Introduction
Log Analytics is the Azure portal's native tool for editing and running log queries over data collected by Azure Monitor Logs and interactively analyzing their results.
The Log Analytics query language is KQL. KQL queries, both simple and complex, are used to create meaningful insights from the mountains of valuable data in your logs.
As your queries become more complex and interesting, the need grows to save, reuse and share those queries with your peers and colleagues.
To address this, we announced at Microsoft Build a new way to save, share and manage queries in Log Analytics: query packs.
Log Analytics query packs
A Log Analytics query pack is a container for queries, designed to store and manage queries effectively.
Query packs are ARM objects, allowing users to granularly control various aspects of the query pack, including permissions, where it is stored, deployment, etc.
Query packs exist at the subscription level - meaning your queries stored in a Query Pack are available to your users across Log Analytics resources and workspaces - eliminating silos. Save your query once, and use it everywhere in Log Analytics.
Managing your query packs
Query packs are designed as ARM objects.
As such they allow:
1. Management of permissions at the query pack level.
2. Deployment by code - to your subscription or others.
3. Export of a query pack.
4. Management of query packs via API.
API
Query pack operations may also be carried out through our API.
This enables deployment and management of query packs via code.
Using the Query Packs API to programmatically save queries and query packs opens additional possibilities that are not available in the UI; for example, when using the API you may define additional tags for your queries.
As those advanced capabilities have a profound effect on the user experience of queries in Log Analytics, we have enabled them only through the API, so that users and organizations choosing to leverage the more advanced capabilities of query packs do so with consideration and agency when extending their tags and terminology.
To learn more about the query pack API click here.
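As an added example (not code from the original post or from the Log Analytics team), the following Python script shows the deploy-by-code path described above: it builds the ARM payload for a query inside a query pack, including the 'related' resource type and category metadata that the save dialog also asks for and the custom tags that only the API can set, and PUTs it with a bearer token. The subscription, resource group, pack name, query text and tag values are constructed placeholders, and the api-version is an assumption to confirm against the current Query Packs REST reference.

```python
import json
import uuid
import urllib.request

# Constructed placeholders, not values from the original post. The api-version is an
# assumption: confirm it against the current Query Packs REST reference.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "rg-monitoring"
QUERY_PACK_NAME = "qp-security"
API_VERSION = "2019-09-01"
ARM = "https://management.azure.com"

def query_url(query_id: str) -> str:
    """ARM URL of one query; queries are child resources of the pack."""
    return (f"{ARM}/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}"
            f"/providers/Microsoft.OperationalInsights/queryPacks/{QUERY_PACK_NAME}"
            f"/queries/{query_id}?api-version={API_VERSION}")

def build_query_resource(display_name, description, kql, resource_types, categories, tags=None):
    """Build the PUT body. 'related' carries the resource type / category metadata the
    save dialog asks for; 'tags' holds the custom labels that only the API can set."""
    if not kql.strip():
        raise ValueError("query body must not be empty")
    return {"properties": {
        "displayName": display_name,
        "description": description,
        "body": kql,
        "related": {"resourceTypes": list(resource_types), "categories": list(categories)},
        "tags": {name: list(values) for name, values in (tags or {}).items()},
    }}

def put_query(token: str, query_id: str, resource: dict) -> dict:
    """Create or update the query. The caller needs write permission on the pack,
    because every query in the pack inherits the pack's permissions."""
    req = urllib.request.Request(
        query_url(query_id), method="PUT", data=json.dumps(resource).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed sample: a detection query tagged for the SOC team.
    resource = build_query_resource(
        "Failed sign-ins by IP", "Failed sign-ins per source IP over the last hour",
        'SigninLogs | where TimeGenerated > ago(1h) and ResultType != "0" '
        '| summarize Failures=count() by IPAddress | order by Failures desc',
        ["microsoft.operationalinsights/workspaces"], ["Security"],
        tags={"team": ["soc"], "severity": ["medium"]})
    print(json.dumps(resource, indent=2))
    # put_query(token, str(uuid.uuid4()), resource)  # needs a real ARM bearer token
```

The query id in the URL is a GUID you generate; re-running the PUT with the same id updates the query in place rather than creating a duplicate.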
RBAC and access control
As query packs are ARM objects you can control their permissions and access granularly - as you would any other Azure resource.
To control a Query Pack's permissions, go to the IAM menu in the Query Pack's resource menu.
Please note that all queries in the Query Pack will inherit permissions from the Query pack.
To learn more about query pack permissions management click here.
Queries in Log Analytics query packs
Queries stored in Log Analytics Query Packs have many advantages over legacy queries stored in a workspace:
1. Query packs are cross Log Analytics - use your query pack queries everywhere, including resource-centric scenarios.
2. Metadata - query pack queries allow for tags and additional metadata, making query discovery easier and more intuitive.
3. Permission control - queries in Query Packs inherit the Query Pack's permissions, so you can manage, per Query Pack, who can see and use your queries and who can edit and contribute to the pack.
To learn more about query metadata click here.
Discovering queries in Log Analytics
Query pack queries are an integral part of the queries dialog and the queries sidebar.
When you enter Log Analytics, the query experiences load query pack content right in the queries dialog and sidebar.
By default, Log Analytics loads the default query pack of the subscription. However, you can change which Query Packs are loaded, and Log Analytics will remember your choice.
The Log Analytics UI is contextual and automatically chooses the best queries to show in context. For example, when loading queries in a specific resource, the Log Analytics UI filters your queries by resource type, using the 'resource type' tag defined when the queries were saved, so that only queries relevant to your current context are shown.
The Log Analytics experience lets you choose how to organize and filter your queries, to help you find the queries you are looking for fast.
To learn more about the Query Packs discovery experience - click here.
Saving queries to a query pack
Saving a query to a query pack is quick and easy. Use the Log Analytics query editor to create your query and click "Save" -> "Save as Log Analytics Query".
When you save your query you will be asked to provide some metadata for your query:
1. Query name - your query's name, as it will be shown in the UI
2. Query description - a short description of your query's functionality
3. Resource type - select the relevant resource types from a list; you may select more than one
4. Category - select the relevant category from a list; you may select more than one
5. Label - a user-controlled field. Each query pack has a set of user-managed labels. You may choose an existing label or create a new one.
Once you are done, click "Save" - Log Analytics will inform you that the query was saved successfully.
Note: as Query Packs are permission controlled, you must have sufficient permissions to save and update queries in a Query Pack.
Advanced aspects of saving a query to a Query Pack:
By default, your query will be saved to the default Query Pack. The default query pack is an automatically generated Query Pack that Log Analytics creates for you when a query is first saved in the subscription.
However, Log Analytics allows you to choose what Query Pack you want to use when saving queries.
To do this, simply clear the "save to the default Query Pack" check box under the "path" section of the query save blade.
You will now be able to choose the path for your query.
Note: Query packs are permission controlled; therefore you must have sufficient permissions to change or add queries in a query pack.
To learn more about saving a query to a Query Pack click here.
Editing a query and its metadata
To edit a query or its metadata, load the query into a blank Log Analytics tab.
Change your query as needed and click "Edit Query Details" under the "Save" menu to access the query metadata edit screen.
Make your adjustments and save. Your query will be updated.
Note: as a query is linked to a specific query pack, you cannot change the query pack when updating its details. To move a query between query packs, save the query to the new Query Pack and delete the old one.
Query Explorer Queries - Legacy Queries
In the long run, Query Packs will replace the old Query Explorer queries.
In the interim, Query Explorer queries will coexist and continue to work side by side with Query Pack queries.
Upcoming releases will unify the consumption experiences so that Query Explorer queries, now named Legacy Queries, are loaded in the same upgraded UI as all other Log Analytics queries.
We encourage you to start transferring your queries to Query Packs and enjoy the advanced functionality they offer.
Summary
Query Packs are a huge leap forward for Log Analytics. Query Packs break down silos in the organization and allow query creators and Log Analytics users to share knowledge and build on the accumulated knowledge of the organization, reusing queries and assets.
Query Packs also offer the organization an opportunity to create custom experiences in Log Analytics using the API. Your organization can create queries and organize them according to the terminology and taxonomy right for you.
Permission controls and code-based deployments make Query Packs perfect for larger organizations, while strong defaults and one-click save to the default Query Pack keep things simple and easy.
We hope you enjoy Query Packs and urge you to save your first query today.
Feedback
We appreciate your feedback! Comment on this blog post and let us know what you think of this feature.
You may also use our in-app feedback feature to provide additional feedback.