Azure Log Analytics

I am running
AzureDiagnostics
| where TimeGenerated  > ago(91d)
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayPerformance"

However, I am not getting more than 12 days "ago" of data.  Is this a limit to the tool, am I

19 Views
1 Reply

Hi,

 

Could you please add a "| count" at the end of your query to confirm how many rows are being returned? The Log Analytics UI will cut you off at 10,000 and when impo


A common feedback for those trying to programmatically query their data has been the difficulty of using the APIs, given authentication schemes required. Expanding on the PowerShell cmdlets already available to you, we'd like to announce the availability

10 Views
0 Reply

Working on an Azure online Course "Azure Security and Compliance" that has an online Hands-On lab called "Deep Analysis with Microsoft Azure Log Analytics". But when I go to the lab using this link it says the lab not available showing the following page.

58 Views
1 Reply

Thank you Syed for letting us know.

I've contacted the course's content developer on the issue, hope it will be resolved soon.

Hello

 

1. Is it possible to join 2 tables without a common/shared column?

2. Is it possible to create a join inside a join? 

 

Thanks

85 Views
4 Replies
Hi,

1.
You always need to provide a common column but you can create a fabricated column that would simulate what you would like to achieve. For example:
Table1
| extend dum...

Hello,

 

I'm currently working on a query in Log Analytics which requires me to filter on properties which are in the ExtendedProperties field. See below example, I would like to use the ExtendedProperties[0].Value property in my query.

 

extendedproperties.png

 

Can someone p

75 Views
4 Replies

You can access a specific item in the array using [1] or [2], and then access an item named "Value" through ".Value" as shown here:

extend second_item_value = your_ar
Copying @Satya Vel ; Maybe he knows someone that can assist.
Hi, You should be able to do
| extend properties = parse_json(tostring(ExtendedProperties))
| where tostring(properties.Name) == "XYZ"
You might not be required to cast ...

I want to query logs, metrics, etc. on an Azure Load balancer resource.  I followed the directions in https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-monitor-log.  Except, I configured the Diagnostics settings to "Send to Log Analytics"

48 Views
1 Reply
Hi,

These logs should appear in AzureDiagnostics type.

Thanks,
Meir

We have several cases of a 365 shared mailbox account logging in to a VM in Azure, according to log analytics.

 

We are Using Azure domain services. Event ID is 4624. OS is Windows server 2016.

 

I always thought it was impossible to log in to these accou

30 Views
1 Reply

Twan,

 

We are happy to see that Azure Log Analytics provided you improved visibility to your environment.

I think this is not the right venue for this question. Azure AD


The render operator documentation mentions a timepivot renderer as a visualization, and near the end of the document it even uses it as an example for the by operator

  • By is an optional list of columns that is used by some visualizations (e.g. timepivot) t
37 Views
1 Reply
Hi, timepivot is not supported in the Azure Log Analytics portal as well as ladderchart. We will update our documentation.
Best Response confirmed by Scott Chamberlain (Occasional Visitor)

Hi all, I'm wondering where I am going wrong.

 

I've got a "log search" query setup

Perf
| where ( ObjectName == "Processor" )
| where CounterName == "% Processor Time"
| where CounterValue  >= 80

 

and I can't find the alert button as described here: https://blogs.technet.microsoft.com/msoms/2016/09/08/how-to-generate-an-alert-in-microsoft-oms-when-a-computer-is-down-or-unreachable/

32 Views
1 Reply

Hi

The alert button is there. I would assume that you do not have permissions. Maybe you are a read-only user. Also the query you've written is not good for alerting. It is

Best Response confirmed by Stanislav Zhelyazkov (MVP)

At Ignite 2017, we announced the new IT Service Management (ITSM) Action in Azure Action Groups. As you might know, Action Groups is a reusable notification grouping for Azure alerts. Users can create an action group with functions such as sending an emai

437 Views
4 Replies

Hi Pravin, this is the explanation I gathered so far:

"The exact integration is not available. However, the following can provide the equivalent: Set up alert in OMS to t

Hi Pravin, we're looking into that and will reply as soon as we can. Thanks, Noa

Want to know if below workflow is supported with OMS and SNOW integration

 

Get filtered Incidents from SNOW to OMS -> OMS to invoke remediation runbook for specific Inci


Hello,

 

Basically I want to generate the report for all the tagged Virtual machines from Log analytics. I need to know which VMs are tagged and which are not. Could you please help me out to create the query in log analytics please.

 

Thanks,

 

Sachin

527 Views
5 Replies
There isn't a log out of the box that has information on tags for Virtual machines. I would suggest to develop something on your. Create a workflow that daily goes through...
Best Response confirmed by Stanislav Zhelyazkov (MVP)

Any help would be appreciated..

I used this basic query to find several computers that had the word LINK in their name:

 

Heartbeat | where Computer contains "LINK" | distinct Computer

 

It worked fine, just as I wanted.  My question is where can I find documentation on what the word he

71 Views
5 Replies
Hi Seems like you are just starting with Log Analytics so in this case I suggest to start with going through the documentation: https://docs.microsoft.com/en-us/azure/log-analytics/...
Best Response confirmed by Stanislav Zhelyazkov (MVP)

Disclaimer that I am new to OMS.  I am using the ods.opinsights.azure.com/api/logs?api-version=2016-04-01 endpoint to save log entries to OMS.  I am sending the messages as JSON which automatically creates new columns and filters for me in OMS.  The prope

66 Views
3 Replies

Hi

When you send particular field/column to Log Analytics its name is changed based on the type. This is true for almost any field/column. However there are some fields/c

Best Response confirmed by Stanislav Zhelyazkov (MVP)

The Custom Dimensions data from Application Insights cannot be seen in OMS Log Analytics. Does it need any special configuration/settings to achieve this?

 

41 Views
1 Reply

Hi,

You can actually query App Insights data from within a Log Analytics portal with the "app" keyword, see the documentation here.


 

 Hi,

 

I am working one of the customer enterprise environment azure cloud automation tasks. From azure perspective past couple of days working and trying to setup alert Management in OMS. We are using log search query to validate initially and then cre

94 Views
5 Replies

Hi You will have to use string operators: https://docs.loganalytics.io/docs/Language-Reference/Scalar-operators/String-operators You can use matches regex but that might

Best Response confirmed by Stanislav Zhelyazkov (MVP)

Hi, hope somebody can help me as I'm a bit stuck in my understanding of the query language.

So I'm trying to get some creation events for App Services, though there seems to be multiple entries for the same App. Therefore I'm trying to find a way to remov

100 Views
9 Replies

Hi There are some basics that you need to understand about Log Analytics. Data in Log Analytics is stored with different time stamp (TimeGenerated column). So basically wh


Hi all.

 

I'm not sure if this is the right place to ask, but here goes.

 

I have been asked to make a dashboard showing the count of users currently logged in to our local ad.

 

I have the data in OMS, and I have made this query so far:

 

SecurityEvent

74 Views
2 Replies

Hi Jan,

 

 

Is this what you are looking for:

SecurityEvent

| where EventID == 4624
| where ( LogonTypeName == "3 - Network" )
| where ( Computer == "ad server" )
| where A

Best Response confirmed by Jan Løbner Dam (New Contributor)

I have a new article on how you can tackle this problem with Log Analytics and of course the query used is a very good example on transforming data.

https://cloudadministrator.wordpress.com/2017/11/14/find-if-you-are-using-only-tls-1-2-protocol-with-log-analytics/

32 Views
0 Reply

I want to Push my Syslog Server to Azure.  

I was going to Implement something like this: 

https://msandbu.wordpress.com/2016/02/22/monitoring-syslog-from-oms-with-non-oms-agents/

 

For my Non Agent Devices.  Though currently we have all of our Syslog Mes

47 Views
1 Reply

Hey, not sure I got the environment restrictions right, but in principle there is this Log Analytics API you should try out if your machines can reach api.loganalytics.io

Best Response confirmed by azure (New Contributor)

I have published a PowerShell script for searching your Azure Log Analytics workspace using the new search API (https://dev.int.loganalytics.io).

To read the full article: https://blog.tyang.org/2017/11/14/searching-oms-using-the-new-search-language-kusto-rest-api-in-powershell/

58 Views
1 Reply

Great post! Thank you for sharing Tao!

Hi everyone,

I'm trying to assist a customer with a query in Log Analytics to see whenever computers were turned on, by computer and by day.

I think I am on the right track in the Security Event table, going off of the Saved Search that Log Analytics offe

92 Views
7 Replies
Hi
Here we go
search in (SecurityEvent) EventID == 4624
| summarize WindowsStartCount = count() by Computer, bin(TimeGenerated, 1d)
Best Response confirmed by Stanislav Zhelyazkov (MVP)

Hi.

 

We have OMS AD Replication Status solution, after the workspace upgrade, the solution shows generic visual information but when we want to search for more detailed info, all standard queries included break with an error like "A recognition error occur

138 Views
6 Replies

Hi Héctor,

 

On the log search portal, we have a query converter. Have you tried to use that to convert your old query?

 


Is there a way to come around some major limitations when creating Alerts? The biggest problem is the Time Window restriction. This restricts us from searching in data older than 24 hours when creating an alert. I expect a record for a custom MessageType 

102 Views
2 Replies

I very much agree. The 24 hour limitation is pretty difficult to deal with. You could work around this with Powershell by doing your query there, and dropping a checkpoin


Is there a convenient way to render two different timebuckets in the same chart?

 

...

| summarize avg(something) by bin(timegenerated size a, size b)?

 

Regards,

Henrik

73 Views
2 Replies

Hi,

 

You need to summarize them separately and union them to have a single chart:

 

union (
Heartbeat
| where TimeGenerated > ago(30d)
| summarize Col1=count() by bi

With the new query language available in Log Search, we notice user queries develop and no longer fit into just one line. To accommodate longer queries we decided to make log search a multi-line editing area:

so a few things have changed:

  • Run - to run th
1,870 Views
6 Replies
Should Intellisense work in Azure Portal as well? It does not work there for me.

These improvements are great!