AZ-104 – Question 64

0
1148

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?

  • A. Get-Event Event | where {$_.EventType == "error"}
  • B. Event | search "error"
  • C. select * from Event where EventType == "error"
  • D. Event | where EventType is "error"

Correct Answer: B 
The search operator provides a multi-table/multi-column search experience.
The syntax is:
Table_name | search "search term"
Note:
There are several versions of this question in the exam. The question has three possible correct answers:
1. search in (Event) "error"
2. Event | search "error"
3. Event | where EventType == "error"
Other incorrect answer options you may see on the exam include the following:
1. Get-Event Event | where {$_.EventTye ג€"eq "error"}
2. Event | where EventType is "error"
3. select * from Event where EventType is "error"
4. search in (Event) * | where EventType ג€"eq "error"

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/search-queries 
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal  
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer