Querying Azure activities with subscription names

Julien Allaix 0 Reputation points
2024-11-07T10:53:57.31+00:00

Hello,

I'm trying to list Azure activities in my Log Analytics workspace, and need the subscription name to be displayed.

With my current KQL request:

AzureActivity
| extend subscriptionId = SubscriptionId
| join kind=inner (
    arg("").ResourceContainers
    | where type == 'microsoft.resources/subscriptions'
    | project subscriptionId, subscriptionName = name
  ) on subscriptionId

Azure responds with the following answer: "Some aspects of the query had errors so the results are not complete. If the issue persists, please open a support ticket. Request id: 23323d56-22e4-490c-b15f-3398a513054f"

As I currently only have a basic support plan, I'm asking here...


1 answer

  1. Alistair Ross 7,136 Reputation points Microsoft Employee
    2024-11-07T11:44:30.4866667+00:00

    Hi @Julien Allaix, there are a few things I would change to make this run, but also to be aware of.

    1. Start with getting your subscriptions. This should be on the left side of the join as it will be the smaller data set. I've used a project to only pass the columns we want, but also to rename them for ease and clarity at the same time. As you are using the arg() operator, it will return data based on your read permissions.
    arg("").ResourceContainers
    | where type == "microsoft.resources/subscriptions"
    | project SubscriptionName = name, SubscriptionId = subscriptionId
    
    
    1. Now get your activity logs. Ensure you put in any relevant filters, such as TimeGenerated, OperationNameValue, ActivityStatusValue etc. This will optimize the query speed.
    AzureActivity
    | where TimeGenerated >ago(7d)
    
    1. Now join it all together.
    arg("").ResourceContainers
    | where type == "microsoft.resources/subscriptions"
    | project SubscriptionName = name, SubscriptionId = subscriptionId
    | join kind=inner (
        AzureActivity
        | where TimeGenerated >ago(7d)
    ) on SubscriptionId
    | project-away SubscriptionId1
    
    1. Just be aware of the join flavour: as you have used an inner join, you will only return results for the subscriptions you have read access to, but the workspace can contain data from workspaces that you cannot read. Here I've used a rightouter join to return all activity logs, regardless of what subscriptions I can read, and I've used a little logic to populate the name with the id if it doesn't exist due to my permissions to read it.
    arg("").ResourceContainers
    | where type == "microsoft.resources/subscriptions"
    | project SubscriptionName = name, SubscriptionId = subscriptionId
    | join kind=rightouter   (
        AzureActivity
        | where TimeGenerated >ago(7d)
    ) on SubscriptionId
    | extend SubscriptionId = SubscriptionId1
    | project-away SubscriptionId1
    | extend SubscriptionName = iff(isempty(SubscriptionName), SubscriptionId, SubscriptionName)
    
    
    1. Just a little extra: I'm a big fan of using let statements for either side of my joins for clarity, but also for testing.
    let Subscriptions = 
        arg("").ResourceContainers
        | where type == "microsoft.resources/subscriptions"
        | project SubscriptionName = name, SubscriptionId = subscriptionId
    ;
    let Logs = 
        AzureActivity
        | where TimeGenerated >ago(1d)
        | summarize arg_max(TimeGenerated, * ) by SubscriptionId
    ;
    Subscriptions
    | join kind = rightouter (
        Logs
    ) on SubscriptionId
    | extend SubscriptionId = SubscriptionId1
    | project-away SubscriptionId1
    | extend SubscriptionName = iff(isempty(SubscriptionName), SubscriptionId, SubscriptionName)
    

    Hope this helps

    Alistair

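An added example, not part of the original answer: it runs the rightouter join described above over constructed `datatable` rows, so it works in any KQL query window without `arg()` or workspace data. The subscription IDs, names and callers are made up, and the `NameResolved` column is a hypothetical addition that marks activity an inner join would have silently dropped.

```kql
// Constructed stand-in for arg("").ResourceContainers: only the
// subscriptions the caller can read are returned.
let Subscriptions = datatable(SubscriptionName:string, SubscriptionId:string)
[
    "prod-constructed", "00000000-0000-0000-0000-000000000001",
    "dev-constructed",  "00000000-0000-0000-0000-000000000002"
];
// Constructed stand-in for AzureActivity: the workspace also holds events
// from a third subscription that the caller has no read access to.
let Logs = datatable(TimeGenerated:datetime, SubscriptionId:string,
                     OperationNameValue:string, ActivityStatusValue:string, Caller:string)
[
    datetime(2024-11-07 09:00:00), "00000000-0000-0000-0000-000000000001",
        "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Success", "alice@example.invalid",
    datetime(2024-11-07 09:05:00), "00000000-0000-0000-0000-000000000001",
        "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "Failure", "alice@example.invalid",
    datetime(2024-11-07 09:10:00), "00000000-0000-0000-0000-000000000002",
        "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Success", "bob@example.invalid",
    datetime(2024-11-07 09:15:00), "00000000-0000-0000-0000-000000000003",
        "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "Success", "carol@example.invalid",
    datetime(2024-11-07 09:20:00), "00000000-0000-0000-0000-000000000003",
        "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "Success", "carol@example.invalid"
];
Subscriptions
| join kind=rightouter (
    Logs
) on SubscriptionId
// Record whether the name lookup matched before the fallback overwrites it.
| extend NameResolved = isnotempty(SubscriptionName)
// Unmatched rows have an empty left-side key, so keep the log's own id.
| extend SubscriptionId = SubscriptionId1
| project-away SubscriptionId1
| extend SubscriptionName = iff(NameResolved, SubscriptionName, SubscriptionId)
// One row per subscription; unresolved subscriptions sort first.
| summarize Events = count(), Callers = dcount(Caller), LastSeen = max(TimeGenerated)
    by SubscriptionId, SubscriptionName, NameResolved
| order by NameResolved asc, Events desc
```

To run it against real data, replace the two `datatable` definitions with the `Subscriptions` and `Logs` let statements from the answer.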
