Forum Discussion
Getting Logs data across different components/ name
We have two Log Analytics Workspace
and under this workspace , we have two names eastusprodanalytics and westusprodanalytics
Which query should i use to union data across two names at category level logs
6 Replies
This show how to get the EVENTS table from two workspaces.
union withsource = SourceApp workspace('eastusprodanalytics').Event, workspace('westusprodanalytics-IT').Event | parse SourceApp with * "('" applicationName "')" * // add query hereYou could add:
union withsource = SourceApp workspace('Fabrikamltdprod').SecurityEvent, workspace('contosoretail-IT').SecurityEvent | parse SourceApp with * "('" applicationName "')" * | summarize count() by applicationName, EventIDYou could also SAVE the first example as a Function to call in other queries
For more see: https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/cross-workspace-queryUnion within a workspace is here: https://docs.microsoft.com/en-us/azure/kusto/query/unionoperator
Thanks CliveWatson
I mistakenly put as workspace.
I have two resources Under LogAnalytics workspace group. and under those two resources, there are two names . For eg:
Log Analytics workspaces
-> Name Type
eastusprodloganlytics eastus-prod-rg
westusprodloganlytics west-prod-rgIs there a way to union till name and type
Are you really asking for a Union? This will Union the Table called Event with the Table called SecurityEvent (using 10 records from each)
union isfuzzy=true (Event | limit 10), (SecurityEvent | limit 10)
This is a great question to ask, if you supply the data in a datatable:, are you trying to concatenate the two values?
let dummyData = datatable(Name:string, Type:string) [ "eastusprodloganlytics" , "eastus-prod-rg" , "westusprodloganlytics" , "west-prod-rg" ]; dummyData | where Name !="" | project theMergedStringIs = strcat(Name, " " , Type)If this isn't right, can you share a screenshot, as its hard to tell what your data looks like and what you want it to change to? e.g.
Thanks Clive
