Log Analytics or Azure Sentinel – how to schedule a report
In this post I show how you can schedule a report to run, using a Log Analytics query. It's a frequent ask and one I have answered a few times in posts like this:
Question: Can I schedule a query to run in Azure Monitor Logs / Log Analytics (or even for Azure Sentinel) and email the results?
Answer: Yes, I think there are two ways. The first, which I don’t go into detail about here, is to provide an Azure Monitor Workbook – that way anyone with access can see the data whenever they need (you can also enable a download control if required).
However, if you do need automation, please use a Logic App (playbook). These are great for running a Daily/Weekly/Monthly report schedule.
This is one of mine as an example:
1. The Recurrence trigger sets the schedule. This one runs on Friday at 23:00, but you decide when.
2. We use the “Run query..” action to send the KQL commands and create an output. I actually run two queries, as I need a Capacity report (shown) and a Performance report. You can add parallel branches to run more queries, or remove them to run fewer.
3. Use an email connector like “send an email…” (I use O365) to send the output to the desired people/team.
Step 1: example
Step 2
I used a time chart, you can see the other options here:
Step 3
I send a very simple email, with the output as an attachment. You could also send via Microsoft Teams, or any other supported messaging or social platform – Logic Apps has 100’s of 3rd party connectors. You use Dynamic content (click from a list) to fill in the Attachment Content / Name fields.
Please see more details: https://docs.microsoft.com/en-us/azure/logic-apps/tutorial-process-email-attachments-workflow