Querying Log Analytics So That It Returns a List of All Table Names

2
votes

I am using Python to call queries against my Azure Log Analytics Workspace. In order to provide maximum scalability, I would like to implement a query which returns all table names within my Log Analytics workspace. Essentially, I would like to generate a list of all the table names, so I can make calls to them later in my python script.

I have tried a few different queries. For example:

Search * | distinct $table

Instead of getting a list of tables, such as: 

[
  {
    "$table": "ExampleTable"
  }
]

I get an error message:

{'error': 
    {
           'message': 'The request had some invalid properties', 'code': 'BadArgumentError', 'innererror': 
           {
               'code': 'SyntaxError', 'message': 'Syntax Error'
           }
    }
}

Any suggestions/examples would be greatly appreciated. Thank you!

UPDATE:

After once again visiting the Azure Log Analytics REST API website, I decided to spend some time messing around with the built-in API explorer tool. It was there that I was able to successfully query the example workspace for a list of tables. I was able to do this using a couple different queries:

search * | distinct $table
search * | distinct Type

While both of these queries worked perfectly within the example environment, they both still continue to fail me within my own environments. Both my python app, as well as my Azure LogicApp continue to receive syntax errors whenever I send the same query which returns perfect results in the API explorer. I continue to be boggled by this issue. Here is the site for the API Explorer for those who would like to test this: https://dev.loganalytics.io/apiexplorer/query?appId=DEMO_WORKSPACE&apiKey=DEMO_KEY

Also, to answer the obvious question: yes, I have the rest of the API connection set up correctly. I can and do make other queries successfully, both in the Python application and in the LogicApp workflow. It just seems to be this particular one that is giving me issues.

Lastly, in case it helps, this is the error message I continue to receive whenever I make the query: 

{'error': {'message': 'The request had some invalid properties', 'code': 'BadArgumentError', 'innererror': {'code': 'SyntaxError', 'message': 'Syntax Error'}}}
4
pythonpython-requestsadalazure-log-analyticsazure-data-explorer

4 Answers

1
votes

With regards to the Kusto-query-language part of the question, Search should be search (lowercase s)

1
votes

I didn't dig deep but it definitely looks like issue with Python understanding of '$' in your query. May be we have to explicitly call API in a way that we tell Python to escape '$' in this scenario.

However, you may use below query to accomplish your requirement.

search * | distinct Type

One other note is, as the Log Analytics query language has changed to a newer version so make sure you use the latest available API. The new API documentation is available at https://dev.loganalytics.io/

Hope this helps!! Cheers!!

Note: If you think your question has been answered then please 'accept' it, if just helped then please click "This answer is useful" and provide an up vote. This can be beneficial to other community members reading this thread.

1
votes

Please notice that search * | distinc will not give you all the tables in your workspace, only the ones that contain at least a record. Otherwise, they will not appear in the results of the search *, and therefore not in the distinct query as well.

Please checkout this API to get the workspace's schema: https://docs.microsoft.com/en-us/rest/api/loganalytics/workspaces%202015-03-20/getschema

1
votes
search "*" | summarize count() by $table | sort by count_ desc

this shows you every table, sorted by the count of logs landing in it.