Author Posts

September 1, 2018 at 11:10 am

Hi Experts,
I have a script to export list of all alert rule created in OMS (Log Analytics). It is running fine and i can see result in my temp folder with name OMSAlert.csv. But when i am running same script in my another Azure subscription for a workspace i am getting error. Its bit strange and i am not ware why its is happening.
You can find the code block https://social.technet.microsoft.com/Forums/en-US/4d01d3b7-1924-4e6b-9b72-a7bfe4732d19/error-running-script-for-another-oms-workspace?forum=winserverpowershell here.
The error which i am getting is as below:-

convertfrom-json : Invalid JSON primitive: .
At C:\Users\kumar_g\Downloads\retrievealerts-oms.ps1:130 char:80
+ ... et "$($_.value.id)/actions?api-version=2015-03-20" | convertfrom-json
+                                                          ~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [ConvertFrom-Json], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.ConvertFromJsonCommand

Note:- Same script without any changes running fine for another subscription. I have also replaced api version from 2015-03-20 to 2016-04-01 but still no luck.

September 1, 2018 at 2:44 pm

The first thing I look at when I see this code:

param (
    #The subscription id where the OMS is located
    [Parameter(Mandatory)]
    [string]$SubscriptionId,  

    #The name of the OMS workspace.
    [Parameter(Mandatory)]
    [string]$WorkspaceID,

    #Notification Group shortname
    [string]$FilePath="c:\temp"
)

$ErrorActionPreference = "Stop"

#Variables

$OutPath=$FilePath + "\OMSalerts.csv"

#Getting all Workspaces

$allWorkspaces = armclient get "/subscriptions/$SubscriptionId/providers/Microsoft.OperationalInsights/workspaces?api-version=2015-03-20" | ConvertFrom-Json

ForEach($Workspace in $allWorkspaces.value)
{

    if($Workspace.name -eq $WorkspaceID)
    {
    
    $url = $Workspace.id

    }

}

Write-Host "Building table for results"  
  
#Build a table to format the results  
$table = New-Object system.Data.DataTable "Results"  
$col1 = New-Object system.Data.DataColumn Name,([string])  
$table.columns.add($col1)  
$col2 = New-Object system.Data.DataColumn Description,([string])  
$table.columns.add($col2)  
$col3 = New-Object system.Data.DataColumn Threshold,([string])  
$table.columns.add($col3)  
$col4 = New-Object system.Data.DataColumn Severity,([string])  
$table.columns.add($col4)
$col5 = New-Object system.Data.DataColumn Query,([string])  
$table.columns.add($col5)
$col6 = New-Object system.Data.DataColumn Interval,([string])  
$table.columns.add($col6)  
$col7 = New-Object system.Data.DataColumn QueryTimeSpan,([string])  
$table.columns.add($col7)  
$col8 = New-Object system.Data.DataColumn QueryEnabled,([boolean])  
$table.columns.add($col8)    

#Get all searches

Write-Host "Getting all searches for Workspace"  

$Searches = armclient get "$url/savedsearches?api-version=2015-03-20" | ConvertFrom-Json

if($Searches.value -ne $null)
{

Write-Output "Searches found: $($Searches.value.count)"

}

else
{

Write-Output "No searches found, exiting script"

Break

}

Write-Host "Getting schedules for Searches"  

$Searches.value.id | %{
    
    $search = armclient get "$_/?api-version=2015-03-20" | ConvertFrom-Json
    
    $schedules = armclient get "$_/schedules?api-version=2015-03-20" | ConvertFrom-Json

    $schedules | %{

    $schedule = $_.value.properties

    $actions = armclient get "$($_.value.id)/actions?api-version=2015-03-20" | convertfrom-json

    $actions | %{

        if ($_.value.properties.Type -eq "Alert"){

        Write-Host "Alert found: $($_.value.properties.Name)"  
        
        $Name=$_.value.properties.Name
        $Description=$_.value.properties.Description
        $Threshold=$_.value.properties.Threshold
        $Severity=$_.value.properties.Severity
        $Query=$search.properties.Query
        $Interval=$schedule.Interval
        $QueryTimeSpan=$schedule.QueryTimeSpan
        $QueryEnabled=$schedule.Enabled
           
        $row = $table.NewRow()  
        $row.Name = $Name
        $row.Description = $Description  
        $row.Threshold = $Threshold.Value 
        $row.Severity = $Severity
        $row.Query = $Query
        $row.Interval = $Interval
        $row.QueryTimeSpan = $QueryTimeSpan
        $row.QueryEnabled = $QueryEnabled  
        $table.Rows.Add($row)
        }
    }
        
    }
    }

Write-Host "Exporting results"  

$table | Export-Csv $OutPath -NoTypeInformation

This should be much more modular. You're performing specific functions like Get-Subscription, Get-Schedule where you should be checking to see what is coming back from the API calls. Then I thought, this really seems like there should already be cmdlets if this is Azure API calls and quick research nets:

Get-AzureRmSubscription
Get-AzureRmAutomationSchedule

Why are you not using the cmdLets for Azure that should already return what you want?

September 2, 2018 at 12:14 am

I am using the code which is pasted on the below link:-

https://blogs.technet.microsoft.com/manuelpuron/2017/07/14/export-all-alerts-created-in-a-oms-workspace-to-csv/#comment-2995

 

I am not sure how i can change this script.

September 2, 2018 at 6:29 am

Hi Sir,

These cmdlets are for selecting Azuresubscription and Scheduled Automation Task. But i am looking into OMS workspace and for its alert rules. So i think these cmdlets are not helpful here.

Get-AzureRmSubscriptionGet-AzureRmAutomationSchedule

And i am very strange that i can run this script for one workspace in subscription 1 but i cannot run for workspace in subscription 2.

September 2, 2018 at 1:47 pm

Even though the script works with one subscription, the exception you are seeing (System.ArgumentException,Microsoft.PowerShell.Commands.ConvertFromJsonCommand) typically indicates an issue with the JSON output.  The Convertfrom-Json command is expecting a single string as input.

As Rob mentioned, you could probably avoid the trouble with all the JSON conversion your script is performing by leveraging Powershell commands instead of using the ARMClient tool, which is conducting REST API calls against ARM and producing JSON output.

For example, you are doing this:


$allWorkspaces = armclient get "/subscriptions/$SubscriptionId/providers/Microsoft.OperationalInsights/workspaces?api-version=2015-03-20" | ConvertFrom-Json
$Searches = armclient get "$url/savedsearches?api-version=2015-03-20" | ConvertFrom-Json
$schedules = armclient get "$_/schedules?api-version=2015-03-20" | ConvertFrom-Json

Do this instead:


#Get all workspaces
$allworkspaces = Get-AzureRmOperationalInsightsWorkspace -Name "YourWorkspace" -ResourceGroupName "ResourceGroup"
#GET all searches
$searches = Get-AzureRmOperationalInsightsSavedSearch -ResourceGroupName "YourResourceGroup" -WorkspaceName "YourWorkspace"
#GET schedule
Get-AzureRmAutomationSchedule -AutomationAccountName "YourAccount" -Name "YourSchedule" -ResourceGroupName "ResourceGroup"

Otherwise, you can go through the trouble of fixing the script by adding some Try-Catch blocks in your code to narrow down the error.

 

 

 

 

September 3, 2018 at 2:45 am

Hi Thanks for the help Richard, But problem is "Get-AzureRmAutomationSchedule" cmdlet is for Azure automation account. So we cannot use this to fetch Azure Log Analytics Schedule and we could see its accepts parameter -AuotmationAccount Name and schedule name. where schedule name is like patching activities etc. whichever we have set in Automation account not in Log Analytics.

We need to fix this script that what is currently happening here. And since i am very new in PS so not able to deep dig it down.

Please explain your try and catch method where i need to modify the code and how.

I will be very thankful to you. 🙂