You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error events from a table named Event. Which query should you run in Workspace1?
A.
Get-Event Event | where {$_.EventType == "error"}
B.
search in (Event) "error"
C.
select * from Event where EventType == "error"
D.
search in (Event) * | where EventType -eq "error"
B. search in (Event) "error" is a valid KQL statement.
It tells Log Analytics to search for the word “error” in the Event table, across all fields.
It’s useful when you're unsure about the exact field but want to do a full-text search.
Why not the others?
A. Get-Event Event | where {$_.EventType == "error"}
This is PowerShell syntax, not KQL. It won't work in Log Analytics.
C. select * from Event where EventType == "error"
This is SQL syntax, not valid in Log Analytics.
D. search in (Event) * | where EventType -eq "error"
-eq is PowerShell-style comparison, not KQL.
In KQL, you'd use == for comparison, not -eq.
Got curious because I've never used such syntax in KQL so I tested.
A is a powershell type query, while C is a SQL type. Strangely enough B worked and is the correct answer.
Correct B
// 1. Simple term search over all unrestricted tables and views of the database in scope
search "billg"
// 2. Like (1), but looking only for records that match both terms
search "billg" and ("steveb" or "satyan")
// 3. Like (1), but looking only in the TraceEvent table
search in (TraceEvent) and "billg"
// 4. Like (2), but performing a case-sensitive match of all terms
search "BillB" and ("SteveB" or "SatyaN")
// 5. Like (1), but restricting the match to some columns
search CEO:"billg" or CSA:"billg"
// 6. Like (1), but only for some specific time limit
search "billg" and Timestamp >= datetime(1981-01-01)
// 7. Searches over all the higher-ups
search in (C*, TF) "billg" or "davec" or "steveb"
// 8. A different way to say (7). Prefer to use (7) when possible
union C*, TF | search "billg" or "davec" or "steveb"
The correct option in Kusto Query Language (KQL) is C:
Option C: select * from Event where EventType == "error"
This command selects all rows from the table named “Event” where the value of the column “EventType” is equal to “error”.
The other options are not syntactically correct in KQL:
Option A: Get-Event Event | where {$_.EventType == "error"}
This is not a valid syntax in KQL. The “Get-Event” command does not exist in KQL.
Option B: search in (Event) "error"
Although it resembles KQL, it is not a valid syntax. The keyword “search” is not used this way in KQL.
Option D: search in (Event) * | where EventType -eq "error"
Similar to option B, the “search” keyword is not used this way in KQL. Additionally, the comparison should be with “==”, not “-eq”.
The correct correct answer would be :
D. search in (Event) * | where EventType -eq "error"
Log Analytics Workspace has its root usage with the querying of data/logs specifically using the KQL. Option D represents the correct syntax for querying using KQL.
The correct query to run in Workspace1 to view the error events from a table named Event is:
B. search in (Event) “error”
This query will search for the term “error” in the Event table. The other options are not valid queries for Azure Log Analytics. Azure Log Analytics uses a version of the Kusto query language, and these queries do not conform to the correct syntax. For example, the ‘select’ statement is not used in Kusto, and PowerShell-style syntax (like option A) is not applicable here. Option D is incorrect because it attempts to use a mix of Kusto and PowerShell syntax.
OpenAI
"The correct query to view the error events from the table named Event in the Azure Log Analytics workspace Workspace1 is:
D. search in (Event) * | where EventType -eq "error"
Explanation:
Option A is a PowerShell command, not a Log Analytics query language (KQL) command.
Option B is not a valid KQL query. The correct syntax for searching for events in a Log Analytics workspace is "search <query>".
Option C is a valid KQL query, but it is not the best option since it selects all columns from the Event table. It is recommended to select only the necessary columns to improve the query performance.
Option D is a valid KQL query that searches for all events in the Event table where the EventType column equals "error". This is the correct query to view the error events from the Event table."
Apologies for the confusion. You are correct. The correct query to view the error events from the "Event" table in Azure Log Analytics Workspace1 is:
B. search in (Event) "error"
This query uses the 'search' operator to search for the keyword "error" within the "Event" table in Azure Log Analytics Workspace1. It will return all the events that contain the keyword "error".
This section is not available anymore. Please use the main Exam Page.AZ-104 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
GepeNova
Highly Voted 3 years, 7 months agodjhyfdgjk
1 year, 3 months agoNaoVaz
Highly Voted 2 years, 8 months agokhamrumunnu
Most Recent 1 week, 3 days agoIvanvazovv
2 months, 2 weeks agoRVivek
6 months, 4 weeks agoSifon_n
7 months agohapppieee
7 months, 1 week agomcc
8 months, 1 week agoMCLC2021
8 months, 1 week ago[Removed]
8 months, 3 weeks agoNeel2211
8 months, 4 weeks agoWojer
1 year, 2 months agoricardona
1 year, 7 months agoMehedi007
1 year, 10 months agoAndreas_Czech
2 years agoMysystemad
2 years agoExilic
2 years ago[Removed]
1 year, 7 months agoNana1990
1 year, 11 months agoxRiot007
2 years ago