One of the questions I am frequently asked is how we can effectively determine what resources are sending data to a particular Log Analytics Workspace. Those who are administrators of Azure will know that most subscriptions will eventually contain Log Analytics Workspaces as shown in the list and screenshot below:
- DefaultWorkspace-d3f0e229-2fcd-45df-a791-614ba183e648-canadaea
- DefaultWorkspace-d3f0e229-2fcd-45df-a791-614ba183e648-CCAN
- DefaultWorkspace-d3f0e229-2fcd-45df-a791-614ba183e648-EUS
This isn’t the fault of poor management as many resources such as Insights would automatically default to these types of workspaces when they are enabled.
Attempting to browse the blades in these Log Analytics Workspaces will not allow us to easily determine what resources in Azure are sending data to the Log Analytics Workspace:
While it is possible to review the type of tables created and if the schema and data stored is known, then we could possibly query the data for the resources but this can be prone to errors causing resources to be missed:
Trying to search for how to achieve this lead me to the PowerShell cmdlet: Get-AzOperationalInsightsDataSource (https://learn.microsoft.com/en-us/powershell/module/az.operationalinsights/get-azoperationalinsightsdatasource?view=azps-10.2.0) but this did not allow me to obtain the information I needed.
What I ended up thinking of was whether it was possible to use Resource Graph Explorer to retrieve this information and after viewing the properties of a resource that I need was sending logs to a Logs Analytics Workspace, I was able to confirm that it could be done.
The following the is properties of a Function App:
If we scroll down the properties of the resource, we will find the following name/value pair:
Name: "WorkspaceResourceId"
Value: "/subscriptions/dxxxxxx9-2fcd-xxxx-a791-xxxxxxxxe648/resourceGroups/DefaultResourceGroup-CCAN/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-d3f0e229-2fcd-45df-a791-614ba183e648-CCAN",
Validating that a resource would have the Log Analytics Workspace defined in its properties, we can use the following query to list all resources that contain this property:
resources
| where properties.WorkspaceResourceId == "/subscriptions/d3xxxxx-2fcd-xxxx-xxxx-6xxxxxe648/resourceGroups/DefaultResourceGroup-CCAN/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-d3f0e229-2fcd-45df-a791-614ba183e648-CCAN"
| project name
Note that if you do not know of at least one resource that uses the Log Analytics Workspace, we can retrieve the WorkspaceResourceId of the workspace by navigating to the Log Analytics Workspace in portal.azure.com and copying the string from the URL:
I hope this helps anyone who may be looking for this information as I did but unable to find an easy way to achieve this.
No comments:
Post a Comment