You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?
- A. Get-Event Event | where {$_.EventType == "error"}
- B. search in (Event) "error"
- C. select * from Event where EventType == "error"
- D. search in (Event) * | where EventType -eq "error"
Correct Answer: B
To search a term in a specific table, add the table-name just after the search operator
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1. Event | search "error"
2. Event | where EventType == "error"
3. search in (Event) "error"
Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventTye ג€"eq "error"}
2. Event | where EventType is "error"
3. search in (Event) * | where EventType ג€"eq "error"
4. select * from Event where EventType is "error"
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer