The query for "Warning events" has a case-sensitive KQL error and does not retrieve any results.
```kql
Event
| where EventLevelName == "warning" // this does not work
| sort by TimeGenerated desc
```
Sampled values for the EventLevelName field are "Information", "Warning", "Error".
A likely source of this code sample is the Azure Monitor Reference page for the Event table.
I propose using a case-insensitive match for the field:
```kql
Event
| where EventLevelName =~ "Warning"
```
The pattern can be found in several query files in this repo, for example:
- Azure Services/Virtual machines/Queries/Errors/Error event on computer missing security co critical update.kql
- Solutions/LogManagement/Queries/Diagnostics/Count of warning events.kql
- Solutions/LogManagement/Queries/Diagnostics/Warning events.kql
Here are screenshots illustrating the values of EventLevelName.
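
A check for the pattern this issue describes, as an added example (not code from the issue or the repository): a small Python scan that flags `EventLevelName ==` comparisons whose literal differs only in case from the values sampled above. The file names and query text are constructed, and stripping everything after `//` is a simplification that assumes no `//` inside string literals.

```python
import re

# Values sampled for EventLevelName, as listed in the issue text.
KNOWN_LEVELS = {"Information", "Warning", "Error"}

# Case-sensitive equality against a string literal; "=~" and "!=" do not match.
PATTERN = re.compile(r'\bEventLevelName\s*==\s*"([^"]*)"')

def find_case_mismatches(name, text):
    """Return (file, line_no, literal, stored_value) for each case-sensitive
    comparison whose literal differs from a known value only by case."""
    by_lower = {v.lower(): v for v in KNOWN_LEVELS}
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop KQL line comments (simplified)
        for match in PATTERN.finditer(code):
            literal = match.group(1)
            stored = by_lower.get(literal.lower())
            if stored is not None and literal != stored:
                findings.append((name, line_no, literal, stored))
    return findings

# Constructed sample queries (hypothetical file names, not repository content).
SAMPLE_QUERIES = {
    "warning_events.kql":
        'Event\n| where EventLevelName == "warning"\n| sort by TimeGenerated desc\n',
    "warning_events_fixed.kql":
        'Event\n| where EventLevelName =~ "Warning"\n',
    "error_events.kql":
        'Event\n| where EventLevelName == "Error" // exact case, matches\n',
}

def scan(queries):
    """Scan a {file name: query text} mapping in a stable order."""
    findings = []
    for name in sorted(queries):
        findings.extend(find_case_mismatches(name, queries[name]))
    return findings

if __name__ == "__main__":
    for name, line_no, literal, stored in scan(SAMPLE_QUERIES):
        print(f'{name}:{line_no}: == "{literal}" does not match stored value '
              f'"{stored}"; use =~ or the exact case')
```
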

