Edit

Share via


Run search jobs in Azure Monitor

A search job is an asynchronous query you run on any data in your Log Analytics - in both analytics and long-term retention - that makes the query results available for interactive queries in a new search table within your workspace. The search job uses parallel processing and can run for hours across large datasets. This article describes how to create a search job and how to query its resulting data.

This video explains when and how to use search jobs:

Permissions required

Action Permissions required
Run a search job Microsoft.OperationalInsights/workspaces/tables/write and Microsoft.OperationalInsights/workspaces/searchJobs/write permissions to the Log Analytics workspace, for example, as provided by the Log Analytics Contributor built-in role.

Note

Cross-tenant search jobs aren't supported. Azure Lighthouse delegated access is also not supported for search jobs even when a delegated role is assigned which includes the searchJobs/write permission.

When to use search jobs

Use search jobs to:

What does a search job do?

A search job scans data and sends its results to a new table in the same workspace as the source data. The results table is available as soon as the search job begins, but it may take time for results to begin to appear. A cost is incurred based on the pricing model of scanned data and the size of the ingested results. Before a search job is run, a cost estimation is available to help you decide whether to run the job.

Screenshot showing cost estimation preview.

The search job results table is an Analytics table that is available for log queries and other Azure Monitor features that use tables in a workspace. The table uses the retention value set for the workspace, but you can modify this value after the table is created.

The search results table schema is based on the source table schema and the specified query. The following other columns help you track the source records:

Column Value
_OriginalType Type value from source table.
_OriginalItemId _ItemID value from source table.
_OriginalTimeGenerated TimeGenerated value from source table.
TimeGenerated Time at which the search job ran.

Queries on the results table appear in log query auditing but not the initial search job.

Run a search job

Run a search job to fetch records from large datasets into a new search results table in your workspace.

Tip

You incur charges for running a search job. Write and optimize your query in interactive query mode before running the search job. Use the cost estimation preview to understand the potential costs.

To run a search job, in the Azure portal:

  1. From the Log Analytics workspace menu, select Logs.

  2. Type a search job query or just select the table you want.

  3. Select the ellipsis menu on the right-hand side of the screen and select Search job.

    Screenshot of the Logs screen with the Search job menu item highlighted.

  4. Specify the search job date range using the time picker. Choose any period within the total retention period.

    If your Kusto query also specifies a time range, the union of the time ranges is used for the search job.

    Screenshot that shows the search job interface prompting for time range and the search job results table.

  5. Enter a name for the search job result table and select Run a search job.

    Azure Monitor Logs runs the search job and creates a new table in your workspace for your search job results.

  6. When the new table is ready, select View '<searchtablename>_SRCH' to view the table in Log Analytics.

    Search job results are available as they begin flowing into the newly created search job results table.

    Screenshot that shows search job results table with data.

    Azure Monitor Logs shows a Search job is done message when it's completed. When you see that message or the progress shows 100%, the results table is now ready with all the records that match the search query.

Get search job status and details

  1. From the Log Analytics workspace menu, select Logs.

  2. From Tables > Search results, hover over your search results table to view the progress.

    The icon on the search job results table displays an update indicator icon until the search job is completed.

    Screenshot that shows the Tables tab on Logs screen in the Azure portal with the search results tables listed under Search results.

Delete a search job table

We recommend you delete the search job table when you're done querying the table. This best practice reduces workspace clutter and extra charges for data retention.

Considerations

Search jobs are subject to the following considerations:

  • Optimized to query one table at a time
  • Search date range is any period within the total retention
  • Supports long running searches up to a 24-hour time-out
  • Results are limited to 100 million records in the record set - if limit is surpassed, Azure Monitor aborts the job with a status of partial success, and the table contains only records ingested up to that point
  • Concurrent execution is limited to ten search jobs per workspace.
  • Limited to 200 search results tables per workspace
  • Limited to 200 search job executions per day per workspace
  • Cross-tenant search jobs aren't supported
  • Azure Lighthouse delegated access isn't supported for search jobs even if the delegation contains the proper searchJobs/write permission - fails with error message:
    User <managing-tenant-userId> does not maintain access to action Microsoft.OperationalInsights/workspaces/searchJobs/write at scope <delegated-workspace-resourceID>.

KQL query considerations

Search jobs are intended to scan large volumes of data in a specific table, so search job queries must always start with a table name. To enable asynchronous execution using distribution and segmentation, the query supports a subset of KQL, including these tabular operators:

All functions and binary operators within these operators are usable.

The contains string operator is blocked from use in search jobs since advanced text matches have significant impact on performance. Instead, use the has string operator. For more information on performance considerations, see Optimize log queries in Azure Monitor.

Pricing model

The search job charge is based on:

  • Search job execution:

    • Analytics plan - The amount of data the search job scans that's in long-term retention. There's no charge for scanning data that's in analytics retention in Analytics tables.

    • Basic or Auxiliary plans - All data the search job scans in long-term retention.

      The data scanned is defined as the volume of data in the table that you run the search job on, within the time range you specified. For more information about analytics and long-term retention, see Manage data retention in a Log Analytics workspace.

  • Search job results - The amount of data the search job finds and is ingested into the results table, based on the data ingestion rate for Analytics tables.

For example, if a search on a Basic table spans 30 days and the table holds 500 GB of data per day, you're charged for 15,000 GB of scanned data. If the search job returns 1,000 records, you're charged for ingesting these 1,000 records into the results table.

For more information, see Azure Monitor pricing.