SOLVED

How to group computers based on where they reside: Azure VM or Datacenter

Brass Contributor

I used this basic query to find several computers that had the word LINK in their name:

 

Heartbeat | where Computer contains "LINK" | distinct Computer

 

It worked fine, just as I wanted.  My question is where can I find documentation on what the word here, capitalized: Computer is, in the context of the query language?  IOW, what is the computer data type?  Does it have metadata I can search through?  More importantly, where can find a good guide to go and look up these things myself without having to ask here?

 

I would like to search through not just the list of computers I've installed the MMA on or connected to within Azure, but also list, for example, the above query, but only for those with LINK in the name that are Azure VMs, but not real systems or VMs in the datacenter.  Where is that value, if it exists at all, stored?

5 Replies
best response confirmed by Stanislav Zhelyazkov (MVP)
Solution
Hi Seems like you are just starting with Log Analytics so in this case I suggest to start with going trough the documentation: https://docs.microsoft.com/en-us/azure/log-analytics/ Also good way to learn is the documentation for the query language: https://docs.loganalytics.io/index There is also link to demo environment you can access to try out. There is also free OMS book available which was written when there was only the old search syntax but the concepts are the same: https://gallery.technet.microsoft.com/Inside-the-Operations-2928e342 To answer your question shortly: Data in Log Analytics is stored in tables. Those tables have different columns that could be string, integer, etc. The tables are filled with data by different solution by using different data sources. For example data source could be windows agent and performance counter or diagnostic logs from Azure Monitor. That is the short answer for more details you will have to do some readings on the links I've posted to you.

Thanks, Stanislav!

 

Looks like your book was recently updated to version 2.

 

Appreciate it, but would love to see a complete reference to a terms in the LA query language!

 

Dave

Hi At some point we will update the book with the new language as well but we will not be doing full reference of the language in the book like in the current version. This is because you have full reference in the link I've pasted. The documentation site for the new query language contains everything you need for examples to tutorials and full references. We did reference for the old language because we thought that it was not well documented and the documentation was not very well structured.

Thanks for that reply.  I should tell you, as we're both MVPs, I have a lot less experience on data manipulation than infrastructure, but I am fascinated by this subject!

 

Also, I should have entitled my question here as HOW DO I group computers on where they reside: Azure or Datacenter? <-- with that important question mark!

 

So, how do I?  In other words, I have a number of Azure VMs, all connected to Log Analytics, and also a number of VMs running on physical hosts in my datacenter, that are all running the MMA.  How can I find without already knowing aspects like names or domain, which are in Azure and which are in the datacenter?  I thought there might be a single point of data that this information is kept. 

 

If the answer is there is no such data point, then fine, I just can't find one, but that sure doesn't mean there isn't one.   I suppose I could use a subnet address or ensure a naming convention that would keep some distinction. 

 

Dave

 

 

Hi

Log Analytics knows which Computers are Azure and which are not.

Azure Computers

 

Heartbeat |  where ComputerEnvironment == 'Azure' | distinct Computer

Non-Azure Computers

Heartbeat |  where ComputerEnvironment != 'Azure' | distinct Computer

Hope this helps. ComputerEnvironment field is present in other tables as well.

1 best response

Accepted Solutions
best response confirmed by Stanislav Zhelyazkov (MVP)
Solution
Hi Seems like you are just starting with Log Analytics so in this case I suggest to start with going trough the documentation: https://docs.microsoft.com/en-us/azure/log-analytics/ Also good way to learn is the documentation for the query language: https://docs.loganalytics.io/index There is also link to demo environment you can access to try out. There is also free OMS book available which was written when there was only the old search syntax but the concepts are the same: https://gallery.technet.microsoft.com/Inside-the-Operations-2928e342 To answer your question shortly: Data in Log Analytics is stored in tables. Those tables have different columns that could be string, integer, etc. The tables are filled with data by different solution by using different data sources. For example data source could be windows agent and performance counter or diagnostic logs from Azure Monitor. That is the short answer for more details you will have to do some readings on the links I've posted to you.

View solution in original post