Azure Question posted in
The official documentation to get you started can be found here.

Azure – Create a custom list of servers

In Azure Monitoring logs, I have a whole bunch of data being passed from numerous servers and I want to be able to filter out certain records based on the server name being in a list of servers

Something like

AppMessages_CL
| where event contains "memory"
| extend x = parse_json(tostring(event))
| where x.daemon in table('List_of_Servers')
| extend y = parse_json(tostring(x.msg))
| where toint(substring(tostring(y.memory), 0, 3)) >= 200

The problem is that I can’t find any method of storing a static list of server names that I can just refer to.

I can embed the list in the query but I’d prefer to have one single central list for all the different queries.

Any hints would be greatly appreciated.

Tags:

2

Answers


  1. 0

    The problem is that I can’t find any method of storing a static list of server names that I can just refer to.

    You can do that by using below way:

    Firstly, create Data Collection Endpoint in Monitor in the same region as the Log Analytics Workspace:

    enter image description here

    Then in Log Analytics Workspace, In Table section Create a table using DCR:

    enter image description here

    Then provide a name and create a new data collection rule:

    enter image description here

    Then select the endpoint created before:

    enter image description here

    Then provide the json file, in which you want to store the server list:

    enter image description here

    My sample json file contains:

    [
  {
    "ServerName": "Rith_Server1"
  },
  {
    "ServerName": "Cho_Server2"
  },
  {
    "ServerName": "Test_Server3"
  },
  {
    "ServerName": "Don_Server4"
  },
  {
    "ServerName": "T_Server5"
  }
]

    then it looks like below and click on next:

    enter image description here

    Then table gets created:

    enter image description here

    Or you can also create table using code. Also check this test-fiddle with let.

    Login or Signup to reply.
  2. 0

    Some more options not listened in the other answer:

    Azure Storage

    Create a CSV file and put in a blob container, you can then reference it like this using a Shared Access Signature:

    let servers = externaldata(serverid:string, servername:string])  [h@"https://xxx.blob.core.windows.net/data.csv?<INSERT-SASTOKEN-HERE>  with(format="csv");
AppMessages_CL
| where event contains "memory"
| extend x = parse_json(tostring(event))
| extend daemon = tostring(x.daemon)
| join kind=inner (servers) on $left.daemon = $right.servername 
| extend y = parse_json(tostring(x.msg))
| where toint(substring(tostring(y.memory), 0, 3)) >= 200

    In memory table

    let servers = datatable(servername:string)
[
   "server1",
   "server2",
   "server3",
];
AppMessages_CL
| where event contains "memory"
| extend x = parse_json(tostring(event))
| where x.daemon in (servers)
| extend y = parse_json(tostring(x.msg))
| where toint(substring(tostring(y.memory), 0, 3)) >= 200
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search