fabiocannas · December 9, 2024 15:59
diff --git a/ARG_AZ_RSV_backup_jobs_failures.kql b/ARG_AZ_RSV_backup_jobs_failures.kql
 arg('').RecoveryServicesResources
 | where type in~ ('microsoft.recoveryservices/vaults/backupjobs')  
 | extend vaultName = case(type =~ 'microsoft.dataprotection/backupVaults/backupJobs', properties.vaultName, type =~ 'Microsoft.RecoveryServices/vaults/backupJobs', split(split(id, '/Microsoft.RecoveryServices/vaults/')[1], '/')[0], '--')  
 | extend friendlyName = case(type =~ 'microsoft.dataprotection/backupVaults/backupJobs', strcat(properties.dataSourceSetName, '/', properties.dataSourceName), type =~ 'Microsoft.RecoveryServices/vaults/backupJobs', properties.entityFriendlyName, '--')  
 | extend dataSourceType = case(type =~ 'Microsoft.RecoveryServices/vaults/backupJobs', properties.backupManagementType, type =~ 'microsoft.dataprotection/backupVaults/backupJobs', properties.dataSourceType, '--')  
 | extend protectedItemName = split(split(properties.backupInstanceId, 'protectedItems')[1], '/')[1]  
 | extend vaultId = tostring(split(id, '/backupJobs')[0])  
 | extend vaultSub = tostring(split(id, '/')[2])  
 | extend
    jobStatus = properties.status,
    operation = case(type =~ 'microsoft.dataprotection/backupVaults/backupJobs' and tolower(properties.operationCategory) =~ 'backup' and properties.isUserTriggered == 'true', strcat('adhoc', properties.operationCategory), type =~ 'microsoft.dataprotection/backupVaults/backupJobs', tolower(properties.operationCategory), type =~ 'Microsoft.RecoveryServices/vaults/backupJobs' and tolower(properties.operation) =~ 'backup' and properties.isUserTriggered == 'true', strcat('adhoc', properties.operation), type =~ 'Microsoft.RecoveryServices/vaults/backupJobs', tolower(properties.operation), '--'),
    startTime = todatetime(properties.startTime),
    endTime = properties.endTime,
    duration = properties.duration   
 | where startTime >= ago(24h)  
 | where jobStatus in ("Failed", "Cancelled", "Suspended", "TimedOut", "CompletedWithWarnings")  
 | project vaultSub, vaultId, protectedItemName, startTime, endTime, jobStatus, operation
	arg('').RecoveryServicesResources
	\| where type in~ ('microsoft.recoveryservices/vaults/backupjobs')
	\| extend vaultName = case(type =~ 'microsoft.dataprotection/backupVaults/backupJobs', properties.vaultName, type =~ 'Microsoft.RecoveryServices/vaults/backupJobs', split(split(id, '/Microsoft.RecoveryServices/vaults/')[1], '/')[0], '--')
	\| extend friendlyName = case(type =~ 'microsoft.dataprotection/backupVaults/backupJobs', strcat(properties.dataSourceSetName, '/', properties.dataSourceName), type =~ 'Microsoft.RecoveryServices/vaults/backupJobs', properties.entityFriendlyName, '--')
	\| extend dataSourceType = case(type =~ 'Microsoft.RecoveryServices/vaults/backupJobs', properties.backupManagementType, type =~ 'microsoft.dataprotection/backupVaults/backupJobs', properties.dataSourceType, '--')
	\| extend protectedItemName = split(split(properties.backupInstanceId, 'protectedItems')[1], '/')[1]
	\| extend vaultId = tostring(split(id, '/backupJobs')[0])
	\| extend vaultSub = tostring(split(id, '/')[2])
	\| extend
	jobStatus = properties.status,
	operation = case(type =~ 'microsoft.dataprotection/backupVaults/backupJobs' and tolower(properties.operationCategory) =~ 'backup' and properties.isUserTriggered == 'true', strcat('adhoc', properties.operationCategory), type =~ 'microsoft.dataprotection/backupVaults/backupJobs', tolower(properties.operationCategory), type =~ 'Microsoft.RecoveryServices/vaults/backupJobs' and tolower(properties.operation) =~ 'backup' and properties.isUserTriggered == 'true', strcat('adhoc', properties.operation), type =~ 'Microsoft.RecoveryServices/vaults/backupJobs', tolower(properties.operation), '--'),
	startTime = todatetime(properties.startTime),
	endTime = properties.endTime,
	duration = properties.duration
	\| where startTime >= ago(24h)
	\| where jobStatus in ("Failed", "Cancelled", "Suspended", "TimedOut", "CompletedWithWarnings")
	\| project vaultSub, vaultId, protectedItemName, startTime, endTime, jobStatus, operation