Open
Description
The embedded KQL queries in blob/master/Workbooks/Storage/Overview/Overview.workbook assume failure is indicated when StatusText is not equal to "Success"; see the sample query below. This assumes the protocol type is HTTP(S). However, for SMB logs, no StatusText element is generated, resulting in any SMB entries being treated as failure conditions.
```kusto
let serviceValues = dynamic(['*']);
let operationValues = dynamic(['*']);
let statusValues = dynamic(['*']);
StorageBlobLogs
| union StorageQueueLogs
| union StorageTableLogs
| union StorageFileLogs
| where StatusText != "Success"
| where "*" in ('*') or ServiceType in ('*')
| where "*" in ('*') or OperationName in ('*')
| where "*" in ('*') or StatusText in ('*')
| extend Service = ServiceType
| extend AuthType = AuthenticationType
| extend CallerIpAddress = split(CallerIpAddress, ":")[0]
| summarize ErrorCount = count()
    by
    Service,
    OperationName,
    StatusText,
    StatusCode,
    AuthType,
    tostring(CallerIpAddress),
    Uri
| sort by ErrorCount desc
```
Suggest the "where" clause be adjusted to include protocol, e.g.

```kusto
| where (StatusText != "Success" and Protocol in ("HTTPS", "HTTP")) or (StatusCode != 0 and Protocol in ("SMB"))
```
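The effect of the two predicates can be compared side by side on a small inline table. This is an added example, not part of the original issue or the workbook; the rows are constructed, and the column types (StatusCode as `long`), operation names and status values are assumptions chosen to match the suggested clause.

```kusto
// Constructed sample rows, not real log data.
// Assumption: SMB rows carry an empty StatusText (no element is generated) and
// a StatusCode of 0 on success; 5 is a constructed non-zero code standing in
// for an SMB error.
let SampleLogs = datatable(Protocol:string, OperationName:string, StatusCode:long, StatusText:string)
[
    "HTTPS", "GetBlob", 200, "Success",
    "HTTPS", "GetBlob", 403, "AuthorizationFailure",
    "SMB",   "Create",  0,   "",
    "SMB",   "Read",    0,   "",
    "SMB",   "Create",  5,   ""
];
SampleLogs
// Predicate used by the workbook query: every SMB row matches because
// an empty StatusText is never equal to "Success".
| extend FlaggedByOriginal = StatusText != "Success"
// Predicate suggested in the issue: StatusText is only consulted for HTTP(S),
// and SMB rows are judged on StatusCode instead.
| extend FlaggedBySuggested =
    (StatusText != "Success" and Protocol in ("HTTPS", "HTTP"))
    or (StatusCode != 0 and Protocol in ("SMB"))
| summarize
    Rows = count(),
    OriginalErrors = countif(FlaggedByOriginal),
    SuggestedErrors = countif(FlaggedBySuggested)
    by Protocol
```

Comparing `OriginalErrors` with `SuggestedErrors` per protocol shows how many rows the original filter counts as errors only because StatusText is absent, which is the noise that would otherwise inflate the error panel for file shares.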