Using the latest Azure CLI (2.28.1).
The creation of Kusto queries against Log Analytics with the Azure CLI, using the saved-search directive, is documented here: https://learn.microsoft.com/en-us/cli/azure/monitor/log-analytics/workspace/saved-search?view=azure-cli-latest
A minor irritation is that the CLI always creates legacy categories rather than non-legacy ones, and tags are sometimes not applied correctly.
But what I cannot find is how to create queries against Insights with the CLI. I combed the Microsoft docs without a hit. Insights is a subset of Log Analytics (Monitor), but the queries are stored separately. Alarms can target both resource groups (i.e. Insights and Log Analytics).
With Bicep (az bicep build --file <bicep file>), resource definitions can be defined in a template (JSON) and then deployed with the Azure CLI (az deployment group create --resource-group <name> --template-file <bicep generated template>).
The hard part was making parent and child resources in Bicep. I needed a parent query pack and child queries:

// Parent resource: the query pack that holds the saved queries.
resource querypack 'Microsoft.OperationalInsights/queryPacks@2019-09-01-preview' = {
  name: 'DefaultQueryPack'
  location: 'northeurope'
  properties: {}
}

// Child resource: one saved query inside the pack.
resource query 'Microsoft.OperationalInsights/queryPacks/queries@2019-09-01-preview' = {
  parent: querypack
  // The name of a query resource must be a GUID.
  name: '6967c00c-9b46-4270-bee0-5a27b8b85cef'
  properties: {
    displayName: 'BadEventsBySdcFileId'
    description: ''
    body: '<kusto query>'
    related: {
      categories: [
        'applications'
      ]
      // Makes the query available for Application Insights resources.
      resourceTypes: [
        'microsoft.insights/components'
      ]
    }
    tags: {}
  }
}

Also, the query resource name has to be a GUID, which is not at all clear in the documentation. Tags are helpful to group by topic when hunting around for queries that belong, say, to a project domain.
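
An added example, not part of the original post: the same parent/child layout generalized to several queries, with each GUID name derived by Bicep's guid() function so that redeploying the template updates the same query instead of requiring hand-written GUIDs. The second query, the 'Project' tag key and its values are constructed for illustration, and the tag shape (a key mapped to a list of strings) is an assumption about this API version.

```bicep
// Added example: a query pack with several child queries and generated GUID names.
param location string = resourceGroup().location

// Constructed sample list; replace the bodies with real Kusto queries.
var savedQueries = [
  {
    displayName: 'BadEventsBySdcFileId'
    body: '<kusto query>'
    project: 'sdc' // hypothetical project domain used as a tag value
  }
  {
    displayName: 'FailedRequestsByOperation' // hypothetical second query
    body: '<kusto query>'
    project: 'sdc'
  }
]

resource querypack 'Microsoft.OperationalInsights/queryPacks@2019-09-01-preview' = {
  name: 'DefaultQueryPack'
  location: location
  properties: {}
}

// One child resource per entry in savedQueries.
resource packQueries 'Microsoft.OperationalInsights/queryPacks/queries@2019-09-01-preview' = [for q in savedQueries: {
  parent: querypack
  // guid() is deterministic: the same inputs always give the same GUID,
  // so the name is stable across deployments of this template.
  name: guid(resourceGroup().id, 'DefaultQueryPack', q.displayName)
  properties: {
    displayName: q.displayName
    description: ''
    body: q.body
    related: {
      categories: [
        'applications'
      ]
      resourceTypes: [
        'microsoft.insights/components'
      ]
    }
    // Assumed tag shape: key mapped to a list of string values.
    tags: {
      Project: [
        q.project
      ]
    }
  }
}]
```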