Need assistance on KQL query for pulling AKS Pod logs

I am trying to pull historical pod logs using below kql query. Looks like joining the tables; containerlog and KubePodInventory didn't go well as i see lot of duplicates in the output. ContainerLog ...

Azure Log Analytics

Container Insights

Log Analytics

Ashok42470

Copper Contributor

Feb 21, 2025

Thanks for the reply luchete. The reason i am giving service name; pods are ephemeral right, sometimes i had to pull the logs for the pods that were already killed whose name i may not know.

In my case, just chosen logs for last 30 min and it gave me 30k+ rows of data which shouldn't be the case. By looking at the results, comma separated strings in logentry are getting split into multiple rows. Not sure how to tackle it?

luchete

Iron Contributor

Feb 22, 2025

Hello Ashok42470,

I understand the challenge with ephemeral pods. To prevent logs from being split across rows, you can aggregate them using summarize. Here’s an updated query that groups the logs into a single entry per container:

ContainerLog
| join kind=inner (
    KubePodInventory
    | where ServiceName == "<<servicename>>"
) on $left.ContainerID == $right.ContainerID
| summarize Logs = make_list(LogEntry, 1000) by ContainerID, TimeGenerated, ServiceName, Namespace
| extend CombinedLogs = strcat_array(Logs, " ") // Joins logs into a single string
| project TimeGenerated, Namespace, ContainerID, ServiceName, CombinedLogs
| sort by TimeGenerated asc

This should eliminate duplicates and keep the log messages intact. If you’re pulling logs for killed pods, consider adjusting your time range or adding filters for PodName.

Regards!

Forum Discussion

Need assistance on KQL query for pulling AKS Pod logs

Resources