I use a Log Analytics Workspace to add logs from my application and use a Kusto query as follows:
ApplicationLog_CL
| order by TimeGenerated desc
What does this ApplicationLog_CL indicate? Is there a way to add another log type?
The 'ApplicationLog_CL' is a reference to the Table in Log Analytics you are querying with KQL.
The postfix of '_CL' indicates that it's a Custom Table and will most likely also have the type of 'Custom Table' if you look in the Log Analytics Workspace under Tables.
When you try to create a custom table in LAW through e.g. Bicep or the Azure CLI and do not add the postfix '_CL' to the table name, the creation of the table fails.
It specifies here that the table needs to be postfixed with '_CL'.
If creating the table through the Azure Portal, Azure will postfix the table with '_CL' automatically.
Related
I am looking for a way to get all custom log tables from an Azure log analytics workspace through PowerShell code.
Below is an example of three custom log tables of which I would like to see the names in an object (array/list/...).
I am able to create a custom log table, insert and check data in it, but I am not able to upfront check if the table already exists, before I query on it.
I am using the Invoke-AzOperationalInsightsQuery PowerShell cmdlet to query on the custom log table, but this fails if the log does not exist yet. Hence the question.
Thanks for your input.
I have created sample custom log tables
and executed the below command
Get-AzOperationalInsightsDataSource -Kind CustomLog -ResourceGroupName RGName -WorkspaceName LogAnalyticsWorkSpaceName
Get-AzOperationalInsightsDataSource - Gets datasources under Azure Log Analytics workspace.
I am trying to bring Azure Synapse logs into Log Analytics to create dashboards on usage level.
I have already set up diagnostic settings to pass the logs on to my Log Analytics workspace.
But while trying to execute queries from below documentation, I am getting error saying -
Query -
//Chart the most active resource classes
AzureDiagnostics
| where Category contains "ExecRequests"
| where Status_s == "Completed"
| summarize totalQueries = dcount(RequestId_s) by ResourceClass_s
| render barchart
Error:
'where' operator: Failed to resolve column or scalar expression named 'Status_s'...
Documentation link for queries : https://learn.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-monitor-workload-portal
Please let me know if there is something I am missing. I am directly logging to the Log Analytics workspace and running these queries inside a workbook...
Also, I didn't find any proper documentation/blogs/links for connecting Synapse to Log Analytics; please let me know if anyone has that.
The documentation linked in your post appears to be out of date even though the last update date is recent.
See this link:
"Azure services that use resource-specific mode store data in a table specific to that service and do not use the AzureDiagnostics table."
The link also lists a number of resource-specific tables for Synapse. "SynapseSqlPoolExecRequests" and "SynapseSqlPoolSqlRequests" are a few examples that might provide the info you're seeking.
I would like to have the user select the log analytics workspace as a parameter in an Azure Monitor notebook to perform a query, similar to what is explained in the parameter documentation. However, I can't resolve the log analytics workspace using a variable.
What I would like to do is something like:
let event_table = workspace({parameter}).Event;
event_table
| take 5
The following query using a string literal is successful in both an Azure Monitor notebook and in a log query:
let event_table = workspace("name_of_work_space").Event;
event_table
| take 5
The following fails with the error "Unknown function 'workspace'." in both an Azure Monitor notebook and a log query:
let logAnalyticsWorkspaceName = "name_of_work_space";
let event_table = workspace(logAnalyticsWorkspaceName).Event;
event_table
| take 5
It seems that only string literals are allowed as arguments to the workspace() function.
Additionally, the iff() and case() functions only return scalars, so I cannot use iff() and case() to conditionally return a table or workspace based on an Azure Notebook parameter.
How do I supply a parameter to an Azure Monitor Notebook to query against a particular log analytics workspace?
Dynamically setting the workspace can be accomplished using a parameter. Create a parameter for Workspaces where the parameter type is Resource picker (from Azure Resource Graph). That parameter will then appear as an option in the Log Analytics drop-down for downstream controls. A demonstration appears in the video "How to build tabs and alerts in Azure workbooks | Azure Portal" at 5:00.
I want to get the fully qualified instance id (e.g. "/subscriptions/9xxxxxx5-6xxe-4xxc-8xx4-2xxxxxxxxx5/resourceGroups/test/providers/Microsoft.Compute/virtualMachines/vm-test") which is stored in a storage account table in Azure.
I have enabled guest level monitoring in my virtual machine and exported metrics to a Storage account table. In that table, instance id column (PARTITIONKEY) shows like below.
":002Fsubscriptions:002F9xxxxxx5:002D6xxe:002D4xxc:002D8xx4:002D2xxxxxxxxx5:002FresourceGroups:002Ftest:002Fproviders:002FMicrosoft:002ECompute:002FvirtualMachines:002Fvm:002Dtest"
Not sure how to convert the instance id column PARTITIONKEY into an instance Id.
However, for your purpose of getting VM memory-related metrics, it's recommended to use Log Analytics. Search for the Log Analytics workspace resource in the Azure portal, narrow down to your specific VM scope, then run the query.
Perf
| where ObjectName == "Memory"
Or, you can execute an Analytics query using Query - Get
For more information, you could read these docs.
https://learn.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-portal
https://learn.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview
Hope this could help you.
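The conversion asked about in the question above, as an added example that is not part of the original posts: in the quoted PARTITIONKEY each ":XXXX" is a four-digit hex code point (":002F" is "/", ":002D" is "-", ":002E" is "."), so decoding it recovers the resource ID. The function names are hypothetical, and the reverse mapping in `encode_resource_id` is an assumption inferred from that one sample rather than from documentation.

```python
import re

# Constructed from the PartitionKey value quoted in the question above.
SAMPLE_KEY = (
    ":002Fsubscriptions:002F9xxxxxx5:002D6xxe:002D4xxc:002D8xx4:002D2xxxxxxxxx5"
    ":002FresourceGroups:002Ftest:002Fproviders:002FMicrosoft:002ECompute"
    ":002FvirtualMachines:002Fvm:002Dtest"
)

# A colon followed by exactly four hex digits, e.g. ':002F' for '/'.
_ESCAPE = re.compile(r":([0-9A-Fa-f]{4})")

def decode_partition_key(key: str) -> str:
    """Replace every ':XXXX' escape with the character at code point 0xXXXX."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), key)

def encode_resource_id(resource_id: str) -> str:
    """Inverse mapping, for building a PartitionKey filter from a resource ID.

    Assumption (inferred from the sample, not from documentation): ASCII
    letters and digits are kept, every other character becomes ':XXXX'.
    """
    out = []
    for ch in resource_id:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) <= 0xFFFF:
            out.append(f":{ord(ch):04X}")
        else:
            raise ValueError(f"cannot encode {ch!r} in four hex digits")
    return "".join(out)

def parse_vm_resource_id(resource_id: str) -> dict:
    """Split a decoded ID into its parts, rejecting anything not shaped like
    /subscriptions/<id>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>."""
    parts = resource_id.strip("/").split("/")
    keys = [p.lower() for p in parts[0:5:2]]
    if len(parts) != 8 or keys != ["subscriptions", "resourcegroups", "providers"]:
        raise ValueError(f"unexpected resource ID shape: {resource_id!r}")
    return {
        "subscription": parts[1],
        "resource_group": parts[3],
        "resource_type": f"{parts[5]}/{parts[6]}",
        "name": parts[7],
    }

if __name__ == "__main__":
    print(parse_vm_resource_id(decode_partition_key(SAMPLE_KEY)))
```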
We want to see activity logs initiated by all the users from the organization (like users#mycompany.com). We don't want to see the activity initiated by the platform (by Azure Policy, by backup management, etc.).
On the Azure portal, there are only two options: either select 'All' or type a single user's name. I tried '*#mycompany.com' but it didn't work. Is there any way to get this?
thanks
Updated:
In Azure Monitor -> Logs, you can write the query like below:
AzureActivity
| where Caller contains "#mycompany.com"
Add a screenshot for this:
Original answer:
A simple way is to just type #mycompany.com in the search box. The screenshot is as below:
Another, more advanced method is to navigate to Azure Monitor -> Logs and use a Kusto query; you can then query what you like as per the condition, e.g. use this where clause: EventInitiatedBy contains "#mycompany.com".