KQL Beginner: how to centralize my logs

imrichard83 · ‎Oct 24 2019

Hi ,

I am a little new to azure Monitor and Log analytics and i am trying to find out how i can either bring all my data together to be queried or advise on better structuring.

specifically i have 11 subscriptions all with individual resources and resource groups etc all doing a variety of different things what i would like to do is be able to query things like cpu info , disk util across all virtual machines.

i see there is ways to connect virtual machines to work spaces and enable logging but these seems to point to an individual workspace

in short i am wanting to know if there is a global search point for the tenant or do i need to go through all resources in the subscription and point them all at the same workspace to achieve my goal ?

having scom monitoring all on premise servers i am wanting to be able to perform the same type of search function ie a perf graph showing everything which i can filter down for different groups in my Org

CliveWatson · ‎Oct 24 2019

@imrichard83

Two resources you may find handy.

https://techcommunity.microsoft.com/t5/Azure-Sentinel/Best-practices-for-designing-an-Azure-Sentinel...

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/design-logs-deployment

and

https://techcommunity.microsoft.com/t5/Azure-Log-Analytics/Log-Analytics-Workspace-with-Multiple-sub...

I cant see what Azure region you are in or where your users & services are located but typically if you were in EUROPE (for example) and have subscriptions in a single Directory/Tenant I'd start with one workspace and only add others by exception (Compliance, business factors etc...).

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

KQL Beginner: how to centralize my logs

KQL Beginner: how to centralize my logs

Re: KQL Beginner: how to centralize my logs