Handling JSON payload from upgraded Log Analytics workspaces; New issues

For a month I have complained about the missing documentation of handling the new JSON format used by Log Analytics (v2) when an alert is sent to a webhook.

Finally, Microsoft have provided an example of converting the payload to PowerShell objects!

param ( 

$RequestBody = ConvertFrom-JSON -InputObject $WebhookData.RequestBody

# Get all metadata properties    
$AlertRuleName = $RequestBody.AlertRuleName
$AlertThresholdOperator = $RequestBody.AlertThresholdOperator
$AlertThresholdValue = $RequestBody.AlertThresholdValue
$AlertDescription = $RequestBody.Description
$LinktoSearchResults =$RequestBody.LinkToSearchResults
$ResultCount =$RequestBody.ResultCount
$Severity = $RequestBody.Severity
$SearchQuery = $RequestBody.SearchQuery
$WorkspaceID = $RequestBody.WorkspaceId
$SearchWindowStartTime = $RequestBody.SearchIntervalStartTimeUtc
$SearchWindowEndTime = $RequestBody.SearchIntervalEndtimeUtc
$SearchWindowInterval = $RequestBody.SearchIntervalInSeconds

# Get detailed search results
if($RequestBody.SearchResult -ne $null)
    $SearchResultRows    = $RequestBody.SearchResult.tables[0].rows 
    $SearchResultColumns = $RequestBody.SearchResult.tables[0].columns;

    foreach ($SearchResultRow in $SearchResultRows)
        $Column = 0
        $Record = New-Object –TypeName PSObject 

        foreach ($SearchResultColumn in $SearchResultColumns)
            $Name = $SearchResultColumn.name
            $ColumnValue = $SearchResultRow[$Column]
            $Record | Add-Member –MemberType NoteProperty –Name $name –Value $ColumnValue -Force


        # Include code to work with the record. 
        # For example $Record.Computer to get the computer property from the record.


Reference: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-alerts-actions

I have tested it myself and yes – it works, and I now have the payload converted to a PSObject.

But there is another problem – or inexpedient outcome. The picture above is only the first part of the converted payload. Every object includes all fields of every log types in the workspace.

For that reason an object looks like this

$table                            : Perf
TenantId                          : 214fc5a7-9a4e-4818-a600-xxxxxxxxxxxx
Computer                          : servername
TimeGenerated                     : 2017-10-27T06:42:48.137Z
SourceSystem                      : OpsManager
Type                              : Perf
ObjectName                        : Network Adapter
CounterName                       : Bytes Sent/sec
InstanceName                      : Microsoft Hyper-V Network Adapter
CounterValue                      : 0
CounterPath                       : \\servername\Network Adapter(Microsoft Hyper-V Network Adapter)\Bytes Sent/sec
MG                                : 00000000-0000-0000-0000-000000000001
Min                               : 
Max                               : 
SampleCount                       : 
BucketStartTime                   : 
BucketEndTime                     : 
StandardDeviation                 : 
Source                            : 
EventLog                          : 
EventLevel                        : 
EventLevelName                    : 
ParameterXml                      : 
EventData                         : 
EventID                           : 
RenderedDescription               : 
AzureDeploymentID                 : 
Role                              : 
EventCategory                     : 
UserName                          : 
Message                           : 
ManagementGroupName               : 
ConfigChangeType                  : 

And it goes on… 495 fields.

I know these fields can be excluded when converting the JSON payload, but I’m concerned about the amount of excess data included in every alert sent from OMS.

The test was performed on a OMS workspace with no custom-made fields (except for those created by the few solutions added). Now Imagine if you have created hundreds of custom fields. They will all be included in every payload send from OMS alerting.

I hope Microsoft can or will make a change to the way the payload is build.

Soren is an IT Professional based in Copenhagen, Denmark.

His primary work areas are system design, deployment, migration and administration of business-critical IT infrastructure.

Leave a Reply

Your email address will not be published. Required fields are marked *