openapi: 3.1.0 info: title: Azure Monitor Logs API description: >- Query and retrieve log data from Azure Monitor Logs and Application Insights using the Kusto Query Language (KQL). Provides access to Log Analytics workspace data and Application Insights telemetry. version: '2022-10-27' contact: name: Microsoft Azure Support url: https://azure.microsoft.com/en-us/support/options/ license: name: Microsoft API License url: https://azure.microsoft.com/en-us/support/legal/ servers: - url: https://api.loganalytics.io/v1 description: Azure Log Analytics data plane API - url: https://api.applicationinsights.io/v1 description: Application Insights data plane API security: - oauth2: - https://api.loganalytics.io/.default tags: - name: Metadata description: Operations for retrieving workspace and table metadata - name: Query description: Operations for querying log data using KQL paths: /workspaces/{workspaceId}/query: get: operationId: Query_Get summary: Azure Monitor Execute a Log Analytics query via GET description: >- Executes an Analytics query for data from a Log Analytics workspace using Kusto Query Language (KQL). The query is provided as a query parameter. tags: - Query parameters: - $ref: '#/components/parameters/WorkspaceIdParameter' - name: query in: query required: true description: The Analytics query in KQL format. schema: type: string - name: timespan in: query required: false description: >- The timespan over which to query data in ISO 8601 duration format. schema: type: string responses: '200': description: Successful query response containing table results. content: application/json: schema: $ref: '#/components/schemas/QueryResults' default: description: Error response describing why the operation failed. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' post: operationId: Query_Execute summary: Azure Monitor Execute a Log Analytics query via POST description: >- Executes an Analytics query for data from a Log Analytics workspace using Kusto Query Language (KQL). The query is provided in the request body along with optional parameters. tags: - Query parameters: - $ref: '#/components/parameters/WorkspaceIdParameter' requestBody: description: The Analytics query body containing query text and parameters. required: true content: application/json: schema: $ref: '#/components/schemas/QueryBody' responses: '200': description: Successful query response containing table results. content: application/json: schema: $ref: '#/components/schemas/QueryResults' default: description: Error response describing why the operation failed. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' /workspaces/{workspaceId}/metadata: get: operationId: Metadata_Get summary: Azure Monitor Get workspace metadata description: >- Gets metadata information about the Log Analytics workspace including available tables, functions, and schemas. tags: - Metadata parameters: - $ref: '#/components/parameters/WorkspaceIdParameter' responses: '200': description: Successful request to get workspace metadata. content: application/json: schema: $ref: '#/components/schemas/MetadataResults' default: description: Error response describing why the operation failed. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' components: securitySchemes: oauth2: type: oauth2 flows: clientCredentials: tokenUrl: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token scopes: https://api.loganalytics.io/.default: Access Log Analytics API parameters: WorkspaceIdParameter: name: workspaceId in: path required: true description: >- ID of the workspace. This is the Workspace ID from the Properties blade in the Azure portal. schema: type: string format: uuid schemas: QueryBody: type: object required: - query properties: query: type: string description: The Analytics query in KQL format. timespan: type: string description: >- The timespan over which to query data in ISO 8601 duration format. workspaces: type: array items: type: string description: >- A list of workspaces included in cross-workspace queries. applications: type: array items: type: string description: >- A list of Application Insights applications for cross-application queries. QueryResults: type: object required: - tables properties: tables: type: array items: $ref: '#/components/schemas/Table' description: The list of tables, columns and rows returned by the query. Table: type: object required: - name - columns - rows properties: name: type: string description: The name of the table. columns: type: array items: $ref: '#/components/schemas/Column' description: The list of columns in this table. rows: type: array items: type: array items: {} description: >- The resulting rows from this query. Each row is an array of values. Column: type: object properties: name: type: string description: The name of this column. type: type: string enum: - bool - datetime - dynamic - int - long - real - string - guid - decimal - timespan description: The data type of this column. MetadataResults: type: object properties: tables: type: array items: $ref: '#/components/schemas/MetadataTable' description: The list of tables in the workspace. functions: type: array items: $ref: '#/components/schemas/MetadataFunction' description: The list of saved functions in the workspace. MetadataTable: type: object properties: id: type: string description: The ID of the table. name: type: string description: The name of the table. description: type: string description: The description of the table. columns: type: array items: $ref: '#/components/schemas/Column' description: The columns in the table. MetadataFunction: type: object properties: id: type: string description: The ID of the function. name: type: string description: The name of the function. body: type: string description: The KQL body of the function. description: type: string description: The description of the function. ErrorResponse: type: object properties: error: type: object properties: code: type: string description: Error code. message: type: string description: Error message. required: - code - message