To learn more, visit the Azure documentation.

Parameters

ParameterDescription
FilterReduces the set of data collected.This argument is required and it also requires at least the start date/time.The **filterargumentisveryrestrictedandallowsonlythefollowingpatterns.Listeventsforaresourcegroup:filter** argument is very restricted and allows only the following patterns.- *List events for a resource group*: filter=eventTimestamp ge ‘2014-07-16T04:36:37.6407898Z’ and eventTimestamp le ‘2014-07-20T04:36:37.6407898Z’ and resourceGroupName eq ‘resourceGroupName’.
  • List events for resource: $filter=eventTimestamp ge ‘2014-07-16T04:36:37.6407898Z’ and eventTimestamp le ‘2014-07-20T04:36:37.6407898Z’ and resourceUri eq ‘resourceURI’.
  • List events for a subscription in a time range: $filter=eventTimestamp ge ‘2014-07-16T04:36:37.6407898Z’ and eventTimestamp le ‘2014-07-20T04:36:37.6407898Z’.
  • List events for a resource provider: $filter=eventTimestamp ge ‘2014-07-16T04:36:37.6407898Z’ and eventTimestamp le ‘2014-07-20T04:36:37.6407898Z’ and resourceProvider eq ‘resourceProviderName’.
  • List events for a correlation Id: $filter=eventTimestamp ge ‘2014-07-16T04:36:37.6407898Z’ and eventTimestamp le ‘2014-07-20T04:36:37.6407898Z’ and correlationId eq ‘correlationID’.NOTE: No other syntax is allowed. | | Subscription ID | The Azure subscription Id. |

Example Output

{    "nextLink": "Provides the link to retrieve the next set of events.",    "value": [        {            "authorization": {                "action": "the permissible actions. For instance: microsoft.support/supporttickets/write",                "role": "the role of the user. For instance: Subscription Admin",                "scope": "the scope."            },            "caller": "the email address of the user who has performed the operation, the UPN claim or SPN claim based on availability.",            "category": {                "localizedValue": "the locale specific value.",                "value": "the invariant value."            },            "claims": {},            "correlationId": "the correlation Id, usually a GUID in the string format. The correlation Id is shared among the events that belong to the same uber operation.",            "description": "the description of the event.",            "eventDataId": "the event data Id. This is a unique identifier for an event.",            "eventName": {                "localizedValue": "the locale specific value.",                "value": "the invariant value."            },            "eventTimestamp": "the timestamp of when the event was generated by the Azure service processing the request corresponding the event. It in ISO 8601 format.",            "httpRequest": {                "clientIpAddress": "the client Ip Address",                "clientRequestId": "the client request id.",                "method": "the Http request method.",                "uri": "the Uri."            },            "id": "the Id of this event as required by ARM for RBAC. It contains the EventDataID and a timestamp information.",            "level": "the event level",            "operationId": "It is usually a GUID shared among the events corresponding to single operation. This value should not be confused with EventName.",            "operationName": {                "localizedValue": "the locale specific value.",                "value": "the invariant value."            },            "properties": {},            "resourceGroupName": "the resource group name of the impacted resource.",            "resourceId": "the resource uri that uniquely identifies the resource that caused this event.",            "resourceProviderName": {                "localizedValue": "the locale specific value.",                "value": "the invariant value."            },            "resourceType": {                "localizedValue": "the locale specific value.",                "value": "the invariant value."            },            "status": {                "localizedValue": "the locale specific value.",                "value": "the invariant value."            },            "subStatus": {                "localizedValue": "the locale specific value.",                "value": "the invariant value."            },            "submissionTimestamp": "the timestamp of when the event became available for querying via this API. It is in ISO 8601 format. This value should not be confused eventTimestamp. As there might be a delay between the occurrence time of the event, and the time that the event is submitted to the Azure logging infrastructure.",            "subscriptionId": "the Azure subscription Id usually a GUID.",            "tenantId": "the Azure tenant Id"        }    ]}

Workflow Library Example

List Activity Logs with Azure and Send Results Via Email

Preview this Workflow on desktop