I’ve been waiting for this OMS feature with anticipation. At first sight you might think this is nothing worth getting excited about, but quite the contrary: this feature lets you extract additional insights from your logs. Why? Many log sources, such as Syslog and the Windows Event Log, stuff much of their data into a single field, which makes that data hard to search once it is ingested. Inside that field the data is structured in some form, such as XML or plain text. With this feature you can, in a few easy clicks, turn parts of that data into searchable fields. The OMS team has already explained how to do that in a detailed blog post. What I want to do is walk through the feature again and provide a couple more examples.
In a previous post I showed you how to audit PowerShell with OMS. Let’s expand on that and make the audit more granular by using this new feature.
First step: Execute the query:
Second step: Click on the hamburger menu next to the field from which you want to extract data.
Third step: Make sure you have selected the fields you want to filter on. Then highlight the area that should serve as the example for your data. In my case I highlighted the value after “Command Name”. Once the value is highlighted, give the field a name that will be easy for everyone working with OMS to understand. Click Extract.
Fourth step: Clicking Extract takes you to samples of the results you will see if you save that extraction. If some results are not what they should be, you can edit them individually or ignore them; that helps the extraction algorithm provide better results. Once you are happy with the results, click Save extraction. Be careful, as there is currently no way to delete an extraction that has already been saved. Not that it will somehow tamper with your data, but it might be confusing for other people working in your OMS workspace.
Fifth step: Remember that the extraction is applied only to new results, so depending on how quickly that log is generated you will have to wait some time. Eventually you will see the results.
Sixth step: Now that the field is available, you can search on it.
EventID=4103 EventLog="Microsoft-Windows-PowerShell/Operational" | measure count() by PowerShellCommand_CF
We can go through the same procedure for the same log and also extract the user who was executing the commands.
EventID=4103 EventLog="Microsoft-Windows-PowerShell/Operational" | measure count() by PowerShellUser_CF
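To show what the two custom fields above are actually pulling out of the event, here is a small added example (my own illustration, not part of the OMS feature or its documentation) that parses the "Context:" block of a PowerShell Operational EventID 4103 message into fields and counts them, the way "measure count() by PowerShellCommand_CF" and "by PowerShellUser_CF" do. The event messages are constructed samples in the shape of that Context block, not real captures.

```python
import re
from collections import Counter

# Constructed sample messages shaped like the "Context:" block of a
# PowerShell Operational EventID 4103 (module logging) event. Not real captures.
def make_4103(command, user):
    return (
        f'CommandInvocation({command}): "{command}"\n'
        "\n\nContext:\n"
        "        Host Name = ConsoleHost\n"
        f"        Command Name = {command}\n"
        "        Script Name = \n"
        f"        User = {user}\n"
        "\n\nUser Data:\n"
    )

SAMPLE_4103 = [make_4103("Get-Process", "CONTOSO\\alice"),
               make_4103("Get-Process", "CONTOSO\\alice"),
               make_4103("Get-Service", "CONTOSO\\svc-build")]

# One "Key = Value" line inside the Context block; the value may be empty.
CONTEXT_LINE = re.compile(r"^\s*([A-Za-z ]+?)\s*=\s*(.*?)\s*$")


def extract_context(message):
    """Return the Context block as a dict; a custom field is one of these values."""
    fields = {}
    in_context = False
    for line in message.splitlines():
        stripped = line.strip()
        if stripped == "Context:":
            in_context = True
            continue
        if stripped == "User Data:":  # end of the Context block
            break
        if in_context:
            match = CONTEXT_LINE.match(line)
            if match:
                fields[match.group(1)] = match.group(2)
    return fields


def count_by(messages, key):
    """Like '| measure count() by <Field>_CF'; blank or missing values are skipped."""
    counts = Counter()
    for message in messages:
        value = extract_context(message).get(key, "")
        if value:
            counts[value] += 1
    return dict(counts)
```

Running count_by over real 4103 messages with "Command Name" and "User" gives the same two breakdowns the saved extractions produce in OMS, which is a handy way to sanity-check the samples before you click Save extraction.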
The second example takes the log for successfully installed updates:
Type=Event (EventLog=System) (Source="Microsoft-Windows-WindowsUpdateClient") (EventID=19)
and of course the results:
I hope these examples inspire you to think of more data you can extract and use to provide value to your company.
Remember that a couple of MVPs and I maintain a PowerShell module for OMS on GitHub that can be imported into Azure Automation and used for more advanced scenarios. The module is also available on the PowerShell Gallery, which now allows you to import PowerShell modules into Azure Automation:
I hope that was useful information for you.