Azure Log Analytics

62 Conversations

Hi all.

I'm not sure if this is the right place to ask, but here goes.

I have been asked to make a dashboard showing the count of users currently logged in to our local AD.

I have the data in OMS, and I have made this query so far:

SecurityEvent

... Read More
3 Views
0 Reply

I have a new article on how you can tackle this problem with Log Analytics and of course the query used is a very good example on transforming data.

https://cloudadministrator.wordpress.com/2017/11/14/find-if-you-are-using-only-tls-1-2-protocol-with-log-analytics/

... Read More
16 Views
0 Reply

I want to push my Syslog server to Azure.

I was going to implement something like this:

https://msandbu.wordpress.com/2016/02/22/monitoring-syslog-from-oms-with-non-oms-agents/

For my non-agent devices. Though currently we have all of our Syslog Mes

... Read More
20 Views
1 Reply

Hey, not sure I got the environment restrictions right, but in principle there is this Log Analytics API you should try out if your machines can reach api.loganalytics.io

I have published a PowerShell script for searching your Azure Log Analytics workspace using the new search API (https://dev.int.loganalytics.io).

To read the full article: https://blog.tyang.org/2017/11/14/searching-oms-using-the-new-search-language-kusto-rest-api-in-powershell/

... Read More
29 Views
1 Reply

Great post! Thank you for sharing Tao!

Hi everyone,

I'm trying to assist a customer with a query in Log Analytics to see whenever computers were turned on, by computer and by day.

I think I am on the right track in the Security Event table, going off of the Saved Search that Log Analytics offe

... Read More
66 Views
7 Replies
Hi, here we go:

search in (SecurityEvent) EventID == 4624 | summarize WindowsStartCount = count() by Computer, bin(TimeGenerated, 1d)

Best Response confirmed by Stanislav Zhelyazkov (MVP)

Hi.

We have the OMS AD Replication Status solution. After the workspace upgrade, the solution shows generic visual information, but when we want to search for more detailed info, all standard queries included break with an error like "A recognition error occur

... Read More
119 Views
6 Replies

Hi Héctor,

On the log search portal, we have a query converter. Have you tried to use that to convert your old query?

Is there a way to come around some major limitations when creating Alerts? The biggest problem is the Time Window restriction. This restricts us from searching in data older than 24 hours when creating an alert. I expect a record for a custom MessageType 

... Read More
80 Views
2 Replies

I very much agree. The 24 hour limitation is pretty difficult to deal with. You could work around this with Powershell by doing your query there, and dropping a checkpoin

... Read More

Is there a convenient way to render two different time buckets in the same chart?

...

| summarize avg(something) by bin(timegenerated size a, size b)?

Regards,

Henrik

51 Views
2 Replies

Hi,

You need to summarize them separately and union them to have a single chart:

union (
Heartbeat
| where TimeGenerated > ago(30d)
| summarize Col1=count() by bi
... Read More

With the new query language available in Log Search, we notice user queries develop and no longer fit into just one line. To accommodate longer queries we decided to make log search a multi-line editing area, so a few things have changed:

  • Run - to run th
... Read More
1,003 Views
6 Replies
Should Intellisense work in Azure Portal as well? It does not work there for me.

These improvements are great!

Hello Community,

I work in a team which manages monitoring for our on-prem Linux environment. We have been asked to manage the monitoring for the cloud-based solution that our internal BUs are progressing with. We have noticed a massive lag in the thresh

... Read More
69 Views
5 Replies

For near real time alerting scenarios on metrics, we have announced a public preview https://azure.microsoft.com/en-au/blog/get-alerts-faster-with-near-real-time-alerting-for-azure-platform-metrics/

... Read More

Hi James,

Can you post your query? I think you may be doing something in the query that is causing that level of lag. I'd say 20 minutes is a pretty reliable level of l

... Read More

You can use OMS for monitoring and give near real time monitoring for metrics. OMS also can generate alerts.

I'm querying Alerts from OMS. I'd like to get the results from the Alerts for every alert so that I can get that data somewhere other than an email. I'm stumped on how to do a sub query based upon the contents of the Query field.

Here's my base query:

A

... Read More
55 Views
1 Reply

Hi Jason,

I'm not sure I understand what you are looking to do. In general, the query field is a text field that you can handle like any other text field. For example:

... Read More
Best Response confirmed by Jason Dempsey (Microsoft)

I'm trying to create a new Log Analytics workspace in the West Central US region. However, when creating a new workspace through the Azure portal, I do not see an option for West Central US. So, I tried creating it using PowerShell, but when I run the New

... Read More
50 Views
2 Replies

Hi Matthew,

Due to load and capacity planning considerations we took a decision to temporarily limit the number of new customers in the West Central US region. Meanwhile, you

... Read More
Hello Matthew! I've been researching Log Analytics in the region you've spoken of. Although it is already available for use, the Azure calculator does not yet recognize th... Read More

I am experimenting with creating alerts using the new query language against data uploaded through the data collector API.

I am consistently seeing a 10 minute delay between when an alert query is run and when the alert email is sent. With tight time restr

... Read More
146 Views
3 Replies

I run into this problem periodically (there are a variety of factors that can delay the data sources). Here's a query to check the latest in Heartbeat, but if you replace

... Read More
This seems to be a bug. I've notified the responsible team for this and hopefully they will get it fixed.
Best Response confirmed by Stanislav Zhelyazkov (MVP)

Hi there, I have a problem with alert webhook integration with Slack.

My alert query is the following:

```
AzureActivity | where OperationName == "Update resource group" and ActivityStatus == "Succeeded"
```

And my JSON payload of the webhook is here:

`

... Read More
51 Views
0 Reply

Hi everyone, I'm very excited to join this community! :)

I'm regularly using Azure Monitor and I was looking into moving to Log Analytics, but I'm having some troubles. Here's a summary of what I've done so far:

  • Created a Log Analytics resource from my Azu
... Read More
63 Views
3 Replies
Hi, are you sure that logs are generated for these resources? The easiest way of sending logs for an Azure resource to Log Analytics is through the Azure Monitor blade. You woul... Read More

I'm trying to set up computer groups in my OMS environment, but running into some issues. Has anyone used computer groups successfully with the new query language?

I see the created computer groups in settings, and can view members of the group from there

... Read More
283 Views
8 Replies

Please refer to the documentation. Please refer to the "Notes" section that refers to the new query language.

I was able to get this to work in my subscription:

Heartbeat | where Computer contains "<name>" | distinct Computer

I then saved the query, made a function of it, and us

... Read More

Hi there,

Anyone know how I can get the values from the query into a webhook instead of just posting a link?

Want to make it easier for our non-techy coworkers.

Thanks
148 Views
9 Replies

Adding @Brian Wren

I have been following the tutorial simple-look-at-oms-alert-remediation-with-runbooks, however no data is returned by "$Webhookboday.SearchResults.Value". I can see data from

$WebhookData.RequestBody but that's it. We're using a V2 log search workspace, do
... Read More
28 Views
0 Reply

Hi,

I have a data set that, when I use summarize/bin over a 1 min interval, has gaps in the data (hours), and when the timechart renders the graph the line goes directly from the last value in one set to the first value in the next set (so it looks like

... Read More
68 Views
1 Reply

Hi,

Please check out the make-series function to achieve this. For example, instead of saying:

Heartbeat
| where TimeGenerated > ago(1d)
| summarize count() by Compute
... Read More
Best Response confirmed by Blane Nelson (Visitor)

I'm trying to use OMS alerts for the heartbeat of my servers. On the old Log Analytics, I read an article saying that the agent reports every 60 seconds to OMS and the query results normally follow the frequency of the agent reports.

After mig

... Read More
263 Views
6 Replies

I've noticed a little bit of a larger delay in event and heartbeat data being recorded in OMS - in some testing I saw heartbeat data taking up to 8 minutes to show up in

... Read More

(Type=Event) (EventID=7036) Source="Service Control Manager"

What is the error? Can't run this.

58 Views
2 Replies

Your workspace must have been upgraded. You can use the legacy converter to convert your query to the new language.

Event | where (EventID == "7036") | where ( Source == "Service Control Manager" )

I have logs with multiple tables which have CustomerId in all the tables. Now I need to join the CustomerId with the master table (Customer table) so that I can display the result with Customer Name by joining both tables. I was able to create new table Custom

... Read More
158 Views
8 Replies
Hi, instead of using the filter from the UI, why not filter on the time range directly in your queries? The time range in your queries will override the one chosen from th... Read More

Wanted to see if anyone has this too. I couldn't find any docs about how to maintain consistent agent versions. If anyone knows please chime in :)
111 Views
2 Replies

If you're using OMS for checking updates already, the agents will often get updated in optional Windows updates. So the answer that I've found is: update my boxes to

... Read More
Usually the agent updates are small ones containing bug fixes. You can maintain the same version using several methods - using Windows Update to install the latest version... Read More
Best Response confirmed by Stanislav Zhelyazkov (MVP)

Hi,

Using different examples online and snippets from previous deployments I am putting together an ARM template for deploying OMS/Log Analytics.

I am trying to configure solutions during deployment, in particular Azure Activity logs and 365. In the attac

... Read More
84 Views
1 Reply

Got the Azure Activity Logs working. Seems that I had missed the section with the activity log configuration (subscription ID etc.) in the workspace resources.

... Read More

Hello all,

I have a Log Analytics workspace automation account running a runbook against a hybrid worker group. The group has multiple on-prem machines and the run-as account is the same across the machines within the worker group. However, the runbook exi

... Read More
61 Views
1 Reply
Hi, when a runbook is started it runs only against one hybrid worker from a hybrid worker group. This is the expected behavior. You have multiple hybrid workers in a hybrid ... Read More
Best Response confirmed by Stanislav Zhelyazkov (MVP)