You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error events from a table named Event. Which query should you run in Workspace1?
A. Get-Event Event | where {$_.EventType == "error"}
B. search in (Event) "error"
C. select * from Event where EventType == "error"
D. search in (Event) * | where EventType -eq "error"
This is a valid KQL query used in Azure Log Analytics to:
Search within the Event table.
Filter only records where EventType is "error".
Other options use incorrect syntax (PowerShell or SQL) or don’t filter accurately.
https://learn.microsoft.com/en-us/kusto/query/search-operator?view=azure-data-explorer&preserve-view=true
https://learn.microsoft.com/en-us/kusto/query/where-operator?view=azure-data-explorer&preserve-view=true
A. Incorrect: This is PowerShell syntax, not KQL.
Log Analytics requires KQL for queries inside the workspace.
B. Incorrect / Incomplete: This will search for the string "error" in the Event table, but:
It doesn’t filter specifically on the EventType field.
Could return unrelated results where "error" appears anywhere.
C. Incorrect: This is SQL-style syntax, not valid KQL.
D. Correct KQL syntax:
search in (Event) *: Pulls all records from the Event table.
| where EventType -eq "error": Filters where EventType equals "error".
B. search in (Event) "error" is a valid KQL statement.
It tells Log Analytics to search for the word “error” in the Event table, across all fields.
It’s useful when you're unsure about the exact field but want to do a full-text search.
Why not the others?
A. Get-Event Event | where {$_.EventType == "error"}
This is PowerShell syntax, not KQL. It won't work in Log Analytics.
C. select * from Event where EventType == "error"
This is SQL syntax, not valid in Log Analytics.
D. search in (Event) * | where EventType -eq "error"
-eq is PowerShell-style comparison, not KQL.
In KQL, you'd use == for comparison, not -eq.
Got curious because I've never used such syntax in KQL so I tested.
A is a PowerShell-type query, while C is a SQL type. Strangely enough, B worked and is the correct answer.
Correct B
// 1. Simple term search over all unrestricted tables and views of the database in scope
search "billg"
// 2. Like (1), but looking only for records that match both terms
search "billg" and ("steveb" or "satyan")
// 3. Like (1), but looking only in the TraceEvent table
search in (TraceEvent) and "billg"
// 4. Like (2), but performing a case-sensitive match of all terms
search kind=case_sensitive "BillB" and ("SteveB" or "SatyaN")
// 5. Like (1), but restricting the match to some columns
search CEO:"billg" or CSA:"billg"
// 6. Like (1), but only for some specific time limit
search "billg" and Timestamp >= datetime(1981-01-01)
// 7. Searches over all the higher-ups
search in (C*, TF) "billg" or "davec" or "steveb"
// 8. A different way to say (7). Prefer to use (7) when possible
union C*, TF | search "billg" or "davec" or "steveb"
The correct option in Kusto Query Language (KQL) is C:
Option C: select * from Event where EventType == "error"
This command selects all rows from the table named “Event” where the value of the column “EventType” is equal to “error”.
The other options are not syntactically correct in KQL:
Option A: Get-Event Event | where {$_.EventType == "error"}
This is not a valid syntax in KQL. The “Get-Event” command does not exist in KQL.
Option B: search in (Event) "error"
Although it resembles KQL, it is not a valid syntax. The keyword “search” is not used this way in KQL.
Option D: search in (Event) * | where EventType -eq "error"
Similar to option B, the “search” keyword is not used this way in KQL. Additionally, the comparison should be with “==”, not “-eq”.
The correct answer would be:
D. search in (Event) * | where EventType -eq "error"
Log Analytics Workspace has its root usage with the querying of data/logs specifically using the KQL. Option D represents the correct syntax for querying using KQL.
The correct query to run in Workspace1 to view the error events from a table named Event is:
B. search in (Event) "error"
This query will search for the term “error” in the Event table. The other options are not valid queries for Azure Log Analytics. Azure Log Analytics uses a version of the Kusto query language, and these queries do not conform to the correct syntax. For example, the ‘select’ statement is not used in Kusto, and PowerShell-style syntax (like option A) is not applicable here. Option D is incorrect because it attempts to use a mix of Kusto and PowerShell syntax.
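Added example, not part of any comment above and not from the exam material: the difference the thread argues about between a term search and a filter on a single column, run against a constructed in-memory table so it works in any workspace. SampleEvent and its rows are assumptions made for illustration; the EventType column name follows the question's wording.

```kql
// Constructed sample rows standing in for the Event table (not real workspace data).
// The EventType column follows the question's wording.
let SampleEvent = datatable(TimeGenerated: datetime, Computer: string, EventType: string, Message: string)
[
    datetime(2024-01-01 10:00:00), "vm-01", "error",       "Disk write failed",
    datetime(2024-01-01 10:05:00), "vm-01", "information", "Retry after error succeeded",
    datetime(2024-01-01 10:10:00), "vm-02", "warning",     "Low disk space",
    datetime(2024-01-01 10:15:00), "vm-02", "Error",       "Service stopped unexpectedly"
];
union
    // Term search: case-insensitive match of the term "error" in any column,
    // so a row qualifies even if only its Message mentions the word.
    (SampleEvent | search "error" | extend Query = 'search "error"'),
    // Column filter with ==: case-sensitive equality on EventType only.
    (SampleEvent | where EventType == "error" | extend Query = 'where EventType == "error"'),
    // Column filter with =~: case-insensitive equality on EventType only.
    (SampleEvent | where EventType =~ "error" | extend Query = 'where EventType =~ "error"')
| summarize Rows = count(), MatchedMessages = make_list(Message) by Query
```

Comparing the Rows value per Query shows how far a bare term search over-matches when the intent is to filter on one field, which matters when the query feeds an alert rule.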