How to optimize queries in Azure Monitor logs
Have you ever considered improving the performance of your queries in Azure Monitor Logs? There are some cases where you can dramatically improve your query performance with some small changes to the operators/functions used and the order of operations. This video explains performance considerations in Azure Monitor Logs and shows several techniques for improving query performance and reducing run times. More details available in documentation: https://docs.microsoft.com/azure/azure-monitor/logs/query-optimization Thanks to Meir_Mendelovich and thebitstreamerANNOUNCEMENT: free query language course now available
The Kusto Query Language (KQL) is used across a wide range of Microsoft services including Azure Application Insights, Azure Log Analytics, Azure Security Center, Windows Defender Advanced Threat Protection, and more. It is an immensely powerful language, and a simple one to use once you get going. However, we are very often asked two questions by users of all skill levels: How do I get started? What are the full capabilities of the language? To answer these questions and more, we’ve partnered with Pluralsight to create a course taking you from the very basics of KQL all the way to advanced constructs such as machine learning and time series analysis. We’re excited to announce today that the course is live and available for free to everyone! Simply click below to access the course: https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch As mentioned, the course is free to anyone under Azure's partnership with Pluralsight. Simply click above and select "register and start for free" to get instant access to the course! We are extremely excited to have the course up and running, and hope you find it helpful in your KQL journey! -EvgenyBlog Post: Top 10 Charts in Azure Log Analytics and Application Insights
I've written blog post that I think it might be interested for the audience here: I’ve recently stumbled on forum question asking for chart that list only the top 10 resources or computers. Such chart is of course used a lot in performance metrics where for example you want to get the top 10 computers with CPU usage and list them in time chart. Check the full blog post here.
Recent Logic Apps Failures with Defender ATP Steps – "TimeGenerated" No Longer Recognized
Hi everyone, I’ve recently encountered an issue with Logic Apps failing on Defender ATP steps. Requests containing the TimeGenerated parameter no longer work—the column seems to be unrecognized. My code hasn’t changed at all, and the same queries run successfully in Defender 365’s Advanced Hunting. For example, this basic KQL query: DeviceLogonEvents | where TimeGenerated >= ago(30d) | where LogonType != "Local" | where DeviceName !contains ".fr" | where DeviceName !contains "shared-" | where DeviceName !contains "gdc-" | where DeviceName !contains "mon-" | distinct DeviceName Now throws the error: Failed to resolve column or scalar expression named 'TimeGenerated'. Fix semantic errors in your query. Removing TimeGenerated makes the query work again, but this isn’t a viable solution. Notably, the identical query still functions in Defender 365’s Advanced Hunting UI. This issue started affecting a Logic App that runs weekly—it worked on May 11th but failed on May 18th. Questions: Has there been a recent schema change or deprecation of TimeGenerated in Defender ATP's KQL for Logic Apps? Is there an alternative column or syntax we should use now? Are others experiencing this? Any insights or workarounds would be greatly appreciated!
Use time range value in kusto query to calculate % uptime
Is there a way to access time range selected from azure portal in log/app analytics query to help calculate the % uptime ? I am able to calculate the the downtime in minutes using our custom logic in the query , in order to calculate the % uptime , I need to know the variable/function which can give time range selected. Thanks, Abhijit
Conversion of epoch / unixtimestamps within Log Analytics
we re using a lot of epoch / unixtimestamps (seconds since 1970-1-1) in our solution and are wondering right now if there is the possibilty to convert those timestamps to datetime objects within loganalytics queries? Unfortunately we couldn't find anything in the documentation on that matter. Would be great if someone could point us in the right direction.
