Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
Logic app to get the alert log search rule result via mail
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 93%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Siva
646
Reputation points
Hi Team,
I am unable to pass the query from alert rule result to logic app for attaching the logsearch results in the alert mail.
Failed with below error. can any one assist on this?
{ "ResultStatus": "BadRequest", "Content": { "error": { "message": "The request had some invalid properties", "code": "BadArgumentError", "correlationId": "958a7146-30f0-45a4-a6a7-e5109acc8b37", "innererror": { "code": "SemanticError", "message": "A semantic error occurred.", "innererror": { "code": "SEM0002", "message": "No tabular expression statement found" } } } }, "Message": "Failed to get HTTP response because of invalid input (DRAFT, queryData). Bad request input. Please Check user input parameters (query syntax, chart type or other resource input)\r\nclientRequestId: b2933854-7dcd-461e-bff4-cf5e31dd6ceb"}
{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"triggers": {
"When_an_HTTP_request_is_received": {
"type": "Request",
"kind": "Http",
"inputs": {
"schema": {
"type": "object",
"properties": {
"SubscriptionId": {
"type": "string"
},
"AlertRuleName": {
"type": "string"
},
"SearchQuery": {
"type": "string"
},
"SearchIntervalStartTimeUtc": {
"type": "string"
},
"SearchIntervalEndtimeUtc": {
"type": "string"
},
"AlertThresholdOperator": {
"type": "string"
},
"AlertThresholdValue": {
"type": "integer"
},
"ResultCount": {
"type": "integer"
},
"SearchIntervalInSeconds": {
"type": "integer"
},
"LinkToSearchResults": {
"type": "string"
},
"LinkToFilteredSearchResultsUI": {
"type": "string"
},
"LinkToSearchResultsAPI": {
"type": "string"
},
"LinkToFilteredSearchResultsAPI": {
"type": "string"
},
"Description": {
"type": "string"
},
"Severity": {
"type": "string"
},
"SearchResult": {
"type": "object",
"properties": {
"tables": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"columns": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"type": {
"type": "string"
}
},
"required": [
"name",
"type"
]
}
},
"rows": {
"type": "array",
"items": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"required": [
"name",
"columns",
"rows"
]
}
},
"dataSources": {
"type": "array",
"items": {
"type": "object",
"properties": {
"resourceId": {
"type": "string"
},
"region": {
"type": "string"
},
"tables": {
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"resourceId",
"region",
"tables"
]
}
}
}
},
"WorkspaceId": {
"type": "string"
},
"ResourceId": {
"type": "string"
},
"AlertType": {
"type": "string"
}
}
}
}
}
},
"actions": {
"Initialize_variables": {
"runAfter": {},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "AffectedResource",
"type": "array",
"value": "@split(triggerBody()?['data']?['essentials']?['alertTargetIDs'][0], '/')"
}
]
}
},
"Read_a_resource": {
"runAfter": {
"Initialize_variables": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['arm']['connectionId']"
}
},
"method": "get",
"path": "/subscriptions/@{encodeURIComponent(variables('AffectedResource')[2])}/resourcegroups/@{encodeURIComponent(variables('AffectedResource')[4])}/providers/@{encodeURIComponent(variables('AffectedResource')[6])}/@{encodeURIComponent(concat(variables('AffectedResource')[7], '/', variables('AffectedResource')[8]))}",
"queries": {
"x-ms-api-version": "2018-07-10"
}
}
},
"Compose": {
"runAfter": {
"Run_query_and_list_results": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@body('Run_query_and_list_results')"
},
"Send_an_email_(V2)": {
"runAfter": {
"Create_CSV_table": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['outlook']['connectionId']"
}
},
"method": "post",
"body": {
"To": "******@gmail.com",
"Subject": "testmail",
"Body": "<p class=\"editor-paragraph\">@{body('Create_CSV_table')}</p>",
"Importance": "Normal"
},
"path": "/v2/Mail"
}
},
"Run_query_and_list_results": {
"runAfter": {
"Read_a_resource": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs-1']['connectionId']"
}
},
"method": "post",
"body": "@triggerBody()?['SearchQuery']",
"path": "/queryData",
"queries": {
"subscriptions": "28e1e42a-4438-4c30-9a5f-7d7b488fd883",
"resourcegroups": "1-ad9bb353-playground-sandbox",
"resourcetype": "Log Analytics Workspace",
"resourcename": "LAworkspace",
"timerange": "Set in query"
}
}
},
"Create_CSV_table": {
"runAfter": {
"Compose": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"from": "@outputs('Compose')",
"format": "CSV"
}
}
},
"outputs": {},
"parameters": {
"$connections": {
"type": "Object",
"defaultValue": {}
}
}
},
"parameters": {
"$connections": {
"type": "Object",
"value": {
"arm": {
"id": "/subscriptions/28e1e42a-4438-4c30-9a5f-7d7b488fd883/providers/Microsoft.Web/locations/southcentralus/managedApis/arm",
"connectionId": "/subscriptions/28e1e42a-4438-4c30-9a5f-7d7b488fd883/resourceGroups/1-ad9bb353-playground-sandbox/providers/Microsoft.Web/connections/arm",
"connectionName": "arm"
},
"outlook": {
"id": "/subscriptions/28e1e42a-4438-4c30-9a5f-7d7b488fd883/providers/Microsoft.Web/locations/southcentralus/managedApis/outlook",
"connectionId": "/subscriptions/28e1e42a-4438-4c30-9a5f-7d7b488fd883/resourceGroups/1-ad9bb353-playground-sandbox/providers/Microsoft.Web/connections/outlook",
"connectionName": "outlook"
},
"azuremonitorlogs-1": {
"id": "/subscriptions/28e1e42a-4438-4c30-9a5f-7d7b488fd883/providers/Microsoft.Web/locations/southcentralus/managedApis/azuremonitorlogs",
"connectionId": "/subscriptions/28e1e42a-4438-4c30-9a5f-7d7b488fd883/resourceGroups/1-ad9bb353-playground-sandbox/providers/Microsoft.Web/connections/azuremonitorlogs-1",
"connectionName": "azuremonitorlogs-1"
}
}
}
}
}
Azure Logic Apps
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 79%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Rupesh Asati 780 Reputation points Microsoft External Staff Moderator2025-10-22T16:43:43.2833333+00:00 Hello Siva
Thanks for reaching out on Microsoft Q&A and really appreciate your patience while we looked into this.
Understand from description that you're running into a "BadRequest" error when trying to pass the query from your alert rule to your Logic App. The error message indicates that some invalid properties were included in your request, specifically pointing out a "semantic error," which typically means that the query syntax or structure might be off.
Steps:
- Check Query Syntax: Make sure that the query you are passing in SearchQuery is well-formed and matches the expected format in Azure Monitor. You can refer to the Kusto Query Language (KQL) documentation to ensure your query is correctly structured.
- Run the Query Independently: Before sending it to your Logic App, try running your query directly in the Azure Monitor Logs workspace. This way, you can confirm that the query itself returns the expected results.
- Review Alert Rule Configuration: If your alert rule is using dimensions, make sure they are defined correctly. You can find guidance on configuring dimensions in your alert rule here.
- Using Logic Apps for Custom Payload: If you aim to include log results in your alert notifications, consider using Logic Apps to fetch the results based on your alert. You can follow the Logic Apps documentation for setting up a custom payload in your emails.
- Error Correction: The section "A semantic error occurred. No tabular expression statement found" implies that your query might need a tabular format in its results. Ensure your query is designed to return tabular data.
- Validate Connection: Ensure that your Logic App has the correct connections set up to Azure Monitor Logs and Outlook (or whichever email service you are using).
- Monitor Alert Not Sending Search Results in Azure
- Customize alert notifications by using Logic Apps
- Troubleshoot and Configure Log Search Alerts for Azure App Service Plans
I hope this helps in resolving the issue, do let me know if you have any further questions on this.
Thanks
-
Siva 646 Reputation points
2025-10-24T01:44:37.28+00:00 Hi Rupesh Asatish,
Thanks for your assistance, I have verified the KQL query it is running fine, as you mentioned, dimension i have removed and filtered in the query itself. I need output of the alertrule instead of search result link, search result query output in the mail. So i have tried in both csv and html, both are not working as its search query is not passed to logic app, it is getting error during runtime. outlook configuration is fine. so i need assistance on the logic app need to get the search query whenever alert created on the logic.
-
Rupesh Asati 780 Reputation points Microsoft External Staff Moderator
2025-10-24T13:29:42.59+00:00 Hello Siva
Thanks for reaching out on Microsoft Q&A and really appreciate your patience while we looked into this.
Thanks for the clarification on the issue. Based on your description, it sounds like the search query output is not being passed correctly to the Logic App, and that’s why the email is not receiving the results as expected.
If you're looking for the full result set in the email, consider using the Create CSV table action to format your results as CSV and attach that to your email. Ensure that the output from the Run_query_and_list_results action is correctly referenced in the Create CSV table.
Please refer the below documents:
https://free.blessedness.top/en-us/azure/azure-monitor/alerts/alerts-logic-apps?tabs=send-email
- Tutorial: Create a log search alert for an Azure resource
- Performance and monitoring - alerts and metrics
I hope this helps in resolving the issue, do let me know if you have any further questions on this.
Thanks
Sign in to comment
Sign in to answer