Azure Log Analytics Workspaces query missing Update table

John Biggston 71 Reputation points
2023-09-05T15:53:53.9266667+00:00

I'm attempting to run some queries against a workspace in Log Analytics, and I keep coming up against the same problem, namely, missing tables. For example, If I open Log Analytics workspaces, select a workspace that I have previously configured and then go to logs and then to the Queries tab, I can see several pre-canned queries. I'm interested in seeing information on systems which are missing updates, so I select the query "Missing Security or critical updates". This runs the query:

 Update
| where Classification in ("Security Updates", "Critical Updates")
| where UpdateState == 'Needed' and Optional == false and Approved == true
| summarize count() by Classification, Computer, _ResourceId

When I run this I get:

'where' operator: Failed to resolve table or column expression named 'Update' Request id: 620fec7e-5703-4694-aa38-6e4e205a3d6e

If I look under Tables, I dont see anything called "Update" so that makes sense, but I have no idea how to enable that or add that table.

Any thoughts on how to get this working?

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,961 questions
Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
1,301 questions
Microsoft Intune Updates
Microsoft Intune Updates
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Updates: Broadly released fixes addressing specific issue(s) or related bug(s). Updates may also include new or modified features (i.e. changing default behavior).
90 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. AnuragSingh-MSFT 21,236 Reputation points
    2023-09-06T10:53:49.85+00:00

    @John Biggston , thank you for posting this question. The following information should help you regarding the query:

    1. Note that the tables in LA workspace are only visible if they have some data in it. Therefore, sometimes even the most common tables (like heartbeat) are invisible if there are no data in it. However, this does not mean that the query would fail (as posted in the question above). It simply means that the query would return something as below:

    User's image

    1. It might be possible that, the scope selected for log queries is incorrect. Please ensure that you are selecting the correct workspace

    User's image

    1. It might also be possible that the "legacy solution" which contains this table is not installed or was deleted. The Update table is not present in the default set of tables of LA workspace. It table is part of certain solutions (or solution packs) which are installed on LA workspace when performing certain actions. In the current case, when you connect LA workspace with Azure automation account for Azure Automation Update Management, the "Updates" solution is automatically installed. For details, see Update. It appears that none of the solutions which contain this table exist on this LA workspace, therefore you are getting the error. You can verify that from "Log Analytics Workspace" --> "Legacy Solutions" resource menu
    2. Another possibility could also be that the query being written in the log section has certain non-visible characters, which prevent the query execution. I would suggest typing a simple query like "Update | take 5" to see if you still get the error.

    Hope this helps.

    If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.

    2 people found this answer helpful.