While this query might work in some contexts, it doesn't directly filter based on the EventType column being "error". It searches for the string "error" within all columns.
The correct query to view error events from a table named "Event" in Azure Log Analytics workspace is:
C. select * from Event where EventType == "error"
This query will retrieve all the records from the "Event" table where the EventType is equal to "error," allowing you to view only the error events.
That's not valid KQL; try it with this sample code:
let MyInMemoryTable = datatable(EventType: string, EventMessage: string, EventTime: datetime)
[
"error", "Something bad occurred in the application.", datetime(2024-01-09T13:00:00),
"warning", "A warning was logged by the application, be careful of error", datetime(2024-01-09T14:00:00),
"info", "Informational message from the application.", datetime(2024-01-09T15:00:00),
"error", "Oh noes occurred in the application.", datetime(2024-01-09T16:00:00)
];
SELECT * FROM (MyInMemoryTable) where EventType == "error"
C. select * from Event where EventType == "error"
To view the error events from a table named Event in the Azure Log Analytics workspace named Workspace1, you should run the query:
select * from Event where EventType == "error"
This query selects all the columns (*) from the Event table where the EventType is equal to "error". It will retrieve all the error events from the Event table in Workspace1.
The other options provided are not valid for querying data in Azure Log Analytics. They do not use the correct syntax or functions for querying data in Log Analytics.
select * from Event where EventType == "error" is an example of SQL (Structured Query Language), whereas Log Analytics uses KQL (Kusto Query Language). The correct answer is B.
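The difference between free-text search and a column filter, which the thread above argues about, shown as an added KQL example that is not part of the original page or any commenter's post. The table name SampleEvents, its rows and the Query label column are constructed for illustration, modelled on the in-memory table posted above.

```kql
// Constructed sample data: note the "warning" row whose message mentions "error".
let SampleEvents = datatable(EventType: string, EventMessage: string, EventTime: datetime)
[
    "error",   "Something bad occurred in the application.",                   datetime(2024-01-09T13:00:00),
    "warning", "A warning was logged by the application, be careful of error", datetime(2024-01-09T14:00:00),
    "info",    "Informational message from the application.",                  datetime(2024-01-09T15:00:00),
    "error",   "Oh noes occurred in the application.",                         datetime(2024-01-09T16:00:00)
];
// Option B style: the term is matched case-insensitively in every column,
// so the warning row is returned along with the two error rows.
let FreeText = SampleEvents
    | search "error"
    | extend Query = 'search "error"';
// search restricted to one column with an exact match.
let ColumnSearch = SampleEvents
    | search EventType == "error"
    | extend Query = 'search EventType == "error"';
// where filter on the column; == is case-sensitive, =~ is the case-insensitive form.
let ColumnFilter = SampleEvents
    | where EventType == "error"
    | extend Query = 'where EventType == "error"';
// One result row per query form: how many rows it returned and which EventType values.
union FreeText, ColumnSearch, ColumnFilter
| summarize Rows = count(), EventTypes = make_set(EventType) by Query
| order by Query asc
```

When only rows of one event type are wanted, the column-scoped forms avoid pulling in records that merely mention the word in a message field.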