List By Workspace Saved Searches
Description: Retrieves all saved searches within a Log Analytics workspace in Microsoft Azure Sentinel. Requires the resource group name, subscription ID, and workspace name. Endpoint URL: /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/Microsoft.OperationalInsights/workspaces/{{workspacename}}/savedsearches Method: GET. Inputs: path parameters (object) – required: resourcegroupname (string) – required; subscriptionid (string) – required; workspacename (string) – required. parameters (object) – required: api-version (string) – required. Output example: \[ { "status code" 200, "response headers" { "cache control" "no cache", "pragma" "no cache", "transfer encoding" "chunked", "content type" "application/json; charset=utf 8", "content encoding" "gzip", "expires" " 1", "vary" "accept encoding", "x ms ratelimit remaining subscription reads" "11999", "request context" "appid=cid v1\ e6336c63 aab2 45f0 996a e5dbab2a1508", "x content type options" "nosniff", "strict transport security" "max age=31536000; includesubdomains", "access control allow origin" " ", "x powered by" "asp net", "x ms request id" "dee963e1 17f2 461b 83a1 321ca07cb530", "x ms correlation request id" "dee963e1 17f2 461b 83a1 321ca07cb530", "x ms routing request id" "jioindiacentral 20230810t104321z\ dee963e1 17f2 461b 83a1 321ca07cb530", "date" "thu, 10 aug 2023 10 43 20 gmt" }, "reason" "ok", "json body" { "value" \[ { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/00000000 0000 0000 0000 00000000000", "etag" "w/\\"datetime'2023 08 10t10%3a40%3a18 6215548z'\\"", "properties" { "category" "saved search test category", "displayname" "create or update saved search test", "query" "heartbeat | summarize count() by computer | take a", "version" 2 }, "name" "00000000 0000 0000 0000 00000000000", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 
8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|allevents", "properties" { "displayname" "all events", "category" "log management", "query" "event | sort by timegenerated desc\r\n// oql type=event // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {ptt true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|allevents", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|showserversthrowinginternalservererror", "properties" { "displayname" "shows servers that are throwing internal server error", "category" "log management", "query" "search scstatus == 500 | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = count() by scomputername\r\n// oql type=w3ciislog scstatus=500 | measure count() by scomputername // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|showserversthrowinginternalservererror", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|countiislogentrieshttprequestmethod", "properties" { "displayname" "count of iis log entries by http request method", "category" "log management", "query" "search | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = count() by csmethod\r\n// oql 
type=w3ciislog | measure count() by csmethod // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|countiislogentrieshttprequestmethod", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|countiislogentrieshttpuseragent", "properties" { "displayname" "count of iis log entries by http user agent", "category" "log management", "query" "search | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = count() by csuseragent\r\n// oql type=w3ciislog | measure count() by csuseragent // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|countiislogentrieshttpuseragent", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|countiislogentriesclientipaddress", "properties" { "displayname" "count of iis log entries by client ip address", "category" "log management", "query" "search | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = count() by cip\r\n// oql type=w3ciislog | measure count() by cip // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|countiislogentriesclientipaddress", "type" "microsoft 
operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|iislogentriesforclientip", "properties" { "displayname" "iis log entries for a specific client ip address (replace with your own)", "category" "log management", "query" "search cip == \\"192 168 0 1\\" | extend type = $table | where type == w3ciislog | sort by timegenerated desc | project csuristem, scbytes, csbytes, timetaken, scstatus\r\n// oql type=w3ciislog cip=\\"192 168 0 1\\" | select csuristem,scbytes,csbytes,timetaken,scstatus // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|iislogentriesforclientip", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|countofiislogentriesbyurlrequestedbyclient", "properties" { "displayname" "count of iis log entries by url requested by client (without query strings)", "category" "log management", "query" "search | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = count() by csuristem\r\n// oql type=w3ciislog | measure count() by csuristem // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|countofiislogentriesbyurlrequestedbyclient", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft 
operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|countofiislogentriesbyhostrequestedbyclient", "properties" { "displayname" "count of iis log entries by host requested by client", "category" "log management", "query" "search | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = count() by cshost\r\n// oql type=w3ciislog | measure count() by cshost // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|countofiislogentriesbyhostrequestedbyclient", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|countofiislogentriesbyurlforhost", "properties" { "displayname" "count of iis log entries by url for the host \\"www contoso com\\" (replace with your own)", "category" "log management", "query" "search cshost == \\"www contoso com\\" | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = count() by csuristem\r\n// oql type=w3ciislog cshost=\\"www contoso com\\" | measure count() by csuristem // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|countofiislogentriesbyurlforhost", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|totalbytessentbyclientipaddress", "properties" { "displayname" "total bytes sent by 
client ip address", "category" "log management", "query" "search | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = sum(csbytes) by cip\r\n// oql type=w3ciislog | measure sum(csbytes) by cip // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|totalbytessentbyclientipaddress", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|totalbytesreceivedbyeachazureroleinstance", "properties" { "displayname" "total bytes received by each azure role instance", "category" "log management", "query" "search | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = sum(csbytes) by roleinstance\r\n// oql type=w3ciislog | measure sum(csbytes) by roleinstance // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|totalbytesreceivedbyeachazureroleinstance", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|totalbytesreceivedbyeachiiscomputer", "properties" { "displayname" "total bytes received by each iis computer", "category" "log management", "query" "search | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = sum(csbytes) by computer | limit 500000\r\n// oql type=w3ciislog | measure sum(csbytes) by computer | top 500000 // args {oq true; workspaceid 00000000 0000 
0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|totalbytesreceivedbyeachiiscomputer", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|totalbytesrespondedtoclientsbyeachiisserveripaddress", "properties" { "displayname" "total bytes responded back to clients by each iis serverip address", "category" "log management", "query" "search | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = sum(scbytes) by sip\r\n// oql type=w3ciislog | measure sum(scbytes) by sip // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|totalbytesrespondedtoclientsbyeachiisserveripaddress", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|totalbytesrespondedtoclientsbyclientipaddress", "properties" { "displayname" "total bytes responded back to clients by client ip address", "category" "log management", "query" "search | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = sum(scbytes) by cip\r\n// oql type=w3ciislog | measure sum(scbytes) by cip // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|totalbytesrespondedtoclientsbyclientipaddress", "type" "microsoft 
operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|averagehttprequesttimebyclientipaddress", "properties" { "displayname" "average http request time by client ip address", "category" "log management", "query" "search | extend type = $table | where type == w3ciislog | summarize aggregatedvalue = avg(timetaken) by cip\r\n// oql type=w3ciislog | measure avg(timetaken) by cip // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {pef true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|averagehttprequesttimebyclientipaddress", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|allsyslog", "properties" { "displayname" "all syslogs", "category" "log management", "query" "syslog | sort by timegenerated desc\r\n// oql type=syslog // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {ptt true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|allsyslog", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|allsyslogswitherrors", "properties" { "displayname" "all syslog records with errors", "category" "log management", "query" "syslog | where severitylevel == \\"error\\" | sort by timegenerated desc\r\n// oql type=syslog severitylevel=error // 
args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {ptt true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|allsyslogswitherrors", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) logmanagement|allsyslogbyfacility", "properties" { "displayname" "all syslog records grouped by facility", "category" "log management", "query" "syslog | summarize aggregatedvalue = count() by facility\r\n// oql type=syslog | measure count() by facility // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {ptt true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) logmanagement|allsyslogbyfacility", "type" "microsoft operationalinsights/savedsearches" }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/savedsearches/logmanagement(swimlaneazuresentinel) general|stalecomputers", "properties" { "displayname" "stale computers (data older than 24 hours)", "category" "general exploration", "query" "search not(objectname == \\"advisor metrics\\" or objectname == \\"managedspace\\") | summarize lastdata = max(timegenerated) by computer | limit 500000 | where lastdata < ago(24h)\r\n// oql not(objectname=\\"advisor metrics\\" or objectname=managedspace) | measure max(timegenerated) as lastdata by computer | top 500000 | where lastdata < now 24hours // args {oq true; workspaceid 00000000 0000 0000 0000 000000000000} // settings {ptt true; sorti true; sortf true} // version 0 1 122", "version" 2 }, "name" "logmanagement(swimlaneazuresentinel) general|stalecomputers", "type" "microsoft 
operationalinsights/savedsearches" } ] } } ] Output parameters: status code (number); reason (string); json body (object) containing value (array), where each element has id (string), etag (string), properties (object) with displayname (string), category (string), query (string), version (number); name (string); type (string). Response headers (header – type): cache-control – string; pragma – string; transfer-encoding – string; content-type – string; content-encoding – string; expires – string; vary – string; x-ms-ratelimit-remaining-subscription-reads – string; request-context – string; x-content-type-options – string; strict-transport-security – string; access-control-allow-origin – string; x-powered-by – string; x-ms-request-id – string; x-ms-correlation-request-id – string; x-ms-routing-request-id – string; date – string.