SOLVED

Cannot query Azure load balancer diagnostic logs in log analytics

%3CLINGO-SUB%20id%3D%22lingo-sub-1528380%22%20slang%3D%22en-US%22%3ECannot%20query%20Azure%20load%20balancer%20diagnostic%20logs%20in%20log%20analytics%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1528380%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20morning%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20setup%20diagnostic%20logs%20for%20my%20standard%20public%20load-balancer%20to%20go%20into%20log%20analytics%3A%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1528380%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1529736%22%20slang%3D%22en-US%22%3ERe%3A%20Cannot%20query%20Azure%20load%20balancer%20diagnostic%20logs%20in%20log%20analytics%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1529736%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11992%22%20target%3D%22_blank%22%3E%40Sebastian%20Maas%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ethe%20reason%20might%20simply%20be%20the%20LB%20not%20having%20yet%20generated%20logs.%20Log%20are%20generated%20only%20if%20alerts%20are%20raised%20or%20health%20probe%20status%20change.%20See%20docs%20details%20below.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20run%20this%20query%20to%20see%20if%20your%20LB%20logs%20are%20landing%20in%20some%20other%20table%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CDIV%3E%3CSPAN%3Esearch%3C%2FSPAN%3E%20%3CSPAN%3E'*loadbalancername*'%3C%2FSPAN%3E%3CSPAN%3E%20%7C%20%3C%2FSPAN%3E%3CSPAN%3Edistinct%3C%2FSPAN%3E%20%3CSPAN%3E%24%3C%2FSPAN%3E%3CSPAN%3Etable%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22hspinto_0-1595009442438.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F206102i9C9ECD2671E3647A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22hspinto_0-1595009442438.png%22%20alt%3D%22hspinto_0-1595009442438.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1530647%22%20slang%3D%22en-US%22%3ERe%3A%20Cannot%20query%20Azure%20load%20balancer%20diagnostic%20logs%20in%20log%20analytics%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1530647%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11992%22%20target%3D%22_blank%22%3E%40Sebastian%20Maas%3C%2FA%3E%26nbsp%3BTake%20out%20the%20TimeGenerated%20line%20and%20change%20the%20time%20selection%20option%20(defaults%20to%2024%20hours)%20at%20the%20top%20to%20something%20like%206%20months%2C%20then%20just%20run%20AzureDiagnostics.%3C%2FP%3E%3CP%3ELike%20you%20say%2C%20the%20table%20is%20there%20so%20there%20is%20some%20data%20in%20it.%3C%2FP%3E%3CP%3EAlternatively%2C%20if%20you%20hover%20over%20the%20AzureDiagnostics%20table%2C%20on%20the%20right%20there%20is%20a%20little%20symbol%20(I%20always%20think%20it%20looks%20like%20an%20eye)%2C%20click%20that%20and%20it'll%20give%20you%20a%20sample%2010%20rows%20from%20the%20table.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Visitor

Good morning,

 

I have setup diagnostic logs for my standard public load-balancer to go into log analytics:

la1.png

 

The log analytics workspace is setup to use resource-level and workspace permissions, I am contributor on both. I can also see, that the tables are created:

la2.png

 

Now when I want to query the logs, I receive the following error:

la3.png

 

I don't know what I'm missing here honestly, would appreciate any advice. Thank you very much!

2 Replies
Best Response confirmed by Sebastian Maas (Occasional Visitor)
Solution

@Sebastian Maas,

 

the reason might simply be the LB not having yet generated logs. Log are generated only if alerts are raised or health probe status change. See docs details below.

 

You can also run this query to see if your LB logs are landing in some other table:

 

search '*loadbalancername*' | distinct $table

 

hspinto_0-1595009442438.png

 

@Sebastian Maas Take out the TimeGenerated line and change the time selection option (defaults to 24 hours) at the top to something like 6 months, then just run AzureDiagnostics.

Like you say, the table is there so there is some data in it.

Alternatively, if you hover over the AzureDiagnostics table, on the right there is a little symbol (I always think it looks like an eye), click that and it'll give you a sample 10 rows from the table.