You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?
- A. Get-Event Event | where {$_.EventType == "error"}
- B. Event | search "error"
- C. select * from Event where EventType == "error"
- D. Event | where EventType is "error"
Correct Answer: B
The search operator provides a multi-table/multi-column search experience.
The syntax is:
Table_name | search "search term"
Note:
There are several versions of this question in the exam. The question has three possible correct answers:
1. search in (Event) "error"
2. Event | search "error"
3. Event | where EventType == "error"
Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventTye ג€"eq "error"}
2. Event | where EventType is "error"
3. select * from Event where EventType is "error"
4. search in (Event) * | where EventType ג€"eq "error"
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer