OMS: JSON Payload to Webhooks is Broken after Workspace is Upgraded to Kusto Query

Microsoft released an option to upgrade OMS to use Kusto for querying data in Log Analytics. The release is in public preview, so bugs are still expected.

One bug I discovered breaks the whole automation part of OMS. I’m currently performing a PoC at a customer, where OMS alerts must kick off Azure Automation Runbooks. The JSON payload is vital in this project. Unfortunately, the payload is broken!

The issue

The payload looked like this before the upgrade:

Now, it looks like this:

The format of the payload has changed significantly, and I haven’t found any solution to make the payload usable in Automation Runbooks – besides extensive static mapping.

If you are thinking “this looks like a recent bug in the OMS PowerShell Module?”, then yes – until recently, there has been a similar issue in the AzureRM.OperationalInsights module. The issue was fixed in version 3.3.1, released 16th August 2017.


I have tried creating new alerts and new runbooks. I have even tried creating new OMS workspaces – same issue; the WebhookData input is broken.

A workaround for this could be to extract the Kusto Query used to generate the alert, and then use it in a Get-AzureRmOperationalInsightsSearchResults cmdlet. It is neither an effective nor a pretty solution, but we will be able to reach our target: get some usable JSON.

But unfortunately, Get-AzureRmOperationalInsightsSearchResults does not support Kusto – only the old query language 🙁

*** UPDATE 05/09/2017 ***

I have created a GitHub issue regarding this issue. Read more here.

Kusto Query:

Native/Old Query

So, now I’m stuck..

The issue has been reported to the product team. Stay tuned.

Soren is an IT Professional based in Copenhagen, Denmark.

His primary work areas are system design, deployment, migration and administration of business-critical IT infrastructure.
