Forum Discussion
Need assistance on KQL query for pulling AKS Pod logs
I am trying to pull historical pod logs using below kql query. Looks like joining the tables; containerlog and KubePodInventory didn't go well as i see lot of duplicates in the output. ContainerLog ...
Thanks for the reply luchete. The reason i am giving service name; pods are ephemeral right, sometimes i had to pull the logs for the pods that were already killed whose name i may not know.
In my case, just chosen logs for last 30 min and it gave me 30k+ rows of data which shouldn't be the case. By looking at the results, comma separated strings in logentry are getting split into multiple rows. Not sure how to tackle it?
Hello Ashok42470,
I understand the challenge with ephemeral pods. To prevent logs from being split across rows, you can aggregate them using summarize. Here’s an updated query that groups the logs into a single entry per container:
ContainerLog
| join kind=inner (
KubePodInventory
| where ServiceName == "<<servicename>>"
) on $left.ContainerID == $right.ContainerID
| summarize Logs = make_list(LogEntry, 1000) by ContainerID, TimeGenerated, ServiceName, Namespace
| extend CombinedLogs = strcat_array(Logs, " ") // Joins logs into a single string
| project TimeGenerated, Namespace, ContainerID, ServiceName, CombinedLogs
| sort by TimeGenerated ascThis should eliminate duplicates and keep the log messages intact. If you’re pulling logs for killed pods, consider adjusting your time range or adding filters for PodName.
Regards!
