If a cluster in your workspace has disappeared or been deleted, you can identify which user deleted it by running a query in the Log Analytics workspaces service in the Azure portal.
- Load the Log Analytics workspaces service in the Azure portal.
- Click the name of your workspace.
- Click Logs.
- Look for the following text: Type your query here or click one of the example queries to start.
- Enter the following query:
DatabricksClusters | where ActionName == "permanentDelete" and Response contains "\"statusCode\":200" and RequestParams contains "\"cluster_id\":\"0210-024915-bore731\"" // Add cluster_id filter if cluster id is known and TimeGenerated between(datetime("2020-01-25 00:00:00") .. datetime("2020-01-28 00:00:00")) // Add timestamp (in UTC) filter to narrow down the result. | extend id = parse_json(Identity) | extend requestParams = parse_json(RequestParams) | project UserEmail=id.email,clusterId = requestParams.cluster_id, SourceIPAddress, EventTime=TimeGenerated - Edit the cluster_id as required.
- Edit the datetime values to filter on a specific time range.
- Click Run to execute the query.
The results (if any) display below the query box.
If you are still unable to find who deleted the cluster, create a support case with Microsoft Support. Provide details such as the workspace id and the time range of the event (including your time zone). Microsoft Support will review the corresponding backend activity logs.