Azure Log Analytics · Arazzo Workflow

Azure Log Analytics Resolve Workspace by Resource Group and Run KQL

Version 1.0.0

Narrow workspaces to a resource group, resolve one, then run a KQL query.

1 workflow, 2 source APIs, 1 provider

Provider

azure-log-analytics

Workflows

resolve-workspace-and-run-kql
List resource-group workspaces, resolve one, and execute a KQL query.
Lists the Log Analytics workspaces in a resource group, reads the management record for the chosen workspace to obtain its customer (workspace) ID, and submits a KQL query to the Log Analytics query endpoint for that workspace.
3 steps
Inputs: managementApiVersion, query, resourceGroupName, subscriptionId, timespan, workspaceId, workspaceName
Outputs: customerId, tables

1. listWorkspacesByResourceGroup (operation: listWorkspacesByResourceGroup)
   List the Log Analytics workspaces within the resource group so the target workspace can be confirmed before resolving it.
2. getWorkspace (operation: getWorkspace)
   Read the management record for the chosen workspace to obtain its customer (workspace) ID.
3. runQuery (operation: postQuery)
   Execute the KQL query against the resolved workspace and return the tabular results.
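
An added example, not part of the workflow or its source repository: in the workflow as written, runQuery takes its path parameter from $inputs.workspaceId while getWorkspace resolves customerId separately, so nothing ties the queried workspace to the one that was confirmed. The Python below applies that check to the step outputs before the query request is built; the names build_query_request and WorkspaceMismatch and all sample values are assumptions constructed for illustration.

```python
import re
import uuid

# ISO 8601 duration such as P7D or PT12H, the form the timespan input documents.
_DURATION = re.compile(
    r"^P(?=\d|T\d)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")

# Constructed sample data (not real Azure output).
SAMPLE_LIST = {"value": [{"name": "law-prod"}, {"name": "law-dev"}]}
SAMPLE_WORKSPACE = {"location": "westeurope",
                    "properties": {"customerId": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"}}
SAMPLE_INPUTS = {"resourceGroupName": "rg-logging", "workspaceName": "law-prod",
                 "workspaceId": "0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0",
                 "query": "Heartbeat | take 5", "timespan": "P7D"}


class WorkspaceMismatch(ValueError):
    """The inputs do not describe the workspace the management API resolved."""


def build_query_request(inputs, list_body, workspace_body):
    """Return the runQuery path parameter and JSON body, or raise."""
    name = inputs["workspaceName"]
    # Step 1 output ($response.body#/value): target must be in the resource group.
    listed = {w.get("name", "").lower() for w in list_body.get("value", [])}
    if name.lower() not in listed:
        raise WorkspaceMismatch(
            f"{name!r} is not listed in {inputs['resourceGroupName']!r}")
    # Step 2 output ($response.body#/properties/customerId).
    resolved = uuid.UUID(workspace_body["properties"]["customerId"])
    try:
        supplied = uuid.UUID(inputs["workspaceId"])
    except ValueError as exc:
        raise WorkspaceMismatch("workspaceId is not a GUID") from exc
    if supplied != resolved:
        raise WorkspaceMismatch(
            f"workspaceId {supplied} is not the customerId resolved for {name!r}")
    body = {"query": inputs["query"]}
    timespan = inputs.get("timespan")
    if timespan is not None:  # optional input: omit it rather than send null
        if not _DURATION.match(timespan):
            raise ValueError(f"timespan {timespan!r} is not an ISO 8601 duration")
        body["timespan"] = timespan
    return {"workspaceId": str(resolved), "body": body}
```
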

Source API Descriptions

Arazzo Workflow Specification

azure-log-analytics-resolve-workspace-and-run-kql-workflow.yml
arazzo: 1.0.1
info:
  title: Azure Log Analytics Resolve Workspace by Resource Group and Run KQL
  summary: Narrow workspaces to a resource group, resolve one, then run a KQL query.
  description: >-
    A scoped discovery pattern for teams that organize Log Analytics workspaces
    by resource group. The workflow lists the workspaces within a single
    resource group, reads the management record for the chosen workspace to
    obtain its customer (workspace) ID, and then executes a Kusto Query Language
    query against that workspace. Every step spells out its request inline so the
    flow can be read and executed without opening the underlying OpenAPI
    descriptions.
  version: 1.0.0
sourceDescriptions:
- name: managementApi
  url: ../openapi/azure-log-analytics-management-api.yaml
  type: openapi
- name: queryApi
  url: ../openapi/azure-log-analytics-query-api.yaml
  type: openapi
workflows:
- workflowId: resolve-workspace-and-run-kql
  summary: List resource-group workspaces, resolve one, and execute a KQL query.
  description: >-
    Lists the Log Analytics workspaces in a resource group, reads the management
    record for the chosen workspace to obtain its customer (workspace) ID, and
    submits a KQL query to the Log Analytics query endpoint for that workspace.
  inputs:
    type: object
    required:
    - subscriptionId
    - resourceGroupName
    - workspaceName
    - workspaceId
    - query
    properties:
      subscriptionId:
        type: string
        description: The ID of the target Azure subscription.
      resourceGroupName:
        type: string
        description: The resource group whose workspaces are listed.
      workspaceName:
        type: string
        description: The management name of the Log Analytics workspace to resolve.
      workspaceId:
        type: string
        description: The customer (workspace) GUID used by the query endpoint.
      query:
        type: string
        description: The KQL query to execute against the workspace.
      timespan:
        type: string
        description: Optional ISO 8601 duration limiting the query window (e.g. P7D).
      managementApiVersion:
        type: string
        description: The management API version to use.
        default: '2025-02-01'
  steps:
  - stepId: listWorkspacesByResourceGroup
    description: >-
      List the Log Analytics workspaces within the resource group so the target
      workspace can be confirmed before resolving it.
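    # Qualified by source: Arazzo requires this form when several sourceDescriptions are defined.
    operationId: $sourceDescriptions.managementApi.listWorkspacesByResourceGroup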
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: api-version
      in: query
      value: $inputs.managementApiVersion
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      workspaces: $response.body#/value
  - stepId: getWorkspace
    description: >-
      Read the management record for the chosen workspace to obtain its
      customer (workspace) ID.
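    # Qualified by source: Arazzo requires this form when several sourceDescriptions are defined.
    operationId: $sourceDescriptions.managementApi.getWorkspace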
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: workspaceName
      in: path
      value: $inputs.workspaceName
    - name: api-version
      in: query
      value: $inputs.managementApiVersion
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      customerId: $response.body#/properties/customerId
      location: $response.body#/location
  - stepId: runQuery
    description: >-
      Execute the KQL query against the resolved workspace and return the
      tabular results.
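    # Qualified by source: Arazzo requires this form when several sourceDescriptions are defined.
    operationId: $sourceDescriptions.queryApi.postQuery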
    parameters:
    - name: workspaceId
      in: path
      value: $inputs.workspaceId
    requestBody:
      contentType: application/json
      payload:
        query: $inputs.query
        timespan: $inputs.timespan
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      tables: $response.body#/tables
  outputs:
    customerId: $steps.getWorkspace.outputs.customerId
    tables: $steps.runQuery.outputs.tables