Forum Widgets
Latest Discussions
Geolocation query from IP address
Hi, Any idea if that's possible (and if yes - how) to add resolving of IP address to geolocation and any other IP information in a query in Log Analytics? For example, part of the message body I have in custom log is IP address, I would like to add a column (e.g. - extend) that resolves this IP address to its location in the world. Alternatively, if there was an option to call a rest service during query, I could call something like ipstack, and receive the required information. An example of simple query: MyEvents | extend IPAddress = extractjson("$.request.ipaddress", Message) | extend Country = extractgeo("$.country", IPAddress) Hopefully that was clear enough 🙂 Thanks! P.S. In PowerBI this can be achieved with Json.Document(Web.Contents("rest service url")....Alert "Monitor Condition" never changes
We're starting our journey from SCOM to Azure Monitor and have run into an issue with Azure Alerts (sorry for posting this in Azure Log Analytics, but there is no Azure Monitor Tech Community). I've noticed that when an Azure Alert is generated, that the Monitor Condition never changes from "Fired" to "Resolved". According to the https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-unified-alerts#alert-rules, the Monitor Condition, "Indicates whether the condition that created a metric alert has been resolved. Metric alert rules sample a particular metric at regular intervals. If the criteria in the alert rule is met, then a new alert is created with a condition of "fired." When the metric is sampled again, if the criteria is still met, then nothing happens. If the criteria is not met, then the condition of the alert is changed to "resolved." The next time that the criteria is met, another alert is created with a condition of "fired."" Despite the condition no longer being met (for instance, a service down), the Monitor Condition never changes. Am I missing something?
Machine not sedning pings
Kusto query Heartbeat | where TimeGenerated > ago(24h) | where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk" | summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment | where LastCall < ago(10m I need assistance with this query, I don't want to be reported for the following servers in not sending pings, those severs get shutdown at 10:00pm UK time and starts at 6:00am uk time. I don't want those servers to be reported from 10:00pm to 6:00am, how can I amend my existing query and make this possible
Table count from custom log
Hello, I would like to get the count of table name reference in my custom log which is pushed to the Log analytics. The custom log structure is given below. 020-08-31 16:15:38 ProxyEngine [INFO] api invoked by user abcd with db user as default api user 2020-08-31 16:15:38 JdbcTemplateService [DEBUG] getting basic api user userapi 2020-08-31 16:15:38 SqlTrigger [INFO] sql fired is select * from table_1 2020-08-31 16:15:39 SqlTrigger [INFO] total records found 301 2020-08-31 16:15:39 SqlTrigger [INFO] done fetching of data 2020-08-31 16:15:50 ProxyEngine [INFO] api invoked by user xyz with db user as default api user 2020-08-31 16:15:50 JdbcTemplateService [DEBUG] getting basic api user userapi 2020-08-31 16:15:50 SqlTrigger [INFO] sql fired is select * from table_2 2020-08-31 16:15:51 SqlTrigger [INFO] total records found 305 2020-08-31 16:15:51 SqlTrigger [INFO] done fetching of data 2020-08-31 16:16:02 ProxyEngine [INFO] api invoked by user abcd with db user as default api user 2020-08-31 16:16:02 JdbcTemplateService [DEBUG] getting basic api user userapi 2020-08-31 16:16:02 SqlTrigger [INFO] sql fired is select * from table_1 2020-08-31 16:16:34 SqlTrigger [INFO] total records found 301 2020-08-31 16:16:34 SqlTrigger [INFO] done fetching of data The expected output Table name count table_1 2 table_2 1 Can someone provide the KQL query to get the above output? thanks in advance.
KQL question
AzureActivity | summarize LastActivity = max(TimeGenerated) by ResourceProvider, ResourceGroup | join kind = innerunique( AzureActivity | summarize Operations = count() by ResourceGroup, ResourceProvider) on ResourceGroup, ResourceProvider |project ResourceProvider, ResourceGroup, Operations, LastActivity |sort by Operations The above KQL is used to print 4 columns I need to print the fifth column as well that highlights the percentage of operations per Resource Group and Resource provider. There have to 5 columns in the result Resource Provider, Resource Group,Number of Operations (Activities), Last activity time, Percentage Can someone help me with this?After change log analytics workspace VM shows "Enabling - Waiting for data" for hours
Hello, after changing the Log Analytics Worspace, the Azure Monitor shows "Enabling - Waiting for data" for my VMs This display has been up for several hours. The VMs are also not monitored in the display. As soon as I request values via the query, they are displayed correctly. What can I do to see the display in Azure Monitor correctly again? Thanks Regards Stefan
