KQL Beginner: how to centralize my logs


Hi,

I am a little new to Azure Monitor and Log Analytics, and I am trying to find out how I can either bring all my data together to be queried or get advice on better structuring.

Specifically, I have 11 subscriptions, all with individual resources and resource groups etc., all doing a variety of different things. What I would like to do is be able to query things like CPU info and disk utilisation across all virtual machines.

I see there are ways to connect virtual machines to workspaces and enable logging, but these seem to point to an individual workspace.

In short, I am wanting to know if there is a global search point for the tenant, or do I need to go through all resources in the subscriptions and point them all at the same workspace to achieve my goal?

Having SCOM monitoring all on-premise servers, I am wanting to be able to perform the same type of search function, i.e. a perf graph showing everything which I can filter down for different groups in my org.

1 Reply

@imrichard83

Two resources you may find handy.

https://techcommunity.microsoft.com/t5/Azure-Sentinel/Best-practices-for-designing-an-Azure-Sentinel...

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/design-logs-deployment

and

https://techcommunity.microsoft.com/t5/Azure-Log-Analytics/Log-Analytics-Workspace-with-Multiple-sub...

I can't see what Azure region you are in or where your users & services are located, but typically if you were in Europe (for example) and have subscriptions in a single Directory/Tenant, I'd start with one workspace and only add others by exception (compliance, business factors, etc.).
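As an added example (not from either post in this thread), here is the kind of KQL query the question is after: CPU and free disk space across every VM, with a `union` over `workspace()` for the "added by exception" case. The workspace names are placeholders; with a single central workspace, the `union` collapses to plain `Perf`.

```kql
// Added example, not from the thread. Assumes the VMs send Perf counters to
// Log Analytics and that "ws-europe" and "ws-compliance" are placeholder
// workspace names for the central workspace plus one exception workspace.
union isfuzzy=true
    workspace("ws-europe").Perf,
    workspace("ws-compliance").Perf
| where TimeGenerated > ago(1h)
| where (ObjectName == "Processor"   and CounterName == "% Processor Time" and InstanceName == "_Total")
     or (ObjectName == "LogicalDisk" and CounterName == "% Free Space"     and InstanceName == "C:")
// _ResourceId holds the Azure resource path (/subscriptions/<id>/resourcegroups/<rg>/...),
// so one query can still be filtered down per subscription or resource group
| extend Subscription  = tostring(split(_ResourceId, "/")[2]),
         ResourceGroup = tostring(split(_ResourceId, "/")[4])
// | where ResourceGroup == "rg-placeholder"   // narrow to one group in the org
| summarize AvgValue = round(avg(CounterValue), 1)
            by Computer, CounterName, bin(TimeGenerated, 5m)
| render timechart
```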