azure-powershellazure-eventhubazure-log-analytics
Output the results of a Log Analytics Workspace query to Event Hub
I'm performing a query to output logs captured in an Azure Log Analytics Workspace, for example: Invoke-AzOperationalInsightsQuery -WorkspaceId '' -Query "AzureDiagnostics | where Category == 'AzureFirewallApplicationRule'"
However I need to send the results of this to an Event Hub for further processing.
I'm trying to use the REST API (https://learn.microsoft.com/en-us/rest/api/eventhub/send-batch-events) but struggling to dynamically generate a request body to send to the Event Hub based on the output fields of the query. This may not be the best way to do it, any suggestions?
Solution
I suggest you can use Send event api by sending a simple json data one by one. Because if you use send batch api, you should build a more complex source data.
You can use the following powershell code to send data to event hub using send event api.
$queryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId "xxx" -Query "your query"
#generate sas token
$URI_1 = "event_hub_namespace.servicebus.windows.net/eventhub_path"
$Access_Policy_Name="RootManageSharedAccessKey"
$Access_Policy_Key="the key"
#Token expires now+3000
$Expires=([DateTimeOffset]::Now.ToUnixTimeSeconds())+3000
$SignatureString=[System.Web.HttpUtility]::UrlEncode($URI_1)+ "`n" + [string]$Expires
$HMAC = New-Object System.Security.Cryptography.HMACSHA256
$HMAC.key = [Text.Encoding]::ASCII.GetBytes($Access_Policy_Key)
$Signature = $HMAC.ComputeHash([Text.Encoding]::ASCII.GetBytes($SignatureString))
$Signature = [Convert]::ToBase64String($Signature)
$SASToken = "SharedAccessSignature sr=" + [System.Web.HttpUtility]::UrlEncode($URI_1) + "&sig=" + [System.Web.HttpUtility]::UrlEncode($Signature) + "&se=" + $Expires + "&skn=" + $Access_Policy_Name
$SASToken
$method = "POST"
$url = "https://event_hub_namespace.servicebus.windows.net/eventhub_path/messages"
$signature = $SASToken
# API headers
$headers = @{
"Authorization"=$signature;
"Content-Type"="application/atom+xml;type=entry;charset=utf-8";
}
#use foreach to send data
foreach($s in $queryResults.Results){
#Write-Output "hello"
$json = $s | ConvertTo-Json
#Write-Output $json
Invoke-WebRequest -Method $method -Headers $headers -Body $json -uri $url
}
Write-Output "**completed**"
After execute the powershell, I use code to receive the data from event hub, and I can confirm that all the data are sent to event hub. The screenshot as below:
- Deploy Azure Initiative (set definition) with Azure PowerSHell
- Is there an API to list all Azure Regions?
- Azure PowerShell: New-AzRoleAssignment doesn't work with ApplicationId instead of ObjectId
- How to install web deploy using PowerShell using Complete Installation Selection
- What is the replacement of `Get-AzEventGridSubscription -ResourceGroup -TopicName` in Az PowerShell 12.x
- The template output 'ctrName' is not valid: The language expression property array index '4' is out of bounds
- New-AzResourceGroupDeployment: 4:21:36 PM - The deployment 'FileStorageDeployment' failed with error(s). Showing 1 out of 1 error(s)
- Azure: Creating Linux VM returns Required parameter 'osProfile.computerName' is missing (null)
- How to reference a secret variable from an AzurePowerShell@5 task
- Poweshell to set Azure SQL Auditing
- Create Pipeline via Azure Powershell and pipelineReturnValue activity is not properly created
- Generating SAS account token in powershell
- Detected characters in arguments that may not be executed correctly by the shell. Please escape special characters using backtick (`)
- Azure Run Command Error: The string is missing the terminator: "
- Powershell how to use azure vault secret value using yaml
- How to read the name of the App Service Plan used an App Service with Azure Powershell
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Get Private FQDNs, IPs, Names of the Private Endpoints for the Azure resources deployed in an Virtual Network using PowerShell Script
- Foreach parallel Missing an argument for parameter 'xxx'. Specify a parameter of type 'System.Object' and try again
- Query resources in resource groups where tags are missing
- Azure Portal PowerShell Read Global Admins Certificate
- Need to set up the e-mail notification for PowerShell runbook to send its output periodically/daily to the mail
- How to get Drive Item ID of a file from a user OneDrive using PowerShell Microsoft Graph
- Unable to connect to the server: getting credentials: exec: executable kubelogin not found
- Error: Code=InvalidTemplateDeployment; Message=The template deployment 'StAccDeployment' is not valid according to the validation procedure
- New-AzResourceGroupDeployment: Cannot retrieve the dynamic parameters for the cmdlet when trying to execute the bicep script
- Unable to acquire token for tenant 'organizations' with error 'InteractiveBrowserCredential authentication failed: User canceled authentication. '
- Get the Operating system details of the in-place upgraded Azure VM using Azure PowerShell
- How to add Mail.Send permission when creating application with secret?
- Powershell module can't find subscription when a bicep kicks it off