Azure Observability Blog

Analyze data using Log Analytics Simple mode

Ilana_Waitser
May 26, 2024

Introduction 

Azure Monitor Logs offers a powerful set of capabilities for users to explore their logs and derive meaningful insights from their data estate.

Until now, Azure Monitor Logs relied on KQL for users to express their questions as queries.
KQL is a powerful, easy-to-learn query language; however, like any query language, it requires some knowledge to operate.

The Simple mode experience was created to bridge this knowledge gap, allowing the most popular KQL operators and actions to be used through a very simple point-and-click experience that requires no KQL knowledge at all!

KQL Mode gives advanced users the full power of Kusto Query Language (KQL) to derive deeper insights from their logs.

 

Here's a video that provides a quick overview of how to query logs in Log Analytics using both Simple and KQL modes:

 

 

 

 

Try Log Analytics Simple mode

Simple Mode is now the default view for some users. If it’s not enabled by default for you, simply select Try the new Log Analytics at the top-right corner of the query editor. You can switch back to the classic Log Analytics experience at any time. 

 

Explore and analyze data in Simple mode

Let’s look at an example:

I am an SRE (Site Reliability Engineer), troubleshooting infrastructure issues. For that, I want to understand which Kubernetes pods failed to run.

 

I just clicked "Run" on the KubePodInventory table, which brought up the 1000 latest results.

Now, all I need to do is click Add under the Filter section, search for the PodStatus column, select Pending, and click Apply.

This brings up all pods that have failed to run.

Now, I can easily aggregate by Name and see all pod names and how many times they have failed: 

 

I achieved all this without needing to write any KQL code!  

Moreover, whenever I select a filter or an operator in Simple Mode, the query runs automatically; there's no need to click on the "Run" button. This functionality allows for a more fluent experience.

 

Switch modes

What if you want to make changes to the query and use more advanced operators that are not supported in Simple Mode? No problem! 

 
To do so, you can switch from Simple mode to KQL mode, which gives access to the full power of KQL.

Once I switch to KQL mode, I can see the generated KQL query. I can then edit and continue working with the query.

Once I am done editing, I can switch back to Simple mode and continue the exploration on the updated query.

 

Additional Improvements

You will notice some changes aimed at making the UI simple, clean, easy to use, and focused on what matters most – the result set.

One of the changes is organizing the most frequently used actions under separate menus: Save and Share – each of these has sub-actions under it, such as Copy link and Export.

You can find additional actions under '...', such as New Alert or Log Analytics Settings, which enable you to customize behavior according to your needs. 

 

Summary

The new Log Analytics with Simple mode and additional improvements is a huge leap forward in our experiences and we hope you will enjoy using it.

To learn more, we recommend reviewing the feature's official documentation.

 

Feedback

We appreciate your feedback! 

Please leave comments on this blog post or use the "Give feedback" in Azure Monitor Logs to share your thoughts with us.

Updated Nov 14, 2024
Version 6.0
  • Ilana_Waitser,

    Thanks for the blog post,

    Will it be possible to ingress the data about the process with respect to file activity and the command line used on that process from the Windows VM, like the Process Monitor data?


    Regards,

    Rajkumar

  • @mdowst,

    Thanks for your feedback! As Tim mentioned, you can set KQL to be your default mode. Given the feedback that users don't find this option in settings, we consider suggesting this option for users who switch to KQL mode more than x times.

  • Tim_Dahl
    Copper Contributor

    mdowst You can set KQL to be the default in the settings. Right above where you select Simple/KQL mode you can find three dots, and from there you can select Log Analytics Settings. 

  • mdowst
    Copper Contributor

    Please let us set KQL as the default mode. Or at the very least have it use the same mode when creating new tabs. This is adding extra clicks every time I want to type a query.