Computer groups in OMS


Summary: Learn how to create computer groups in OMS or import computer groups from Active Directory and WSUS.

Hi everyone, Leyla Kazemi here, and today I want to talk about new functionalities in Operations Management Suite (OMS) which help you both create computer groups in OMS, and import computer groups from Active Directory and Windows Server Update Services (WSUS).

Saved Computer Groups

The first functionality that I would like to announce is how to save a computer group in OMS. Saved computer groups are computer groups that are created from a search query. Any query in search that returns a list of computers can be saved as a saved computer group.

In order to create your saved computer group, go to OMS Search and enter a query that returns a list of computers. Here is an example query:

Computer=*Crepe*  | Distinct Computer

This query returns all computers that have the name, Crepe, in them and that are sending data to OMS. In order to save this computer group, all I need to do is to click the Save button from the task bar. This is a similar experience for saving a search.

Screenshot of Save button to save a computer group.

In the right pane, I save the search with a name and a category. In this example, here is the name category that I’m saving my search with:

Name: My Crepe Computers

Category: Leyla Groups

I then click the Yes button to save this as a computer group. Finally, I click Save to save the computer group.

Screenshot that shows the Yes button selected to save a query as a computer group.

In order to save a computer group, your query has to be piped into Distinct Computer. Here are few examples about how to create computer groups:

Example 1: Group of all computers

*| Distinct Computer

 

Example 2: Static group that includes both Computer A and Computer B

Computer=A OR Computer=B | Distinct Computer

Example 2 shows how you can create a static computer group by listing all the computers and using Distinct on them.

After the group is saved, you can find it on the Settings page in the Computer Groups tab. This page lists all the saved computer groups.

Screenshot of the Computer Groups tab that list saved groups.

The search icon for each of the groups will take you to search to return all the members of that group. To remove any group, click the Remove icon. Note that when you remove the group, you also remove the saved search for that group. Similarly, when you remove the saved search from the saved search page, you remove the corresponding saved group in this page.

How to use Saved Computer Groups in Search

You can use the computer group to narrow down your search results to a specific computer group. Here is the syntax you can use:

$ComputerGroups[Name]

OR

$ComputerGroups[Category: Name]

Note: The category name is required if two computer groups with the same name are saved in two different categories.

Let’s say that for the previous example that I want to find all the missing required updates for My Crepe Computers Group. Here is how I formulate the query:

Type:Update UpdateState=needed Optional=false Computer IN $ComputerGroups[My Crepe Computers]

 

Similarly, I want to find the hourly CPU average across all my computers in My Crepe Computers Group.

Type:Perf ObjectName=Processor CounterName="% Processor Time" InstanceName=_Total Computer IN $ComputerGroups[My Crepe Computers] | measure avg(CounterValue) by Computer interval 1HOUR

Screenshot that shows results of the two previous queries.

How to create saved computer groups using the Azure Resource Manager API

You can also create saved computer groups programmatically by using the Azure Resource Manager API. The steps can be found at Log Analytics Log Search API.

Import Computer Groups from Active Directory

Not only you can create your own computer groups in OMS, you can also import your computer groups from Active Directory. For any domain-joined computer that is connected to OMS, we can pull all the Active Directory security groups that the computer is a member of, and all those groups would be available to use in OMS.

In order to import computer groups from Active Directory, go to the Computer Groups tab under Settings, and click the Active Directory tab. When you select the checkbox and press Save, your Active Directory computer groups are imported to OMS. It may take about up to an hour for you to see the computer groups getting imported.

5

After discovery is enabled, the group membership information will be retrieved on an interval basis to keep the group memberships current. You can choose to disable discovery at any time.

After the groups are imported, you can see how many computers with group memberships have been detected. You can also see the number of groups that have been imported. When you click each one, you go to search which shows you all the imported groups and all computers that belong to each group.

Screenshot that shows computes with group memberships detected and imported groups.

I can now use the same syntax for using my Active Directory groups in the search query language. In this example, I want to look at all the error events for the Active Directory group, Corp Computers.

Type:Event EventLevelName=error Computer IN $ComputerGroups[Corp Computers]

Note: If an Active Directory group has the same name as a saved group, $ComputerGroups would return the result for the saved group query.

Import Computer Groups from WSUS

If you use the WSUS targeting groups, you can also import them. This is a similar experience to importing from Active Directory. All you need to do is to go to the WSUS tab under Computer Groups in Settings, and select the checkbox.

If client-side targeting is configured on your WSUS server, any computer that is connected to OMS and is part of any WSUS targeting groups will have its group membership imported to OMS. If you have configured your WSUS server-to-server side targeting, the OMS agent should be installed on the WSUS server itself in order for the group membership information to be imported to OMS.

Similar to Active Directory, after discovery is enabled, the group membership information will be retrieved on an interval basis. You can choose to disable the discovery at any time by unchecking the checkbox. After the groups are imported, you can get similar information to Active Directory groups, like all the computers that have been detected with group memberships. You can also see all the imported groups.

Screenshot that shows results when you import computer groups from WSUS.

Also, you can refer to any WSUS computer group by using the same syntax:

$ComputerGroups[WSUSGROUPNAME]

Similarly, if a WSUS group has the same name as the saved group, $ComputerGroups would return the result for the Saved Group query.

That is all I have for you today. Join me next time when I talk about what’s coming next with Groups in OMS.

Leyla Kazemi

Microsoft Operations Management Team

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Comments (11)

  1. Aurel AMEGAH says:

    Hello, does it work with OU ?

  2. Marco says:

    awesome

  3. Paul C says:

    Great article and very useful new feature.

    However are you aware that attempting to use the Group feature via the Powershell OMS Search API as described in this article does not work, any queries (static or dynamic), initiated that include the new group syntax return an empty result with no error (the queries work fine within OMS itself)?

    https://blogs.technet.microsoft.com/privatecloud/2016/04/05/using-the-oms-search-api-with-native-powershell-cmdlets/

    So for example if I have search query defined as this it works within OMS but not when called via the PS OMS Search API:
    Type=Event Computer IN $ComputerGroups[MyGroupName] | Distinct Computer
    Change the search query to this and it works fine:
    Type=Event | Distinct Computer

    Any idea if this will be addressed?

  4. Imran says:

    Hi Leyla, Can we search with having Subscription name in the log search, basically what I am looking is to query all computers in specific region having name some thing like *dev*.
    with out the regional clause, the query will return all the computers that have dev in their name, can we filter only computers in subscriptions from NA having name dev.

    1. Dugan Sheehan says:

      @Imran

      This is definitely a work around, but you may be able to use the coordinates from the heartbeat log to group computers by location. Some of the attributes in Type=Heartbeat are RemoteIPLongitude and RemoteIPLatitude.

      Example:
      Type=Heartbeat AND RemoteIPLongitude=-98.54 AND RemoteIPLatitude=29.47 | distinct Computer

  5. Lou says:

    Hey Leyla, is it possible to have two groups in the same query? I have unsuccessfully tried all sort of combinations. please advise.

    1. guy says:

      same problem here…

  6. Deepak says:

    How to edit the computer group? I want to add one new computer. Do I have to delete and recreate?

    1. guy says:

      unfortunately you cannot, you must delete and re-create it. this is a big problem for maintainability. There needs to be a better way soon I hope.

  7. blakebaker008 says:

    super article and really beneficial new function.

  8. vasavi says:

    i am trying to create a saved computer group using ARM Template. what is the key value pair to save a search query as a computer group

Skip to main content