Programmatically Search Operations Management Suite

Automation, Azure, Azure Operational Insights Preview, Hybrid Security, Log Analytics, Microsoft, Operational Insights, Operations Management Suite, PowerShell, Script, Software, System Center, System Center Operations Manager, Windows 3 Minutes

At Ignite Jo Chan showed us how we can now execute Search queries trough Operations Management Suite API which is basically Azure Resource Manager API. He demonstrated that with a tool called ARMClient. That tool seems nice but I wanted to get results with PowerShell as it is more familiar to me.

Searching over Internet I’ve found ARMPowerShell Module. I’ve installed the module and with simple command like Connect-ARM I was able to authenticate. Look trough Jo’s examples from Ignite I’ve managed to get results with the following commands:

Connect-ARM
$Subscription = $ARMSubscriptions.Values | where {$_.DisplayName -eq “Visual Studio Ultimate with MSDN”}
$ResourceGroupName = “oi-default-east-us”
$OMSWorkspace = “test-stan”
$SubscriptionID = $Subscription.subscriptionId
$BaseSavedSearches = “/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$OMSWorkspace/savedSearches”

$OMSSavedSearches = Execute-ARMQuery -SubscriptionId $SubscriptionID -HTTPVerb       Get
-Base           $BaseSavedSearches `
-APIVersion     “2014-10-10”

$BaseSearch = “/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$OMSWorkspace/search”
$Query = “shutdown Type=Event EventLog=System Source=User32 EventID=1074 | Select TimeGenerated,Computer”
$OMSSearchResult = Execute-ARMQuery  -SubscriptionId $SubscriptionID -HTTPVerb       Post
-Base           $BaseSearch -Data           @{Query=$Query}
-APIVersion     “2014-10-10”

Unfortunately this module requires some user interaction. For example Connect-ARM pops up a prompt for entering your credentials. And I’ve wanted to be able to query the OMS API from Azure Automation. This lead me to writing my own small OMS module.

First I needed to find a way to authenticate and get token so I can execute web requests with Invoke-WebRequest. On StackOverflow I’ve found the following code. This allows me to get token from Azure AD. What I’ve needed is to load ADAL assembly. In my module I’ve wrote a function Import-ADALDll to do that. For that function and for the Azure Automation module I borrowed some code from my friend and fellow MVP Tao Yang. To get Token I’ve wrote a separate function called Get-AADToken. Now that I have those two pieces in hand I’ve wrote two other functions:

  • Get-OMSSavedSearches – This will return all Saved Searches in your OMS workspace. I thought that it will be useful as you can get the actual query and use it later. Result is returned as object.
  • Execute-OMSSearchQuery – With this function you will be able to execute queries. Simple as that. Results are returned as object.

The module I’ve created is called OMSSearch and you can find it in GitHub along with small documentation.

After you archive the files from Github into OMSSearch.zip file you can upload that file as module in Azure Automation:

image

When the module is uploaded you will be able to create OMS Connection. OMS Connection probably is not the right term but here is how mine looks:

image

You have TenantADName which represents the UPN suffix that is attached to the accounts you create in your Azure AD. You will also create Azure AD account that has co-administrator rights in your subscription or owner/contributor rights on the resource group where your OMS workspaces is located.

You will enter the credentials for that account in the OMS Connection.

Besides those two there are some other prerequisites that you need to have. You can find those in the GItHub page.

After that a simple Runbook like this will returned saved searches:

workflow Get-SavedSearches
{
$OMSCon = Get-AutomationConnection -Name ‘stasoutlook’
$Token = Get-AADToken -OMSConnection $OMSCon
$subscriptionId = “3c1d68a5-4064-4522-94e4-e0378165555e”
$ResourceGroupName = “oi-default-east-us”
$OMSWorkspace = “test”    

    Get-OMSSavedSearches -OMSWorkspaceName $OMSWorkspace 
-ResourceGroupName $ResourceGroupName -SubscriptionID $subscriptionId
-Token $Token
}

image

The other example is with executing queries:

workflow Get-RestartedServers
{
$OMSCon = Get-AutomationConnection -Name ‘stasoutlook’
$Token = Get-AADToken -OMSConnection $OMSCon
$subscriptionId = “3c1d68a5-4064-4522-94e4-e03781655555e”
$ResourceGroupName = “oi-default-east-us”
$OMSWorkspace = “test”
$Query = ‘shutdown Type=Event EventLog=System Source=User32 EventID=1074 | Select TimeGenerated,Computer’

    Execute-OMSSearchQuery -SubscriptionID $subscriptionId -ResourceGroupName $ResourceGroupName   
-OMSWorkspaceName $OMSWorkspace -Query $Query
-Token $Token
}

image

Hope you will find this module useful until may be we have Azure cmdlets for OMS.

Published by Stanislav Zhelyazkov

Stanislav Zhelyazkov has been working in IT since 2007. Stanislav has started his IT career as a Help Desk Specialist in 2007 while studying Informatics in the University of Ruse. He also worked in HP Enterprise Services (now known as DXC), maintaining large corporate IT infrastructures for clients in Holland, Switzerland and Germany and was involved in a Private Cloud project based on MS Hyper-V and System Center. He was also in the role of Principal Consultant in Lumagate developing and consulting companies on Azure, OMS, management and Private clouds. Currently he is Cloud Infrastructure Engineer at Sentia Denmark. Stanislav is active community member at MSDN forums providing answers on Azure. His blogposts can be found at www.cloudadministrator.net or www.systemcentercentral.com.

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.