Forum Discussion

Hairy_Zeus
Copper Contributor
Jul 29, 2021

Log Analytics Querying Access Multiple Workspaces when Using Join

Hello all,

I'm new to Log Analytics queries so hoping I can get some help with query syntax. I have the following query that I am using to pull % free space and Free Megabytes from Windows servers. It's working great, however I need to be able to query across multiple workspaces. I normally use "union" and specify the workspace IDs for this, but for this particular query (that is using "join") I can't seem to get the syntax right.

----- Working query -----

let disk_free_space_percent=
Perf
| where TimeGenerated > ago(1d)
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| summarize (TimeGenerated, Free_Space_Percent)=arg_max(TimeGenerated, CounterValue) by Computer, InstanceName
| where strlen(InstanceName) ==2 and InstanceName contains ":";
let disk_free_MB=
Perf
| where TimeGenerated > ago(1d)
| where ObjectName == "LogicalDisk" and CounterName == "Free Megabytes"
| summarize (TimeGenerated, Free_MB)=arg_max(TimeGenerated, CounterValue) by Computer, InstanceName
| where strlen(InstanceName) ==2 and InstanceName contains ":";
disk_free_space_percent
| join (
disk_free_MB
) on Computer, InstanceName
| project Computer, InstanceName, Free_Space_Percent, Free_MB

----- Working query -----

-----Not working query----

union
workspace('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx').Perf,
workspace('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx').Perf,
workspace('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx').Perf
let disk_free_space_percent=
| where TimeGenerated > ago(1d)
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
| summarize (TimeGenerated, Free_Space_Percent)=arg_max(TimeGenerated, CounterValue) by Computer, InstanceName
| where strlen(InstanceName) ==2 and InstanceName contains ":";
let disk_free_MB=
| where TimeGenerated > ago(1d)
| where ObjectName == "LogicalDisk" and CounterName == "Free Megabytes"
| summarize (TimeGenerated, Free_MB)=arg_max(TimeGenerated, CounterValue) by Computer, InstanceName
| where strlen(InstanceName) ==2 and InstanceName contains ":";
disk_free_space_percent
| join (
disk_free_MB
) on Computer, InstanceName
| project Computer, InstanceName, Free_Space_Percent, Free_MB

-----Not working query----

Thanks in advance!
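
One way to write the cross-workspace version of the working query, as an added example that is not part of the original post: the `union` is bound to its own `let` (the name `all_perf` is an assumption) and both sub-queries read from it instead of from `Perf`. The workspace IDs are the post's placeholders.

```kusto
// Added example, not from the original post.
// A let statement must bind a complete tabular expression, so the union
// is given its own name first. 'all_perf' is a hypothetical name.
let all_perf = union
    workspace('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx').Perf,
    workspace('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx').Perf,
    workspace('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx').Perf;
// Latest "% Free Space" sample per computer and drive letter.
let disk_free_space_percent =
    all_perf
    | where TimeGenerated > ago(1d)
    | where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
    | summarize (TimeGenerated, Free_Space_Percent)=arg_max(TimeGenerated, CounterValue) by Computer, InstanceName
    | where strlen(InstanceName) == 2 and InstanceName contains ":";
// Latest "Free Megabytes" sample per computer and drive letter.
let disk_free_MB =
    all_perf
    | where TimeGenerated > ago(1d)
    | where ObjectName == "LogicalDisk" and CounterName == "Free Megabytes"
    | summarize (TimeGenerated, Free_MB)=arg_max(TimeGenerated, CounterValue) by Computer, InstanceName
    | where strlen(InstanceName) == 2 and InstanceName contains ":";
// Same join and projection as the single-workspace query.
disk_free_space_percent
| join (
    disk_free_MB
) on Computer, InstanceName
| project Computer, InstanceName, Free_Space_Percent, Free_MB
```

Because the `summarize` groups by `Computer` and `InstanceName` only, a computer that reports to more than one of the workspaces yields a single row holding its most recent sample.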
