Note

Access to this page requires authorization. You can try signing in or .

Access to this page requires authorization. You can try .

Microsoft.OperationalInsights workspaces/savedSearches 2020-08-01

Bicep resource definition

The workspaces/savedSearches resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.OperationalInsights/workspaces/savedSearches resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
 parent: resourceSymbolicName
 etag: 'string'
 name: 'string'
 properties: {
 category: 'string'
 displayName: 'string'
 functionAlias: 'string'
 functionParameters: 'string'
 query: 'string'
 tags: [
 {
 name: 'string'
 value: 'string'
 }
 ]
 version: int
 }
}

Property Values

Microsoft.OperationalInsights/workspaces/savedSearches

Name Description Value
etag The ETag of the saved search. To override an existing saved search, use "*" or specify the current Etag string
name The resource name string (required)
parent In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource.

For more information, see Child resource outside parent resource.		 Symbolic name for resource of type: workspaces
properties The properties of the saved search. SavedSearchProperties (required)

SavedSearchProperties

Name Description Value
category The category of the saved search. This helps the user to find a saved search faster. string (required)
displayName Saved search display name. string (required)
functionAlias The function alias if query serves as a function. string
functionParameters The optional function parameters if query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax please refer to /azure/kusto/query/functions/user-defined-functions. string
query The query expression for the saved search. string (required)
tags The tags attached to the saved search. Tag[]
version The version number of the query language. The current version is 2 and is the default. int

Tag

Name Description Value
name The tag name. string (required)
value The tag value. string (required)

Usage Examples

Bicep Samples

A basic example of deploying Log Analytics (formally Operational Insights) Saved Search.

param resourceName string = 'acctest0001'
param location string = 'westeurope'

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
 name: resourceName
 location: location
 properties: {
 features: {
 disableLocalAuth: false
 enableLogAccessUsingOnlyResourcePermissions: true
 }
 publicNetworkAccessForIngestion: 'Enabled'
 publicNetworkAccessForQuery: 'Enabled'
 retentionInDays: 30
 sku: {
 name: 'PerGB2018'
 }
 workspaceCapping: {
 dailyQuotaGb: -1
 }
 }
}

resource savedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
 name: resourceName
 parent: workspace
 properties: {
 category: 'Saved Search Test Category'
 displayName: 'Create or Update Saved Search Test'
 functionAlias: ''
 query: 'Heartbeat | summarize Count() by Computer | take a'
 tags: []
 }
}

ARM template resource definition

The workspaces/savedSearches resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.OperationalInsights/workspaces/savedSearches resource, add the following JSON to your template.

{
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
 "apiVersion": "2020-08-01",
 "name": "string",
 "etag": "string",
 "properties": {
 "category": "string",
 "displayName": "string",
 "functionAlias": "string",
 "functionParameters": "string",
 "query": "string",
 "tags": [
 {
 "name": "string",
 "value": "string"
 }
 ],
 "version": "int"
 }
}

Property Values

Microsoft.OperationalInsights/workspaces/savedSearches

Name Description Value
apiVersion The api version '2020-08-01'
etag The ETag of the saved search. To override an existing saved search, use "*" or specify the current Etag string
name The resource name string (required)
properties The properties of the saved search. SavedSearchProperties (required)
type The resource type 'Microsoft.OperationalInsights/workspaces/savedSearches'

SavedSearchProperties

Name Description Value
category The category of the saved search. This helps the user to find a saved search faster. string (required)
displayName Saved search display name. string (required)
functionAlias The function alias if query serves as a function. string
functionParameters The optional function parameters if query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax please refer to /azure/kusto/query/functions/user-defined-functions. string
query The query expression for the saved search. string (required)
tags The tags attached to the saved search. Tag[]
version The version number of the query language. The current version is 2 and is the default. int

Tag

Name Description Value
name The tag name. string (required)
value The tag value. string (required)

Usage Examples

Azure Quickstart Templates

The following Azure Quickstart templates deploy this resource type.

Template Description
OMS - Azure VM Inventory Solution

👁 Deploy to Azure
 Enables Azure VM Inventory Solution in OMS. Solution collects Azure VM inventory along with disks, networking components, NSG rules and extensions into OMS workspace.
OMS Kemp Application Delivery

👁 Deploy to Azure
 Kemp Application Delivery solution for OMS

Terraform (AzAPI provider) resource definition

The workspaces/savedSearches resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.OperationalInsights/workspaces/savedSearches resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
 type = "Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01"
 name = "string"
 parent_id = "string"
 body = {
 etag = "string"
 properties = {
 category = "string"
 displayName = "string"
 functionAlias = "string"
 functionParameters = "string"
 query = "string"
 tags = [
 {
 name = "string"
 value = "string"
 }
 ]
 version = int
 }
 }
}

Property Values

Microsoft.OperationalInsights/workspaces/savedSearches

Name Description Value
etag The ETag of the saved search. To override an existing saved search, use "*" or specify the current Etag string
name The resource name string (required)
parent_id The ID of the resource that is the parent for this resource. ID for resource of type: workspaces
properties The properties of the saved search. SavedSearchProperties (required)
type The resource type "Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01"

SavedSearchProperties

Name Description Value
category The category of the saved search. This helps the user to find a saved search faster. string (required)
displayName Saved search display name. string (required)
functionAlias The function alias if query serves as a function. string
functionParameters The optional function parameters if query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax please refer to /azure/kusto/query/functions/user-defined-functions. string
query The query expression for the saved search. string (required)
tags The tags attached to the saved search. Tag[]
version The version number of the query language. The current version is 2 and is the default. int

Tag

Name Description Value
name The tag name. string (required)
value The tag value. string (required)

Usage Examples

Terraform Samples

A basic example of deploying Log Analytics (formally Operational Insights) Saved Search.

terraform {
 required_providers {
 azapi = {
 source = "Azure/azapi"
 }
 }
}

provider "azapi" {
 skip_provider_registration = false
}

variable "resource_name" {
 type = string
 default = "acctest0001"
}

variable "location" {
 type = string
 default = "westeurope"
}

resource "azapi_resource" "resourceGroup" {
 type = "Microsoft.Resources/resourceGroups@2020-06-01"
 name = var.resource_name
 location = var.location
}

resource "azapi_resource" "workspace" {
 type = "Microsoft.OperationalInsights/workspaces@2022-10-01"
 parent_id = azapi_resource.resourceGroup.id
 name = var.resource_name
 location = var.location
 body = {
 properties = {
 features = {
 disableLocalAuth = false
 enableLogAccessUsingOnlyResourcePermissions = true
 }
 publicNetworkAccessForIngestion = "Enabled"
 publicNetworkAccessForQuery = "Enabled"
 retentionInDays = 30
 sku = {
 name = "PerGB2018"
 }
 workspaceCapping = {
 dailyQuotaGb = -1
 }
 }
 }
 schema_validation_enabled = false
 response_export_values = ["*"]
}

resource "azapi_resource" "savedSearch" {
 type = "Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01"
 parent_id = azapi_resource.workspace.id
 name = var.resource_name
 body = {
 properties = {
 category = "Saved Search Test Category"
 displayName = "Create or Update Saved Search Test"
 functionAlias = ""
 query = "Heartbeat | summarize Count() by Computer | take a"
 tags = [
 ]
 }
 }
 schema_validation_enabled = false
 response_export_values = ["*"]
}

Feedback

Was this page helpful?

Additional resources

  • Last updated on