Cannot create scheduled-query via az cli - how does the condition parse?

Question

I'm trying to set a log query alert through the az cli but I cannot for the life of me get the --condition option to accept a query with a quote in it.

E.g.:

az monitor scheduled-query create -n "Log Alert" -g rg --scopes /subscriptions/xxxx/resourceGroups/xxxx/providers/microsoft.insights/components/ai --condition "count 'customEvents | where name == "Event" ' > 360" --description "Check something"

But I just get this error:

cli.azure.cli.core.azclierror : BadRequestError: BadRequest: {
  "error": {
    "message": "The request had some invalid properties",
    "code": "BadArgumentError",
    "correlationId": "xxxx",
    "innererror": {
      "code": "SemanticError",
      "message": "A semantic error occurred.",
      "innererror": {
        "code": "SEM0100",
        "message": "'where' operator: Failed to resolve scalar expression named 'Event'"
      }
    }
  }
}
BadRequestError: BadRequest: {
  "error": {
    "message": "The request had some invalid properties",
    "code": "BadArgumentError",
    "correlationId": "xxxx",
    "innererror": {
      "code": "SemanticError",
      "message": "A semantic error occurred.",
      "innererror": {
        "code": "SEM0100",
        "message": "'where' operator: Failed to resolve scalar expression named 'Event'"
      }
    }
  }
}

I'm copying the example on the docs https://learn.microsoft.com/en-us/cli/azure/ext/scheduled-query/monitor/scheduled-query?view=azure-cli-latest#ext_scheduled_query_az_monitor_scheduled_query_create but I can't find the right combination of quote marks or escape characters to get this to parse, I've tried from a windows powershell and a bash cloud shell but that makes no difference.

if the answer is helpful, could you please accept it as answer? — Ivan Glasenberg, Jan 27 '21 at 02:03

Harshita Singh · Answer 1 · 2021-01-29T06:50:48.417

0

This is because you probably don't have Events table in Schema that can be checked under 'Logs' tile of your Log Analytics workspace:

Further, check if you have followed Collect Windows event log data sources with Log Analytics agent to setup logs.

Check out GitHub issue#38928 around same issue.

Edit:

I reached out to the PG and got to know that this is a known issue and it will be fixed in this PR. Pls note that it's in review stage and will be released soon.

edited Jan 29 '21 at 06:50

answered Jan 22 '21 at 18:38

Harshita Singh

4,590
1
10
13

I'm not sure that makes much difference here, the table I'm searching on is customEvents and the column is name, I can run my query ok in the portal, I can also make the alert ok using the portal UI, just not the az cli command. https://imgur.com/a/fgDIddp – mattb Jan 23 '21 at 08:50
Are you running command on right subscription? – Harshita Singh Jan 23 '21 at 09:27
You should have Event table as well. Your error message says : "'where' operator: Failed to resolve scalar expression named 'Event'" – Harshita Singh Jan 23 '21 at 09:28
"Event" is the search term, I'm looking in the customEvents table of application insights, if I change the condition to look like this I still get the same error `--condition "count 'customEvents | search "Event" ' > 360"` – mattb Jan 23 '21 at 11:38
Are you running `--condition "count 'customEvents | search "Event" ' > 360"` command in your Portal UI? Because the screenshot you shared has some other query which does not have `Event` in it. – Harshita Singh Jan 25 '21 at 07:03
1

I'm running `customEvents | search "Event" ` in the portal UI - wrapping it in a count errors - but event is the search term, not a table - this is application insights I'm searching if that helps. – mattb Jan 25 '21 at 08:49
Ok, let me circle back to the product group and let you know a solution. – Harshita Singh Jan 25 '21 at 10:55
3

Good News: I reached out to the PG and got to know that this is a known issue and it will be fixed in this PR: https://github.com/Azure/azure-cli-extensions/pull/2904/files. Pls note that it's in review stage and will be released soon. – Harshita Singh Jan 28 '21 at 05:31
If this answer helps, could you accept it as an answer to help the community? – Harshita Singh Jan 29 '21 at 06:51

score 0 · Answer 2 · answered Jan 25 '21 at 09:44

I suspect the new feature of creating scheduled query via cli is not available. I found an issue that mentions this code is not merged into master branch.

To escape double quotes for "Event", you can modify it as \"Event\". And then run the command, you will get an error message which provides the usage of --condition. But I tried many ways as per this tips, no good luck. Regards the issue mentioned above, I though it's currently impossible to create it via azure cli.

If azure cli is not a must, you can try use azure powershell New-AzScheduledQueryRule cmdlet.

Cannot create scheduled-query via az cli - how does the condition parse?

2 Answers2

Edit: