Roelof
Reputation: 121
Saving a query for azure log analytics inside a (custom) query pack using Terraform
In order to save a query for a log analytics workspace using Terraform we can use the
azurerm_log_analytics_saved_search resource.
However, it seems that it is using the 'legacy query' option.
We have a policy on resource groups with obligatory tags, so creation of the default query pack fails, and I'd like to save a query to a custom query pack, is there a Terraform resource that is able to do this?
(The atm alternative is using the Azure CLI)
minimal example:
# create a resource group
resource "azurerm_resource_group" "example" {
name = "query-pack-tf"
location = "westeurope"
}
# create a log analytics workspace
resource "azurerm_log_analytics_workspace" "example" {
name = "workspace-01"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
}
# create a query pack
resource "azurerm_log_analytics_query_pack" "default" {
name = "pack-test"
resource_group_name = azurerm_resource_group.example.name
location = "westeurope"
}
# A resources that uploads a query to azure - there seems to be no way to save to any query pack
#-> this is the legacy way to save queries
resource "azurerm_log_analytics_saved_search" "example" {
name = "example-query"
log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
category = "Custom Logs"
display_name = "Example Query"
query = <<QUERY
// Your query logic goes here
// For example:
AzureDiagnostics
QUERY
}
Upvotes: 0
Views: 989
Answers (1)
Roelof
Reputation: 121
This is possible using azurerm_log_analytics_query_pack_query
If you add this snippet to the code example it should save to the query pack:
resource "azurerm_log_analytics_query_pack_query" "example" {
name = "19952bc3-0bf9-49eb-b713-6b80e7a41847"
query_pack_id = azurerm_log_analytics_query_pack.default.id
body = "let newExceptionsTimeRange = 1d;\nlet timeRangeToCheckBefore = 7d;\nexceptions\n| where timestamp < ago(timeRangeToCheckBefore)\n| summarize count() by problemId\n| join kind= rightanti (\nexceptions\n| where timestamp >= ago(newExceptionsTimeRange)\n| extend stack = tostring(details[0].rawStack)\n| summarize count(), dcount(user_AuthenticatedId), min(timestamp), max(timestamp), any(stack) by problemId \n) on problemId \n| order by count_ desc\n"
display_name = "Exceptions - New in the last 24 hours"
}
Then in order to find the query inside log analytics do the following:
- select Queries (right top)
- select '1 selected'
- tick the desired query pack
- go back to log analytics interface
- click dropdown and select 'query type'
- find your query pack query under 'Query pack'
Upvotes: 0
Related Questions
- Can't create data collection rule for Azure log analytics using Terraform - missing Terraform options?
- Sent the Postgresql query result to Log Analytics workspace to create custom metric in Azure Monitor
- How to get Custom Log tables from Azure Log Analytics Workspace through PowerShell script?
- Azure log analytics Azure Synapse integration
- Azure Terraform Build Generic Components using Infrastructure as Code
- How to implement Azure Monitoring Alert VM Heartbeat with Log Workspace using Terraform
- Create Insights Log query from Azure cli not Log Monitor saved search
- Is it possible to query Azure data warehouse within log analytics
- Run Azure Log Analytics query against Application Insights instances