Forum Discussion

Adeelaziz
Brass Contributor
Jan 17, 2025

Are you getting the most out of your Azure Log Analytics Workspace (LAW) investment?

Using a LAW is a great way to consolidate various types of data (performance, events, security, etc.) and signals from multiple sources. That's the easy part - mining this data for actionable insights is often the real challenge.

One way we did this was by surfacing events related to disks across our physical server estate. We were already sending event data to our LAW; it was just a matter of parsing it with KQL and adding it to a Power BI dashboard for additional visibility.

The snippet from the Power BI dashboard shows when the alert was first triggered and when the disk was eventually replaced.

Here's the KQL query we came up with.

// Look back over the last 30 days of collected events
let start_time=ago(30d);
let end_time=now();
Event
| where TimeGenerated > start_time and TimeGenerated < end_time
// Only System log entries written by the storage agent
| where EventLog contains 'System'
| where Source contains 'Storage Agents'
| where RenderedDescription contains 'Drive Array Physical Drive Status Change'
// Pull the drive, its serial number and the new status out of the message text
| parse kind=relaxed RenderedDescription with * 'Drive Array Physical Drive Status Change. The ' Drive ' with serial number ""' Serial '"", has a new status of ' Status '. (Drive status values:'*
| project Computer, Drive, Serial, Status, TimeGenerated, EventLevelName


You can of course set up alerting with Alerts for Azure Monitor.

I hope this example helps you get more value from your LAW.
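As an added illustration (not part of the original post), the same parse step and the "first alert / disk replaced" timeline the dashboard shows, reproduced in Python over constructed sample event text. The regex mirrors the KQL parse pattern and assumes the serial number is wrapped in one pair of double quotes; the event lines and the bay-based replacement logic are assumptions for the example.

```python
import re
from datetime import datetime

# Regex equivalent of the KQL `parse` pattern in the post. The three named
# groups correspond to the Drive, Serial and Status columns it projects.
# Assumption: the serial number is wrapped in one pair of double quotes.
STATUS_RE = re.compile(
    r"Drive Array Physical Drive Status Change\. The (?P<drive>.+?) "
    r'with serial number "(?P<serial>[^"]+)", has a new status of '
    r"(?P<status>[^.]+)\. \(Drive status values:"
)

def parse_event(computer, time_generated, rendered_description):
    """Mirror the `parse ... | project` step; return None for non-matching events."""
    match = STATUS_RE.search(rendered_description)
    if not match:
        return None
    return {"Computer": computer, "Drive": match["drive"], "Serial": match["serial"],
            "Status": match["status"], "TimeGenerated": datetime.fromisoformat(time_generated)}

def drive_timeline(rows):
    """Per (Computer, Drive): when a non-OK status first appeared and when that bay
    next reported OK (a different serial there means the disk was swapped).
    Returns {(computer, drive): (first_alert, replaced_at)}; replaced_at is None
    while the bay is still degraded."""
    timeline = {}
    for row in sorted(rows, key=lambda r: r["TimeGenerated"]):
        key = (row["Computer"], row["Drive"])
        first_alert, replaced_at = timeline.get(key, (None, None))
        if row["Status"] != "OK" and first_alert is None:
            first_alert = row["TimeGenerated"]
        elif row["Status"] == "OK" and first_alert is not None and replaced_at is None:
            replaced_at = row["TimeGenerated"]
        timeline[key] = (first_alert, replaced_at)
    return timeline

# Constructed sample events shaped like the Storage Agents entries the query targets.
SAMPLE_EVENTS = [
    ("SRV01", "2025-01-01T07:00:00", 'Drive Array Physical Drive Status Change. The physical drive in bay 3 with serial number "ABC123", has a new status of OK. (Drive status values: 2=OK)'),
    ("SRV01", "2025-01-02T08:00:00", 'Drive Array Physical Drive Status Change. The physical drive in bay 3 with serial number "ABC123", has a new status of Predictive Failure. (Drive status values: 2=OK)'),
    ("SRV01", "2025-01-05T14:30:00", 'Drive Array Physical Drive Status Change. The physical drive in bay 3 with serial number "ABC123", has a new status of Failed. (Drive status values: 2=OK)'),
    ("SRV01", "2025-01-07T09:15:00", 'Drive Array Physical Drive Status Change. The physical drive in bay 3 with serial number "XYZ789", has a new status of OK. (Drive status values: 2=OK)'),
    ("SRV02", "2025-01-03T10:00:00", "Drive Array Controller Status Change. The controller in slot 0 has a new status of OK."),
    ("SRV02", "2025-01-04T11:00:00", 'Drive Array Physical Drive Status Change. The physical drive in bay 1 with serial number "DEF456", has a new status of Failed. (Drive status values: 2=OK)'),
]

def build_timeline(events=SAMPLE_EVENTS):
    """Run the parse over raw events, drop non-matches, and build the timeline."""
    rows = [row for row in (parse_event(*event) for event in events) if row]
    return drive_timeline(rows)

if __name__ == "__main__":
    for (computer, drive), (first_alert, replaced_at) in build_timeline().items():
        print(computer, drive, "first alert:", first_alert, "replaced:", replaced_at)
```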


  • Hi Adeelaziz,

    Thank you for the insight and the demonstration of the implementation with PowerBI.

    Please allow me to ask further questions that might make things clearer for me and perhaps other readers:

    1. Have you connected the (physical) servers via Azure ARC?
    2. Do you also use alerts (Azure Monitoring)?

    Thanks

    Matthias

    • Adeelaziz
      Brass Contributor

      Hi Matthias-Braun,

      Yes, we're using Azure Arc and also Alerts in Azure Monitor. Please note Azure Arc is not required for this specific use case. We collect events from servers via the Azure Monitoring Agent and have them sent to our LA workspace. Having Azure Arc enabled does help with other tasks such as automation, update management etc.
