Update Kusto Graph Explorer Queries.md

awsles · web-flow · commit d4039217cceb · 2021-07-09T10:57:18.000+01:00
diff --git a/AZURE/Kusto Graph Explorer Queries.md b/AZURE/Kusto Graph Explorer Queries.md
@@ -18,6 +18,49 @@ These can be increased to 5 joins and 4 mv-expands for your tenant, in order to
 which is used by everything EXCEPT for the Azure Resource Graph Explorer, which has an anomalous limit of 4 joins and 3 mv-expands.
 However, you can build and save the query in the portal, and run it under Azure Resource Graph queries (which does use the REST API).
 
+To test for the query limits on your tenant, try the following in a PowerShell window (after doing Login-AzAccount):
+```
+$q = 'Resources
+| where type =~ "microsoft.network/networkinterfaces"
+| mv-expand ipConfigurations = properties.ipConfigurations
+| extend ipCount = array_length(properties.ipConfigurations)
+| extend privateIPType = tostring(ipConfigurations.properties["privateIPAllocationMethod"])
+| extend privateIP = tostring(ipConfigurations.properties["privateIPAddress"])
+| extend subnetId = tostring(ipConfigurations.properties.subnet["id"])
+| extend publicIPid = tostring(ipConfigurations.properties["publicIPAddress"].id)
+| extend nicId = tostring(id)
+| join kind=leftouter (ResourceContainers | where type=~ "microsoft.resources/subscriptions" 
+       | project subscriptionName=name, subscriptionId) on subscriptionId 
+| join kind=leftouter (Resources  
+       | where type contains "publicIPAddresses" and isnotempty(properties.ipAddress)
+       | extend publicIP = tostring(properties.ipAddress),
+              publicIPid = tostring(id)) on publicIPid
+| join kind=leftouter (Resources | where type =~ "microsoft.network/networksecuritygroups"
+       | mv-expand nics = properties.networkInterfaces
+       | extend nicId = tostring (nics.id),
+              nicNSG = name,
+              nicNSGgroup = resourceGroup  ) on nicId
+| join kind=leftouter (Resources
+       | where type =~ "microsoft.compute/virtualmachines" and isnotempty(properties.networkProfile.networkInterfaces)
+       | extend vmName = name
+       | extend vmSize = tostring(properties.hardwareProfile.vmSize)
+       | extend osType = tostring(properties.storageProfile.osDisk.osType)
+       | mv-expand nics = properties.networkProfile.networkInterfaces
+       | extend nicId = tostring (nics.id) ) on nicId
+| join kind=leftouter (Resources | where type =~ "microsoft.network/networksecuritygroups"
+       | mv-expand subnets = properties.subnets
+       | extend subnetId = tostring(subnets.id),
+              vnetName = split(tostring(subnets.id),"/")[8],
+              subnetName = split(tostring(subnets.id),"/")[10],
+              subnetNSG = name,
+              subnetNSGgroup = resourceGroup
+       ) on subnetId
+| project subscriptionId, subscriptionName, nicName=name, resourceGroup, vmName, vmSize, osType, vnetName, subnetName, nicNSG, subnetNSG, location, ipCount, privateIPType, privateIP, publicIP, tags, subnetId, nicId'
+
+Search-AzGraph -First 1000 -Query $Q | ft
+```
+If you get an error, then there is a quota limit in place.
+
 The document (https://docs.microsoft.com/en-us/azure/governance/resource-graph/concepts/query-language#supported-tabulartop-level-operators)
 does state the max joins allowed is 3, however, production team overrides the limit to 4 for queries used in Azure Portal.
 
