Azure Log Analytics · Arazzo Workflow

Azure Log Analytics Validate then Save a KQL Query

Version 1.0.0

Run a KQL query to validate it, then persist it as a saved search.

1 workflow · 2 source APIs · 1 provider
Tags: Analytics, Azure, Cloud, Logging, Monitoring, Arazzo, Workflows

Provider

azure-log-analytics

Workflows

promote-query-to-saved-search
Validate a KQL query by running it, then persist it as a saved search.
Executes a KQL query against the workspace to confirm it returns results, then creates or updates a saved search holding the same query so it becomes a curated, reusable search on the workspace.
2 steps
Inputs: category, displayName, managementApiVersion, query, resourceGroupName, savedSearchId, subscriptionId, timespan, workspaceId, workspaceName
Outputs: savedSearchName, validationTables

1. validateQuery (operation: postQuery)
   Execute the KQL query against the workspace to confirm it parses and returns tabular results before it is persisted.
2. saveSearch (operation: createOrUpdateSavedSearch)
   Persist the validated query as a saved search on the workspace so it can be rerun and shared later.

Source API Descriptions

Arazzo Workflow Specification

azure-log-analytics-promote-query-to-saved-search-workflow.yml
arazzo: 1.0.1
info:
  title: Azure Log Analytics Validate then Save a KQL Query
  summary: Run a KQL query to validate it, then persist it as a saved search.
  description: >-
    Promotes an ad hoc KQL query into a reusable saved search, but only after
    confirming the query is valid by executing it against the workspace. The
    workflow runs the query on the query endpoint, and on success stores the same
    query text as a named saved search through the management API so it can be
    rerun later. Every step spells out its request inline so the flow can be read
    and executed without opening the underlying OpenAPI descriptions.
  version: 1.0.0
sourceDescriptions:
- name: queryApi
  url: ../openapi/azure-log-analytics-query-api.yaml
  type: openapi
- name: managementApi
  url: ../openapi/azure-log-analytics-management-api.yaml
  type: openapi
workflows:
- workflowId: promote-query-to-saved-search
  summary: Validate a KQL query by running it, then persist it as a saved search.
  description: >-
    Executes a KQL query against the workspace to confirm it returns results,
    then creates or updates a saved search holding the same query so it becomes a
    curated, reusable search on the workspace.
  inputs:
    type: object
    required:
    - workspaceId
    - query
    - subscriptionId
    - resourceGroupName
    - workspaceName
    - savedSearchId
    - category
    - displayName
    properties:
      workspaceId:
        type: string
        description: The customer (workspace) GUID used by the query endpoint.
      query:
        type: string
        description: The KQL query to validate and persist.
      timespan:
        type: string
        description: Optional ISO 8601 duration used when validating the query (e.g. P1D).
      subscriptionId:
        type: string
        description: The ID of the target Azure subscription.
      resourceGroupName:
        type: string
        description: The resource group that contains the workspace.
      workspaceName:
        type: string
        description: The management name of the Log Analytics workspace.
      savedSearchId:
        type: string
        description: The ID to assign the new or updated saved search.
      category:
        type: string
        description: The category to file the saved search under (e.g. General Exploration).
      displayName:
        type: string
        description: The display name for the saved search.
      managementApiVersion:
        type: string
        description: The management API version to use.
        default: '2025-02-01'
  steps:
  - stepId: validateQuery
    description: >-
      Execute the KQL query against the workspace to confirm it parses and
      returns tabular results before it is persisted.
    operationId: postQuery
    parameters:
    - name: workspaceId
      in: path
      value: $inputs.workspaceId
    requestBody:
      contentType: application/json
      payload:
        query: $inputs.query
        timespan: $inputs.timespan
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      tables: $response.body#/tables
  - stepId: saveSearch
    description: >-
      Persist the validated query as a saved search on the workspace so it can
      be rerun and shared later.
    operationId: createOrUpdateSavedSearch
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: workspaceName
      in: path
      value: $inputs.workspaceName
    - name: savedSearchId
      in: path
      value: $inputs.savedSearchId
    - name: api-version
      in: query
      value: $inputs.managementApiVersion
    requestBody:
      contentType: application/json
      payload:
        properties:
          category: $inputs.category
          displayName: $inputs.displayName
          query: $inputs.query
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      savedSearchName: $response.body#/name
      savedQuery: $response.body#/properties/query
  outputs:
    savedSearchName: $steps.saveSearch.outputs.savedSearchName
    validationTables: $steps.validateQuery.outputs.tables
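
A pre-flight sketch of the validate-then-save gate in Python, added here as an example and not part of the workflow file or the provider's code. It checks the workflow inputs, builds the two request bodies, and allows saveSearch only when the validateQuery response carries tables. The function names, the GUID and duration checks, the `columns` field and the sample values are assumptions of this example.

```python
import re
import uuid

# ISO 8601 duration such as P1D or PT12H (the form the `timespan` input describes).
_DURATION = re.compile(
    r"^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")

REQUIRED = ("workspaceId", "query", "subscriptionId", "resourceGroupName",
            "workspaceName", "savedSearchId", "category", "displayName")

# Constructed sample inputs; every value here is a placeholder.
SAMPLE = {"workspaceId": "00000000-0000-0000-0000-000000000000",
          "query": "Heartbeat | take 5", "timespan": "P1D",
          "subscriptionId": "sub-placeholder", "resourceGroupName": "rg-example",
          "workspaceName": "ws-example", "savedSearchId": "example-search",
          "category": "General Exploration", "displayName": "Example search"}


def check_inputs(inputs):
    """Return a list of problems with the workflow inputs (empty list = OK)."""
    problems = [f"missing required input: {k}" for k in REQUIRED if not inputs.get(k)]
    if inputs.get("workspaceId"):
        try:
            uuid.UUID(inputs["workspaceId"])
        except ValueError:
            problems.append("workspaceId is not a GUID")
    ts = inputs.get("timespan")
    if ts is not None and not _DURATION.match(ts):
        problems.append("timespan is not an ISO 8601 duration")
    return problems


def validate_payload(inputs):
    """Body for validateQuery; the optional timespan is left out when unset."""
    body = {"query": inputs["query"]}
    if inputs.get("timespan"):
        body["timespan"] = inputs["timespan"]
    return body


def save_payload(inputs):
    """Body for saveSearch: the same query text that was validated."""
    return {"properties": {"category": inputs["category"],
                           "displayName": inputs["displayName"],
                           "query": inputs["query"]}}


def validation_passed(status_code, body):
    """Gate for step 2: HTTP 200 and at least one table, each with columns."""
    tables = body.get("tables") if isinstance(body, dict) else None
    return status_code == 200 and bool(tables) and all(t.get("columns") for t in tables)
```

The gate is stricter than the workflow's `$statusCode == 200` criterion: a 200 response with an empty `tables` array does not reach saveSearch.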