OMSSearch Module Sample Runbook: Invoke-OMSSavedSearch

Over the last few days, I’ve been playing with the OMSSearch PowerShell / SMA / Azure Automation Module my friend and fellow SCCDM MVP Stanislav Zhelyazkov has created.

I am now part of this project on GitHub and have become the 3rd contributor (after Stan and Stefan Stranger). The module was updated yesterday (version 5.1.1) with some of my updates.

Today, I have written a sample runbook: Invoke-OMSSavedSearch. As the name suggests, it performs a user-defined saved search.

Note: due to a limitation of the OMS Search API, we can only retrieve user-defined saved searches. Therefore you cannot use this runbook for any built-in saved searches in OMS.

Runbook:

workflow Invoke-OMSSavedSearch
{
  Param(
    [Parameter(Mandatory=$true)][String]$OMSConnectionName,
    [Parameter(Mandatory=$true)][String]$SavedSearchCategory,
    [Parameter(Mandatory=$true)][String]$SavedSearchName
  )
  #Retrieve OMS connection details
  $OMSConnection = Get-AutomationConnection -Name $OMSConnectionName
  $Token = Get-AADToken -OMSConnection $OMSConnection
  $SubscriptionID = $OMSConnection.SubscriptionID
  $ResourceGroupName = $OMSConnection.ResourceGroupName
  $WorkSpaceName = $OMSConnection.WorkSpaceName

  $SavedSearches = Get-OMSSavedSearches -SubscriptionID $SubscriptionID -ResourceGroupName $ResourceGroupName -OMSWorkspaceName $WorkSpaceName -Token $Token
  if ($SavedSearches -ne $null)
  {
    $arrSavedSearches = $SavedSearches.Properties
  }

  $bFound = $false
  Foreach ($item in $arrSavedSearches)
  {
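    #Match on both display name and category, so a same-named search in another category is not picked up
    if ($item.DisplayName -ieq $SavedSearchName -and $item.Category -ieq $SavedSearchCategory)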
    {
      $objSavedSearch = $item
      $bFound = $true
    }
  }
  #Exit if the saved search is not found
  if ($bFound -eq $false)
  {
    Write-Error "Unable to find the saved search with name '$SavedSearchName' in category '$SavedSearchCategory'."
    Exit
  }

  $SearchQuery = $objSavedSearch.Query
  Write-Verbose "Executing search query `"$SearchQuery`"."
  $SearchResult = Invoke-OMSSearchQuery -SubscriptionID $SubscriptionID -ResourceGroupName $ResourceGroupName -OMSWorkspaceName $WorkSpaceName -Query $SearchQuery -Token $Token
  $SearchResult
}

This runbook expects 3 input parameters:

  • OMSConnectionName: the name of the OMS Connection object defined in SMA or Azure Automation
  • SavedSearchCategory: the saved search category you specified when you saved the search query
  • SavedSearchName: the display name of the saved search you specified when you saved the search query

Runbook Result in SMA: [screenshot]

Same event in OMS: [screenshot]

Pre-Requisite:

This runbook is written based on version 5.1.1 of the OMSSearch Module. It will not work with previous versions because I have added a few additional parameters to the OMSConnection object which are used by this runbook.
