I can run the 2 queries below to view the logs for a certain time, separately.
AppServiceConsoleLogs | where TimeGenerated >= datetime('2021-04-10 14:00')
AppServiceHTTPLogs | where TimeGenerated >= datetime('2021-04-10 14:00')
How do I combine these into a single query to view the logs together?
The union operator does the job to show all records from the specified tables.
I used the query below and did not have the problems you mentioned:
union requests, traces
| where timestamp > ago(1d)
The screenshot of the query result:
If you still have the problem, please share the screenshot and more detailed info with us.
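As an added example (not the answer's own query), this is the same union idea applied to the two App Service tables from the question. `withsource` adds a column naming the table each row came from, so console lines and HTTP requests stay distinguishable after they are merged. The columns ResultDescription, CsMethod, CsUriStem and ScStatus are assumed to be the standard App Service diagnostic columns; they are not part of the original post.

```kusto
// Added example: combine the two App Service tables from the question into one result.
// withsource=SourceTable adds a column holding the name of the table each row came from.
// ResultDescription (console output) and CsMethod/CsUriStem/ScStatus (HTTP request fields)
// are assumed standard App Service diagnostic column names, not taken from the original post.
union withsource=SourceTable AppServiceConsoleLogs, AppServiceHTTPLogs
| where TimeGenerated >= datetime('2021-04-10 14:00')
// Columns that exist in only one of the tables are null for rows from the other,
// so build one human-readable Detail column per source.
| extend Detail = case(
    SourceTable == "AppServiceConsoleLogs", ResultDescription,
    strcat(CsMethod, " ", CsUriStem, " -> ", tostring(ScStatus)))
| project TimeGenerated, SourceTable, Detail
| order by TimeGenerated asc
```

Keep the time filter after the union rather than inside each table expression only when both tables share the same column name for it (here TimeGenerated); otherwise filter each side before the union.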
Related
I am trying to query for Remote Code Execution Attempt alerts. Does anyone have an idea how to go about this?
SecurityAlert
| where TimeGenerated >= ago(20d)
| where AlertName contains "Remote code execution attempt"
| extend Entities = tostring(parse_json(Entities)[0])
| project Entities, AlertName, Status
I am trying to output the hostnames and other information.
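The Entities column holds a JSON array of entity objects, so indexing `[0]` only ever returns the first entity of each alert. As an added example (not from the original question), the query below expands each alert into one row per host entity and then counts alerts per host. It assumes the Microsoft Sentinel entity JSON schema, where host entities carry `Type == "host"` together with `HostName` and `DnsDomain` fields, and that SecurityAlert exposes an AlertSeverity column; none of those names appear in the question.

```kusto
// Added example: one row per host entity for each "Remote code execution attempt" alert,
// then a per-host count. Assumes the Sentinel entity schema (Type, HostName, DnsDomain),
// which is not shown in the original question.
SecurityAlert
| where TimeGenerated >= ago(20d)
| where AlertName contains "Remote code execution attempt"
// mv-expand turns the JSON array into one row per entity object
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "host"
| project TimeGenerated, AlertName, AlertSeverity, Status,
          HostName = tostring(Entity.HostName),
          DnsDomain = tostring(Entity.DnsDomain)
| summarize Alerts = count(), LastSeen = max(TimeGenerated)
    by HostName, DnsDomain, AlertName, AlertSeverity, Status
| order by Alerts desc, LastSeen desc
```

Dropping the `where tostring(Entity.Type) == "host"` line shows every entity type (accounts, processes, IPs) attached to the alert, which is useful when triaging which process or account triggered the detection.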
I have a simple question for a Kusto language expert about rejecting custom values from requests and binding them with an exception. I am seeing these values in simple queries, but in the queries below:
I have only 2 custom fields :
source
subject
How can I add this result? What am I missing? I did some research for an answer by googling but I didn't find any exact answer.
requests
| extend source = tostring(customDimensions["source"]), orderID = tostring(customDimensions["subject"])
| where timestamp > ago(30d)
| where success == False
| project name, operation_Id, StartTime = timestamp, orderID, source
| join (
    exceptions
    | project timestamp, problemId, type, method, outerMessage, outerMethod, innermostType, innermostMessage, severityLevel, details, customDimensions, operation_Name, operation_Id, operation_ParentId
) on operation_Id
| evaluate autocluster()
I have used your query to reproduce. I am able to fetch the required result.
Workaround follows:
The result before joining the requests and exceptions:
No. of False Success results in my AI:
Using Join:
Using left join
Use join kind=leftsemi. It returns the rows of the left table that match the right. Refer to the MS docs on join flavors to do the required join operation.
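As an added example (not the answer's own query): the asker's version joins against every row of exceptions with no time filter on the right side, and the default join flavor (innerunique) keeps only one left-side row per operation_Id. The query below filters both sides over the same window, uses kind=inner so the exception columns come through (kind=leftsemi, as suggested above, returns only the left-side columns, which is fine if you just need the list of failed requests), and removes the duplicated key column that Kusto names operation_Id1. Column names and the customDimensions keys "source" and "subject" are the ones used in the question.

```kusto
// Added example: failed requests joined with their exceptions on operation_Id.
// Column names and customDimensions keys are taken from the question.
let FailedRequests =
    requests
    | where timestamp > ago(30d)
    | where success == false
    | extend source = tostring(customDimensions["source"]),
             orderID = tostring(customDimensions["subject"])
    | project name, operation_Id, StartTime = timestamp, orderID, source;
let RecentExceptions =
    exceptions
    | where timestamp > ago(30d)   // filter the right side too, so the join scans less data
    | project operation_Id, ExceptionTime = timestamp, problemId, type,
              outerMessage, innermostMessage, severityLevel;
FailedRequests
| join kind=inner (RecentExceptions) on operation_Id   // inner: every match, columns from both sides
| project-away operation_Id1                           // Kusto suffixes the right-side key column with "1"
| order by StartTime desc
```

If a request can raise several exceptions and you only want one row per request, add `| summarize arg_max(ExceptionTime, *) by operation_Id` after the join instead of relying on innerunique's deduplication, which picks an arbitrary left row rather than the latest exception.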
I would like to have a query that would return something like this for a single VM. So the query should show the results of a single VM, what kind of log types / solutions it has used, and how much.
I don't know if it is even possible to do anything similar. Any tips?
With this query I'm able to list the total usage for all VMs reporting to the LAWS, but I would like to have more details about a single VM:
find where TimeGenerated > ago(30d) project _BilledSize, _IsBillable, Computer
| where _IsBillable == true
| extend computerName = tolower(tostring(split(Computer, '.')[0]))
| summarize BillableDataBytes = sum(_BilledSize) by computerName
| sort by BillableDataBytes nulls last
Mostly you would be able to accomplish it by querying the standard columns or properties _BilledSize, Type, _IsBillable and Computer.
Below is the sample query for your reference:
union withsource=tt *
| where TimeGenerated between (ago(7d) .. now())
| where _IsBillable == true
| where isnotempty(Computer)
| where Computer == "MM-VM-RHEL-7"
| summarize BillableDataBytes = sum(_BilledSize) by Computer, _IsBillable, Type
| render piechart
Below is the screenshot for illustration:
Related references:
Log data usage - Understanding ingested data volume
Standard columns in logs
I am trying to trigger an alert when the number of columns in the AzureDiagnostics table in Log Analytics is >400, since there is a 500-column limit on the table, after which records will start dropping.
The issue is that alerts expect an AggregatedValue and a TimeGenerated. Since this is a schema there is no true TimeGenerated. I've tried a "time" metric and renaming the column to be "TimeGenerated" but get the following error:
Search Query should contain 'AggregatedValue' and 'bin(TimeGenerated, [roundTo])' for Metric alert type
This is the alert query I have:
AzureDiagnostics
| getschema
| summarize AggregatedValue = count(ColumnName) by bin(1d, 5m)
| project AggregatedValue, TimeGenerated=Column1
And I get these results:
I changed my logic to return a record or not. It returns a record only if the threshold of 400 columns has been met, and then I set my alert threshold value to > 0.
AzureDiagnostics
| getschema
| summarize count(ColumnName)
| where count_ColumnName >400
Alert:
I'm from the Azure Monitor Log Analytics team. We are actively working in Azure Log Analytics to avoid it altogether. We are working now to have dedicated tables for most Azure resources so they wouldn't overpopulate the AzureDiagnostics table. Some Azure resources, like Azure Data Factory, have options to control whether they use the dedicated tables or AzureDiagnostics. See #4 here: https://learn.microsoft.com/en-us/azure/data-factory/monitor-using-azure-monitor#monitor-data-factory-metrics-with-azure-monitor
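The workaround above works with the "number of results" alert type. If the "metric measurement" type is wanted (the one that produced the error), the schema rows can be stamped with a synthetic TimeGenerated so the query has the shape the validator asks for. This is an added example, not from the thread, and it assumes the alert validator accepts any query in which AggregatedValue and bin(TimeGenerated, ...) appear.

```kusto
// Added example: AzureDiagnostics column count in metric-measurement alert shape.
// getschema yields one row per column, so count() of those rows is the column count.
// A schema has no ingestion time, so TimeGenerated is synthesised with now()
// (assumption: the validator only requires AggregatedValue and bin(TimeGenerated, ...)).
AzureDiagnostics
| getschema
| extend TimeGenerated = now()
| summarize AggregatedValue = count() by bin(TimeGenerated, 5m)
// Alert rule: metric measurement, threshold AggregatedValue > 400, period equal to the 5m bin.
```

Because every evaluation returns exactly one row, set the rule's "number of breaches" to 1 so it fires on the first evaluation that crosses 400 columns, leaving headroom before the 500-column limit is hit.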
I have data in Azure Insights saved in custom event format.
Now I need to create a dashboard page in my website that will pull data from Insights and show graphs of that data.
The question is how I can filter data from customEvents based on the data saved there, like based on custom events or custom data.
Can anyone provide a resource where I can see how $filter, $search and $query work?
I am here https://dev.applicationinsights.io/quickstart but it does not look like enough.
I tried to add filter like
startswith(customEvent/name, 'BotMessageReceived')
in https://dev.applicationinsights.io/apiexplorer/events
but it is not working. It says "Something went wrong while running the query".
I have customEvents whose names start with BotMessageReceived.
Thanks
Dalvir
update:
There is no like operator. If you want to use timestamp as a filter, you should use one of the three methods below:
customEvents
| where timestamp >= datetime('2018-11-23T00:00:00.000') and timestamp <= datetime('2018-11-23T23:59:00.000')
customEvents
| where tostring(timestamp) contains "2018-12-11"
customEvents
| where timestamp between (datetime('2018-11-23T00:00:00.000') .. datetime('2018-11-23T23:59:00.000'))
Please use this:
customEvents
| where name startswith "BotMessageReceived"
And if you use the API you mentioned above, you can use:
https://api.applicationinsights.io/v1/apps/Your_application_id/query?query=customEvents | where name startswith "BotMessageReceived"
It works at my side.