Azure Log Analytics

118 Conversations

We have several cases of a 365 shared mailbox account logging in to a VM in Azure, according to log analytics.

We are using Azure domain services. Event ID is 4624. OS is Windows Server 2016.

I always thought it was impossible to log in to these accou

74 Views
1 Reply

Twan,

We are happy to see that Azure Log Analytics provided you improved visibility to your environment.

I think this is not the right venue for this question. Azure AD


The render operator documentation mentions a timepivot renderer as a visualization, and near the end of the document it even uses it as an example for the by operator

  • By is an optional list of columns that is used by some visualizations (e.g. timepivot) t
86 Views
1 Reply
Hi, timepivot is not supported in the Azure Log Analytics portal, and neither is ladderchart. We will update our documentation.
Best Response confirmed by Scott Chamberlain (Occasional Visitor)

Hi all, I'm wondering where I am going wrong.

I've got a "log search" query set up:

Perf
| where ( ObjectName == "Processor" )
| where CounterName == "% Processor Time"
| where CounterValue >= 80

and I can't find the alert button as described here: https://blogs.technet.microsoft.com/msoms/2016/09/08/how-to-generate-an-alert-in-microsoft-oms-when-a-computer-is-down-or-unreachable/

90 Views
1 Reply

Hi

the alert button is there. I would assume that you do not have permissions. Maybe you are a read-only user. Also the query you've written is not good for alerting. It is

Best Response confirmed by Stanislav Zhelyazkov (MVP)

Hello,

Basically I want to generate the report for all the tagged virtual machines from Log Analytics. I need to know which VMs are tagged and which are not. Could you please help me out to create the query in Log Analytics please.

Thanks,

Sachin

719 Views
5 Replies
There isn't a log out of the box that has information on tags for virtual machines. I would suggest to develop something on your own. Create a workflow that daily goes through
Best Response confirmed by Stanislav Zhelyazkov (MVP)

Any help would be appreciated.

I used this basic query to find several computers that had the word LINK in their name:

Heartbeat | where Computer contains "LINK" | distinct Computer

It worked fine, just as I wanted. My question is where can I find documentation on what the word he

143 Views
5 Replies
Hi. Seems like you are just starting with Log Analytics, so in this case I suggest to start with going through the documentation: https://docs.microsoft.com/en-us/azure/log-analytics/
Best Response confirmed by Stanislav Zhelyazkov (MVP)

Disclaimer that I am new to OMS. I am using the ods.opinsights.azure.com/api/logs?api-version=2016-04-01 endpoint to save log entries to OMS. I am sending the messages as JSON which automatically creates new columns and filters for me in OMS. The prope

143 Views
3 Replies

Hi

When you send a particular field/column to Log Analytics, its name is changed based on the type. This is true for almost any field/column. However, there are some fields/c

Best Response confirmed by Stanislav Zhelyazkov (MVP)

The Custom Dimensions data from Application Insights cannot be seen in OMS Log Analytics. Does it need any special configuration/settings to achieve this?

144 Views
1 Reply

Hi,

You can actually query App Insights data from within a Log Analytics portal with the "app" keyword, see the documentation here.

Hi,

I am working on one of the customer's enterprise environment Azure cloud automation tasks. From the Azure perspective, for the past couple of days I have been working and trying to set up alert management in OMS. We are using a log search query to validate initially and then cre

188 Views
5 Replies

Hi, you will have to use string operators (https://docs.loganalytics.io/docs/Language-Reference/Scalar-operators/String-operators). You can use matches regex but that might

Best Response confirmed by Stanislav Zhelyazkov (MVP)

Hi, hope somebody can help me as I'm a bit stuck in my understanding of the query language.

So I'm trying to get some creation events for App Services, though there seem to be multiple entries for the same app. Therefore I'm trying to find a way to remov

254 Views
9 Replies

Hi. There are some basics that you need to understand about Log Analytics. Data in Log Analytics is stored with a different timestamp (TimeGenerated column). So basically wh

Hi all.

I'm not sure if this is the right place to ask, but here goes.

I have been asked to make a dashboard showing the count of users currently logged in to our local AD.

I have the data in OMS, and I have made this query so far:

SecurityEvent

138 Views
2 Replies

Hi Jan,

Is this what you are looking for:

SecurityEvent
| where EventID == 4624
| where ( LogonTypeName == "3 - Network" )
| where ( Computer == "ad server" )
| where A

Best Response confirmed by Jan Løbner Dam (New Contributor)

I have a new article on how you can tackle this problem with Log Analytics, and of course the query used is a very good example of transforming data.

https://cloudadministrator.wordpress.com/2017/11/14/find-if-you-are-using-only-tls-1-2-protocol-with-log-analytics/

84 Views
0 Reply

I want to push my Syslog server to Azure.

I was going to implement something like this:

https://msandbu.wordpress.com/2016/02/22/monitoring-syslog-from-oms-with-non-oms-agents/

For my non-agent devices. Though currently we have all of our Syslog mes

88 Views
1 Reply

Hey, not sure I got the environment restrictions right, but in principle there is this Log Analytics API you should try out if your machines can reach api.loganalytics.io

Best Response confirmed by azure (New Contributor)

I have published a PowerShell script for searching your Azure Log Analytics workspace using the new search API (https://dev.int.loganalytics.io).

To read the full article: https://blog.tyang.org/2017/11/14/searching-oms-using-the-new-search-language-kusto-rest-api-in-powershell/

111 Views
1 Reply

Great post! Thank you for sharing Tao!

Hi everyone,

I'm trying to assist a customer with a query in Log Analytics to see whenever computers were turned on, by computer and by day.

I think I am on the right track in the Security Event table, going off of the Saved Search that Log Analytics offe

212 Views
7 Replies
Hi, here we go:

search in (SecurityEvent) EventID == 4624 | summarize WindowsStartCount = count() by Computer, bin(TimeGenerated, 1d)

Best Response confirmed by Stanislav Zhelyazkov (MVP)

Hi.

We have the OMS AD Replication Status solution; after the workspace upgrade, the solution shows generic visual information, but when we want to search for more detailed info, all the standard queries included break with an error like "A recognition error occur

214 Views
6 Replies

Hi Héctor,

On the log search portal, we have a query converter. Have you tried to use that to convert your old query?

Is there a way to get around some major limitations when creating alerts? The biggest problem is the time window restriction. This restricts us from searching in data older than 24 hours when creating an alert. I expect a record for a custom MessageType

145 Views
2 Replies

I very much agree. The 24-hour limitation is pretty difficult to deal with. You could work around this with PowerShell by doing your query there, and dropping a checkpoin

Is there a convenient way to render two different time buckets in the same chart?

...
| summarize avg(something) by bin(timegenerated size a, size b)?

Regards,

Henrik

102 Views
2 Replies

Hi,

You need to summarize them separately and union them to have a single chart:

union (
Heartbeat
| where TimeGenerated > ago(30d)
| summarize Col1=count() by bi

With the new query language available in Log Search, we notice user queries develop and no longer fit into just one line. To accommodate longer queries we decided to make log search a multi-line editing area, so a few things have changed:

  • Run - to run th
2,362 Views
6 Replies
Should Intellisense work in Azure Portal as well? It does not work there for me.

These improvements are great! 

Hello Community,

I work in a team which manages monitoring for our on-prem Linux environment. We have been asked to manage the monitoring for the cloud-based solution that our internal BUs are progressing with. We have noticed a massive lag in the thresh

180 Views
5 Replies

For near real time alerting scenarios on metrics, we have announced a public preview https://azure.microsoft.com/en-au/blog/get-alerts-faster-with-near-real-time-alerting-for-azure-platform-metrics/


Hi James,

Can you post your query? I think you may be doing something in the query that is causing that level of lag. I'd say 20 minutes is a pretty reliable level of l

You can use OMS for monitoring; it gives near-real-time monitoring for metrics. OMS can also generate alerts.

I'm querying Alerts from OMS. I'd like to get the results from the Alerts for every alert so that I can get that data somewhere other than an email. I'm stumped on how to do a sub query based upon the contents of the Query field.

Here's my base query:

A

103 Views
1 Reply

Hi Jason,

I'm not sure I understand what you are looking to do. In general, the query field is a text field that you can handle like any other text field. For example:

Best Response confirmed by Jason Dempsey (Microsoft)

I'm trying to create a new Log Analytics workspace in the West Central US region. However, when creating a new workspace through the Azure portal, I do not see an option for West Central US. So, I tried creating it using PowerShell, but when I run the New

167 Views
2 Replies

Hi Matthew,

Due to load and capacity planning considerations we took a decision to temporarily limit the number of new customers in the West Central US region. Meanwhile, you

Hello Matthew! I've been researching Log Analytics in the region you've spoken of. Although it is already available for use, the Azure calculator does not yet recognize th

I am experimenting with creating alerts using the new query language against data uploaded through the data collector API.

I am consistently seeing a 10 minute delay between when an alert query is run and when the alert email is sent. With tight time restr

200 Views
3 Replies

I run into this problem periodically (there are a variety of factors that can delay the data sources). Here's a query to check the latest in Heartbeat, but if you replace

This seems to be a bug. I've notified the responsible team for this and hopefully they will get it fixed.
Best Response confirmed by Stanislav Zhelyazkov (MVP)

Hi there, I have a problem with alert webhook integration with Slack.

My alert query is the following:

```
AzureActivity | where OperationName == "Update resource group" and ActivityStatus == "Succeeded"
```

And my JSON payload of the webhook is here

81 Views
0 Reply

Hi everyone, I'm very excited to join this community! :)

I'm regularly using Azure Monitor and I was looking into moving to Log Analytics, but I'm having some trouble. Here's a summary of what I've done so far:

  • Created a Log Analytics resource from my Azu
140 Views
3 Replies
Hi, are you sure that logs are generated for these resources? The easiest way of sending logs for an Azure resource to Log Analytics is through the Azure Monitor blade. You woul

I'm trying to set up computer groups in my OMS environment, but running into some issues. Has anyone used computer groups successfully with the new query language?

I see the created computer groups in settings, and can view members of the group from there

573 Views
8 Replies

Please refer to the documentation. Please refer to the "Notes" section that refers to the new query language.

I was able to get this to work in my subscription:

Heartbeat | where Computer contains "<name>" | distinct Computer

I then saved the query, made a function of it, and us