Andrew Posted on 8:00 am

Find Failed Create Operations in Azure using KQL

Welcome to another journey through the Azure skies! 🚀 Today, we embark on a thrilling quest through the Azure cosmos to uncover the secrets of failed create operations using Kusto Query Language (KQL). Whether you’re a seasoned cloud explorer or a curious newcomer, this guide will equip you with the knowledge to track down those elusive “create” mishaps.

Why Seek Out Failures?

Imagine this: You’re managing your bustling Azure subscription, and suddenly, a resource creation goes awry. Was it a cosmic hiccup? A misaligned stardust configuration? Fear not! By mastering KQL, you’ll be the cosmic detective, unraveling the mysteries of failed creations.

Another, more nefarious reason is that someone without the correct permissions may be trying to create resources, or testing whether they can sneak resources into your Azure tenant that don't belong there. Repeated failed creates from one principal are a useful early signal of that kind of probing.

The KQL Constellation

Our journey begins within the AzureActivity table of your Log Analytics Workspace. Here, activity logs find their celestial home when exported via Diagnostic Settings. Now, let’s don our virtual spacesuits and craft our KQL queries:

Failed Creations in your Universe:

AzureActivity
| where OperationName == "Create"
| where ActivityStatusValue == "Failure"

This query reveals all records involving failed creation attempts.

Pretty wide open, but this gives a place to start investigating.

Incident Clues:

AzureActivity
| where OperationName == "Create"
| where ActivityStatusValue == "Failure"
| extend Temp = split(_ResourceId, '/')
| extend Failed_Resource = Temp[-1]
| extend Failed_ResourceType = Temp[-2]
| order by TimeGenerated desc

This query pulls the essential details out of each failed creation: it splits _ResourceId on '/' and takes the last segment as the name of the resource that failed to be created and the second-to-last segment as its resource type, then sorts the newest attempts first.

I think we can add one nice feature to our KQL to make switching dates a lot faster:

AzureActivity
| where TimeGenerated > ago(120d) // adjust the time range as needed
| where OperationName == "Create"
| where ActivityStatusValue == "Failure"
| extend Temp = split(_ResourceId, '/')
| extend Failed_Resource = Temp[-1]
| extend Failed_ResourceType = Temp[-2]
| order by TimeGenerated desc

I usually like to set my time boundary in the query itself, as it makes it faster to switch from 1h or 30m to 120d ago as we explore our data.
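To turn the query above into something that surfaces the permission-probing case mentioned earlier, the failed creates can be grouped by the principal that issued them. This is an added example, not a query from the original post; the 7-day window, the threshold of 3 failures and the set-size limits are assumptions to tune for your own tenant.

```kql
// Added example: group failed create attempts by caller to spot a principal
// that keeps failing to create resources (possible permission probing).
// Window (7d), threshold (3) and make_set limits are assumptions; adjust as needed.
AzureActivity
| where TimeGenerated > ago(7d)
| where OperationName == "Create"
| where ActivityStatusValue == "Failure"
| extend Temp = split(_ResourceId, '/')
| extend Failed_Resource = tostring(Temp[-1])
| extend Failed_ResourceType = tostring(Temp[-2])
| summarize
    FailedCreates = count(),
    DistinctResourceTypes = dcount(Failed_ResourceType),
    ResourceTypes = make_set(Failed_ResourceType, 20),
    ResourceGroups = make_set(ResourceGroup, 20),
    SourceIPs = make_set(CallerIpAddress, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Caller, SubscriptionId
| where FailedCreates >= 3
| order by FailedCreates desc
```

A single caller with many failures spread across several resource types and resource groups is worth a closer look, since a genuine misconfiguration usually fails repeatedly on the same resource rather than across many.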

Your Cosmic Adventure Awaits

So, grab your KQL telescope, and let’s explore the Azure nebula. Whether safeguarding virtual machines or nurturing fledgling storage accounts, KQL will be your trusty starship.

Stay tuned for more Azure escapades right here on AzureTracks.com!

Explore more Azure insights on AzureTracks.com. Until next time, may your queries be precise and your incidents well-contained! ☁️🔍