---
title: Python script to retrieve data from Azure Log Analytics | Microsoft Docs
description: The Log Analytics Log Search API allows any REST API client to retrieve data from a Log Analytics workspace. This article provides a sample Python script using the Log Search API.
services: log-analytics
documentationcenter: ''
author: bwren
manager: carmonm
editor: tysonn

ms.service: log-analytics
ms.devlang: na
ms.topic: article
ms.tgt_pltfrm: na
ms.workload: infrastructure-services
ms.date: 11/03/2017
ms.author: bwren
---

# Retrieve data from Log Analytics with a Python script

The Log Analytics Log Search API allows any REST API client to retrieve data from a Log Analytics workspace. This article presents a sample Python script that uses the Log Analytics Log Search API.

> [!NOTE]
> This article uses the Log Search API for the legacy query language in Log Analytics. An update will be provided to this article for workspaces that have been upgraded to the new Log Analytics query language.

## Authentication

This script uses a service principal in Azure Active Directory to authenticate to the workspace. A service principal gives the client application an identity of its own, so the script can authenticate to the service without a user's account name or credentials. Before running this script, you must create a service principal using the process at Use portal to create an Azure Active Directory application and service principal that can access resources. You'll need to provide the Application ID, Tenant ID, and Authentication Key to the script, together with the Subscription ID of the workspace.

> [!NOTE]
> When you create an Azure Automation account, a service principal is created that is suitable to use with this script. If you already have a service principal created by Azure Automation, you should be able to use it instead of creating a new one, although you may need to create an authentication key if it doesn't already have one.

## Script

```python
import adal
import requests
import datetime
import time
from pprint import pprint

# Details of workspace.  Fill in details for your workspace.
resource_group = 'xxxxxxxx'
workspace = 'xxxxxxxx'

# Details of query.  Modify these to your requirements.
query = "Type=Event"
end_time = datetime.datetime.utcnow()
start_time = end_time - datetime.timedelta(hours=24)
num_results = 100  # If not provided, a default of 10 results will be used.

# IDs for authentication.  Fill in values for your service principal.
# The application key is a secret that grants the service principal's access;
# load it from a secure store rather than committing it to source control.
subscription_id = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
tenant_id = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
application_id = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
application_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

# URLs for authentication
authentication_endpoint = 'https://login.microsoftonline.com/'
resource = 'https://management.core.windows.net/'

# Get access token for the service principal (client credentials flow)
context = adal.AuthenticationContext(authentication_endpoint + tenant_id)
token_response = context.acquire_token_with_client_credentials(resource, application_id, application_key)
access_token = token_response.get('accessToken')

# Add token to header
headers = {
    "Authorization": 'Bearer ' + access_token,
    "Content-Type": 'application/json'
}

# URLs for retrieving data
uri_base = 'https://management.azure.com'
uri_api = 'api-version=2015-11-01-preview'
uri_subscription = uri_base + '/subscriptions/' + subscription_id
uri_resourcegroup = uri_subscription + '/resourcegroups/' + resource_group
uri_workspace = uri_resourcegroup + '/providers/Microsoft.OperationalInsights/workspaces/' + workspace
uri_search = uri_workspace + '/search'

# Build search parameters from query details
search_params = {
    "query": query,
    "top": num_results,
    "start": start_time.strftime('%Y-%m-%dT%H:%M:%S'),
    "end": end_time.strftime('%Y-%m-%dT%H:%M:%S')
}

# Build URL and send post request
uri = uri_search + '?' + uri_api
response = requests.post(uri, json=search_params, headers=headers)

# Response of 200 if successful
if response.status_code == 200:

    # Parse the response to get the ID and status.  The ID is the last
    # segment of the resource path returned in "id".
    data = response.json()
    search_id = data["id"].split("/")[-1]
    status = data["__metadata"]["Status"]

    # URL for polling this search.  Built once, outside the loop: appending
    # the ID on every iteration would request .../search/<id>/<id> on the
    # second poll.
    uri_status = uri_search + '/' + search_id + '?' + uri_api

    # If status is pending, then keep checking until complete
    while status == "Pending":

        # Wait briefly between polls rather than hammering the API
        time.sleep(1)
        response = requests.get(uri_status, headers=headers)
        response.raise_for_status()

        # Parse the response to get the status
        data = response.json()
        status = data["__metadata"]["Status"]

else:

    # Request failed
    print(response.status_code)
    response.raise_for_status()

print("Total records: " + str(data["__metadata"]["total"]))
print("Returned top: " + str(data["__metadata"]["top"]))
pprint(data["value"])
```
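The script above issues the search and then polls `/search/{id}` until the status leaves `Pending`. The following is an added example, not part of the article or the Azure SDK, that factors that exchange into a testable function: the status URL is built once from the search ID, each poll waits a fixed interval, and a deadline turns a search that never completes into a `TimeoutError` instead of an endless loop. The HTTP layer is an injected `transport(method, url, headers, body)` callable (an assumption of this example), so the flow runs offline against `FakeLogSearchApi`, a constructed stand-in that replays the `Pending` -> `Successful` sequence with constructed sample events; with real credentials you would pass a thin wrapper around `requests.post`/`requests.get` and the `Bearer` header obtained from `adal`.

```python
import time
from datetime import datetime, timedelta, timezone

API_VERSION = "2015-11-01-preview"  # same api-version as the article's script


def build_search_params(query, hours_back, top, now=None):
    """Request body in the shape the article's script sends."""
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(hours=hours_back)
    return {"query": query, "top": top,
            "start": start.strftime("%Y-%m-%dT%H:%M:%S"),
            "end": end.strftime("%Y-%m-%dT%H:%M:%S")}


def search_uri(subscription_id, resource_group, workspace):
    """Workspace /search endpoint, built the same way as in the article."""
    return ("https://management.azure.com/subscriptions/%s/resourcegroups/%s"
            "/providers/Microsoft.OperationalInsights/workspaces/%s/search"
            % (subscription_id, resource_group, workspace))


def run_search(transport, uri_search, headers, params, poll_seconds=1.0,
               timeout_seconds=60.0, sleep=time.sleep, clock=time.monotonic):
    """POST the search, then GET /search/{id} until Status leaves "Pending".

    transport(method, url, headers, body) must return (status_code, parsed_json).
    Raises RuntimeError on a non-200 reply and TimeoutError if the search is still
    Pending when the deadline passes, so a stuck search cannot spin forever.
    """
    code, data = transport("POST", uri_search + "?api-version=" + API_VERSION, headers, params)
    if code != 200:
        raise RuntimeError("search request failed with HTTP %d" % code)
    search_id = data["id"].rsplit("/", 1)[-1]
    # Built once: appending the ID on every poll would request .../search/<id>/<id>.
    uri_status = uri_search + "/" + search_id + "?api-version=" + API_VERSION
    deadline = clock() + timeout_seconds
    status = data["__metadata"]["Status"]
    while status == "Pending":
        if clock() >= deadline:
            raise TimeoutError("search %s still Pending after %.0f s" % (search_id, timeout_seconds))
        sleep(poll_seconds)
        code, data = transport("GET", uri_status, headers, None)
        if code != 200:
            raise RuntimeError("status request failed with HTTP %d" % code)
        status = data["__metadata"]["Status"]
    return data


class FakeLogSearchApi:
    """Constructed stand-in for the service so the example runs offline.

    The POST answers Pending, the next `pending_polls` GETs answer Pending, and
    the GET after that returns a Successful search with two constructed events.
    """

    def __init__(self, pending_polls=2):
        self.pending_polls = pending_polls
        self.calls = []  # (method, url) of every request, for inspection
        self.search_id = "00000000-0000-0000-0000-000000000001"  # constructed
        self.top = None

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if "Authorization" not in headers:
            return 401, {"error": "missing bearer token"}
        if method == "POST":
            self.top = body["top"]
            return 200, self._reply("Pending", [])
        gets = sum(1 for m, _ in self.calls if m == "GET")
        if gets <= self.pending_polls:
            return 200, self._reply("Pending", [])
        events = [  # constructed sample rows, not real workspace data
            {"Type": "Event", "Computer": "srv01", "EventID": 4625, "EventLog": "Security"},
            {"Type": "Event", "Computer": "srv02", "EventID": 7036, "EventLog": "System"},
        ]
        return 200, self._reply("Successful", events)

    def _reply(self, status, events):
        return {"id": "subscriptions/sub/resourcegroups/rg/providers/Microsoft."
                      "OperationalInsights/workspaces/ws/search/" + self.search_id,
                "__metadata": {"Status": status, "total": len(events), "top": self.top},
                "value": events}


def demo():
    """Run the flow against the fake service with sleeping disabled."""
    api = FakeLogSearchApi(pending_polls=2)
    headers = {"Authorization": "Bearer <token from adal>", "Content-Type": "application/json"}
    params = build_search_params("Type=Event", hours_back=24, top=100)
    data = run_search(api, search_uri("sub", "rg", "ws"), headers, params,
                      poll_seconds=0, sleep=lambda s: None)
    return api, data


if __name__ == "__main__":
    api, data = demo()
    print("Total records:", data["__metadata"]["total"], "after", len(api.calls), "requests")
```

`demo()` makes one POST and three GETs, all three GETs to the same status URL, which is the behaviour a reader can check against the article's loop. The `clock` parameter exists so the deadline can be tested without waiting; in production the defaults (`time.sleep`, `time.monotonic`) apply.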

## Next steps