
Azure Log Analytics

114 Conversations

Latest Activity


Hello,

 

How can I sum a column?

I have each row dcount with number of customers and I would like to know what is the total of customers.

I want to present a new row with the total number of customers

or even a new column that shows the same number on eac

...
102 Views
4 Replies

Hi Tal,

To only get the sum of the dcount value, you can do something like the bottom line here:

Update
| summarize dcount(Product) by Computer
| summarize sum_dcount=sum
...

Hello guys

 

I need your help. How can I create a query to join the table "ConfigurationChange" and the table "Perf" to know the % of CPU, with a condition to have the same Publisher?

 

Thank you for your help

 
105 Views
5 Replies

Sure you can join!

Join is a very important and useful and powerful part of the language. See all details here: https://docs.loganalytics.io/docs/Language-Reference/Tabular-operators/join-operator

...
Hi, I am not quite sure what exactly you want to achieve. Can you make a simple mockup of how the first and the second table should look and how they should look after they are j...

Hi, I can't seem to find the right syntax for this query:

 
ProtectionStatus
| summarize ThreatStatusRank = max(ThreatStatusRank) by Computer, Time = bin(todatetime(DateCollected), 10m)
| summarize(Time, ThreatStatusRank) = argmax(Time, ThreatStatusRank)
...
94 Views
2 Replies
Hi, managed to get this working using the following:
 
ProtectionStatus
| where TimeGenerated > ago(1d)
| summarize ThreatStatusRank = max(ThreatStatusRank) by Computer,
...
Best Response confirmed by Matthew Maguire (New Contributor)

The following documentation provides some example queries using Computer Groups:

Computer groups in Log Analytics log searches

 

I am attempting to run a query using some computer groups imported from SCCM. I have confirmed that the groups are available t

...
89 Views
2 Replies

Hi Bob,

 

Please provide us some more details so we can help you.

Do the following queries provide any results?

 

  1. ComputerGroup | where GroupSource == "SCCM" and Group
...

Hello,

 

I created a new function and saved it as "Function" on the right pane of saved queries.

How can I use/call this function on new queries I'm creating?

 

(the function is not listed on the "functions" list on the left pane)

 

Thanks,

 

138 Views
5 Replies

Hi Tal,

A function is available almost immediately after you save it, even if it's not shown on the left pane (the left pane was probably loaded on login, and was not ref

...

Hello,

 

I'm currently working on a query in Log Analytics which requires me to filter on properties which are in the ExtendedProperties field. See below example, I would like to use the ExtendedProperties[0].Value property in my query.

 

extendedproperties.png

 

Can someone p

...
214 Views
5 Replies

Hi,

 

 

If I understand your question correctly, here is a query that is doing what you are looking for:

 

OfficeActivity | where RecordType == "AzureActiveDirectory" and

...

You can access a specific item on the array using [1] or [2], and then access an item named "Value" through ".Value", as shown here:

extend second_item_value = your_ar
...
Copying @Satya Vel; maybe he knows someone that can assist.
Hi, You should be able to do
| extend properties = parse_json(tostring(ExtendedProperties))
| where tostring(properties.Name) == "XYZ"
You might not be required to cast ...

Hi all.

I'm a complete newbie to OMS.

I've been handed the task to create a dashboard that gets the CPU and RAM usage, returns the average and marks the servers that are overpowered (less than 10% usage over the last 30 days, for example).

I'm a bit (a l

...
185 Views
3 Replies

Hi Dante,

You're right, it can take a while to get up to speed with all language features :) Take a look at the doc site to get started, specifically for your scenario I

...

I am getting an error while trying to install the agent on two servers... I have one working just fine.

 

Invalid Azure Log Analytics Configuration

Unknown error was encountered during setup.  Please check log file: (%temp%\MonitoringAgent.log).

Capture.JPG

Any sugg

...
121 Views
1 Reply
I'll answer my own here.... after messing with it for a day.... If you do not check the Connect the agent to Azure Log Analytics (OMS) on the initial install then go to th...

I want to perform a subselect on a related set of data. That subdata needs to be filtered using data from the main query:

 

    customEvents
    | extend envId = tostring(customDimensions.EnvironmentId)
    | extend organisation = tostring(customDimensions.

...
134 Views
1 Reply

It seems to me like you're actually doing a join, so this might be easier:

customEvents
    | extend envId = tostring(customDimensions.EnvironmentId)
    | extend organis
...

In many functional programming languages there is a way to do pattern matching, like F# has `match expression with`.

 

In my use case, I'd like to match a string to a set of strings/regexes and return a value (a string):

 

```

// path:string
iif(path
```

...
86 Views
1 Reply

Hi,

 

One of the string operators is matches, which allows you to perform regular expression matches.

There are also other methods to check regular expressions.

 

Thanks,

Me

...

I'm trying to move some logic out of the main query into a lambda so the main query is easier to read.

 

 

So I want to take logic like this:

```

T // columns: operation_Name
| extend path_Label = iif(operation_Name == '/', 'home', 'other')
//end up with
```

...
92 Views
2 Replies

Hi,

 

The following query is working for me:

 

let translate_path = (operation_Name:string)
{
    iif(operation_Name == '/', 'home', 'other')
};
AzureActivity
| take 10
| exten

...

Goal: Query AppInsights data for the pages a user has viewed over the course of their session.

The problem is that there are duplicate page views, each with the same timestamp. In the query below, I `sort by session_Id, timestamp` and that data shows a to

...
107 Views
1 Reply
This seemed to do the job
 
```
pageViews
| summarize by session_Id, operation_Name, bin(timestamp, 1tick)
| sort by session_Id, timestamp asc

```


I am running
AzureDiagnostics
| where TimeGenerated  > ago(91d)
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayPerformance"

However, I am not getting more than 12 days "ago" of data.  Is this a limit to the tool, am I

...
107 Views
2 Replies
Hi,

I have tried similar queries on our test data and I wasn't able to reproduce this behavior. Changing the Ago parameter changed the end results even in high numbers.

Tha...

Hi,

 

Could you please add a "| count" at the end of your query to confirm how many rows are being returned? The Log Analytics UI will cut you off at 10,000 and when impo

...

Hi,

I've connected Azure Data Factory to my Log Analytics account but I can't find any information about how to query this data in either Log Analytics or OMS. Has anyone got this working?

Thanks

James

LogImage.JPG

85 Views
1 Reply

Hi James,

 

The logs should appear under the Events and ETWEvent data types in your workspace. You can see more instructions here under "collect logs from Azure Storage":

...

I have DSC linked to OMS to retrieve logs of machine status and whatnot. What I'm looking for is the ability to show the DSC compliance status of the machines connected.

 

So, let's say I have 4 machines (PC1, PC2, PC3 and PC4). I would like to know under

...
96 Views
3 Replies

Hi Paul,

You're actually very close to the syntax you need, if I got you correctly I think this is it:

 
AzureDiagnostics
| summarize count() by Category, ResultType

 

You can try it on our playground

...
Best Response confirmed by Paul MacKinnon (New Contributor)

At Ignite 2017, we announced the new IT Service Management (ITSM) Action in Azure Action Groups. As you might know, Action Groups is a reusable notification grouping for Azure alerts. Users can create an action group with functions such as sending an emai

...
556 Views
5 Replies

Hi Pravin, this is the explanation I gathered so far:

"The exact integration is not available. However, the following can provide the equivalent: Set up alert in OMS to t

...
Hi Pravin, we're looking into that and will reply as soon as we can. Thanks, Noa

Want to know if below workflow is supported with OMS and SNOW integration

 

Get filtered Incidents from SNOW to OMS -> OMS to invoke remediation runbook for specific Inci

...

A common feedback for those trying to programmatically query their data has been the difficulty of using the APIs, given authentication schemes required. Expanding on the PowerShell cmdlets already available to you, we'd like to announce the availability

...
72 Views
0 Reply

Working on an Azure online Course "Azure Security and Compliance" that has an online Hands-On lab called "Deep Analysis with Microsoft Azure Log Analytics". But when I go to the lab using this link it says the lab not available showing the following page.

...
137 Views
1 Reply

Thank you Syed for letting us know.

I've contacted the course's content developer on the issue, hope it will be resolved soon.

Hello

 

1. Is it possible to join 2 tables without a common/shared column?

2. Is it possible to create a join inside a join? 

 

Thanks

152 Views
4 Replies
Hi,

1.
You always need to provide a common column but you can create a fabricated column that would simulate what you would like to achieve. For example:
Table1
| extend dum...

I want to query logs, metrics, etc. on an Azure Load balancer resource.  I followed the directions in https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-monitor-log.  Except, I configured the Diagnostics settings to "Send to Log Analytics"

...
163 Views
1 Reply
Hi,

These logs should appear in AzureDiagnostics type.

Thanks,
Meir

We have several cases of a 365 shared mailbox account logging in to a VM in Azure, according to log analytics.

 

We are Using Azure domain services. Event ID is 4624. OS is Windows server 2016.

 

I always thought it was impossible to log in to these accou

...
73 Views
1 Reply

Twan,

 

We are happy to see that Azure Log Analytics provided you improved visibility to your environment.

I think this is not the right venue for this question. Azure AD

...

The render operator documentation mentions a timepivot renderer as a visualization, and near the end of the document it even uses it as an example for the by operator

  • By is an optional list of columns that is used by some visualizations (e.g. timepivot) t
...
86 Views
1 Reply
Hi, timepivot is not supported in the Azure Log Analytics portal as well as ladderchart. We will update our documentation.
Best Response confirmed by Scott Chamberlain (Occasional Visitor)

Hi all, I'm wondering where I am going wrong.

 

I've got a "log search" query setup

Perf
| where ( ObjectName == "Processor" )
| where CounterName == "% Processor Time"
| where CounterValue  >= 80

 

and I can't find the alert button as described here: https://blogs.technet.microsoft.com/msoms/2016/09/08/how-to-generate-an-alert-in-microsoft-oms-when-a-computer-is-down-or-unreachable/

...
90 Views
1 Reply

Hi

The alert button is there. I would assume that you do not have permissions. Maybe you are a read-only user. Also, the query you've written is not good for alerting. It is

...
Best Response confirmed by Stanislav Zhelyazkov (MVP)

Hello,

 

Basically I want to generate the report for all the tagged virtual machines from Log Analytics. I need to know which VMs are tagged and which are not. Could you please help me out to create the query in Log Analytics?

 

Thanks,

 

Sachin

712 Views
5 Replies
There isn't a log out of the box that has information on tags for Virtual machines. I would suggest to develop something on your. Create a workflow that daily goes through...
Best Response confirmed by Stanislav Zhelyazkov (MVP)

Any help would be appreciated..

I used this basic query to find several computers that had the word LINK in their name:

 

Heartbeat | where Computer contains "LINK" | distinct Computer

 

It worked fine, just as I wanted.  My question is where can I find documentation on what the word he

...
142 Views
5 Replies
Hi, seems like you are just starting with Log Analytics, so in this case I suggest to start with going through the documentation: https://docs.microsoft.com/en-us/azure/log-analytics/...
Best Response confirmed by Stanislav Zhelyazkov (MVP)