Connect with experts and redefine what’s possible at work – join us at the Microsoft 365 Community Conference May 6-8. Learn more >

Query Language

246 Topics

Help with Disk query in Log Analytics
Hi I was wondering if I could get some help with Log analytics. New to this so bear with me. I'm trying to create a query that will provide informtaion on disk utilisation in Azure. I've gottwo commands (below), however I'm not able to merge them as I would like one query which gives me % free space, overall size of disk, name of vm and name of disk. Anything else I can get in terms of disk usage would be great, not overly concerned with IOPs at the moment. The commands are: Thsi proivides info on free space: search ObjectName == "LogicalDisk" and CounterName == "% Free Space" This one provides information on free Mb remaining. search ObjectName == "LogicalDisk" and CounterName == "Free Megabytes" I have tried this which helps, but again information is quite limited search ObjectName == "LogicalDisk" and CounterName == "Free Megabytes" and TimeGenerated > ago(1d) | summarize FreeSpace = min(CounterValue) by Computer, InstanceName | where strlen(InstanceName) ==2 and InstanceName contains ":" Thanks in advance 🙂
Solved
Rajinder Rahul
May 22, 2024 Place Azure Observability
57KViews
0likes
15Comments
Geolocation query from IP address
Hi, Any idea if that's possible (and if yes - how) to add resolving of IP address to geolocation and any other IP information in a query in Log Analytics? For example, part of the message body I have in custom log is IP address, I would like to add a column (e.g. - extend) that resolves this IP address to its location in the world. Alternatively, if there was an option to call a rest service during query, I could call something like ipstack, and receive the required information. An example of simple query: MyEvents | extend IPAddress = extractjson("$.request.ipaddress", Message) | extend Country = extractgeo("$.country", IPAddress) Hopefully that was clear enough 🙂 Thanks! P.S. In PowerBI this can be achieved with Json.Document(Web.Contents("rest service url")....
philip-patrick
Mar 13, 2024 Place Azure Observability
42KViews
0likes
25Comments
Include workspace name in query output
Is there a way to systematically collect the workspace name and include it in the output of a log analytics query? We are working on an event management project and the json output includes the workspaceID but not the name. Our CMDB currently doesn't populate the workspaceID. I am looking for a way to map the triggered alerts to a support group without having to hardcode mappings. I was hoping I could use something like extend WS = workspace('uid').Name to add this data in.
Solved
StephenMorrison
Feb 21, 2024 Place Azure Observability
3.1KViews
0likes
3Comments
query multiple "contains"
Greetings Community, I'm trying to come up with a way to query for multiple computers, but I have different strings to search for. For example: Heartbeat | where TimeGenerated >= ago(1h) | where Computer contains 'ACOMPUTER1' | summarize max(TimeGenerated) by Computer I can run this query but I have to execute it for a different string each time: Heartbeat | where TimeGenerated >= ago(1h) | where Computer contains 'ACOMPUTER1' | summarize max(TimeGenerated) by Computer Heartbeat | where TimeGenerated >= ago(1h) | where Computer contains 'SERVERABC' | summarize max(TimeGenerated) by Computer Heartbeat | where TimeGenerated >= ago(1h) | where Computer contains 'THISMACHINE_B' | summarize max(TimeGenerated) by Computer Is there a way to go through multiple "contains" or "has" statements in a single query? Was thinking that I'd have to build an array in a function or something... any help is appreciated.
Solved
ScottAllison
Nov 09, 2023 Place Azure Observability
107KViews
0likes
11Comments
Remove duplicates from query
Hi, hope somebody can help me as I'm a bit stuck in my understanding of the query language. So I'm trying to get some creation events for App Services, though there seems to be multiple entries for the same App. Therefore I'm trying to find a way to remove duplicates on a column but retain the rest of the columns in the output / or a defined set of columns. Though after dodging distinct on a specific column only this is retained in the output. This is my query: AzureActivity | where OperationName == 'Delete website' and ActivityStatus == 'Succeeded' and ResourceProvider == 'Azure Web Sites' Though this produces two entires for the same deletion, so I tired this: AzureActivity | where OperationName == 'Delete website' and ActivityStatus == 'Succeeded' and ResourceProvider == 'Azure Web Sites' | distinct CorrelationId Though this only leaves the CorrelationId in the output but I need the Resource, ResourceID,OperationName also to be shown in the output. Any tips on how to get the syntax correct? Thanks
Solved
Morten Lerudjordet
Nov 01, 2023 Place Azure Observability
101KViews
1like
11Comments
Create stored function with parameter
Hi, As the title states... Is this possible with Log analytics now? I found this documentation: https://docs.microsoft.com/en-us/azure/kusto/management/create-alter-function But when I try to run the command in Kusto it doesn't work and gives me this error: Query could not be parsed at '.' on line [1,0] Token: . Line: 1 Position: 0 Do I need to create Azure data explorer resource and run it from there? Or is this a bug in Log analytics? Thanks! 🙂
Solved
oOMelon
Oct 20, 2023 Place Azure Observability
5.8KViews
0likes
6Comments
AVD kusto query what applications are being used by users with a specific domain
Hi, I'm trying to find a way of querying Log Analytics for applications being used on AVD by users on a specific domain. Thanks.
matty905
Sep 14, 2023 Place Azure Observability
771Views
0likes
1Comment
VM details query
Hi Team, Trying to query VM details using KQL but unable to include different thing in query. VMComputer | where _ResourceId != "" | summarize by TimeGenerated, HostName, AzureImageSku, AzureResourceGroup, AzureLocation, AzureSize, Cpus, DependencyAgentVersion, PhysicalMemoryMB, OperatingSystemFamily, OperatingSystemFullName, VirtualMachineType, VirtualizationState Unable to include IPaddress details in it which can be seen using : | project Computer, Ipv4Addresses, Ipv4DefaultGateways, Ipv4SubnetMasks, MacAddresses Also, it doesn't have a state of VM like Running or Stopped Can someone help to include them in one query? Thanks in advance.
Solved
Rahul_Mahajan
Aug 25, 2023 Place Azure Observability
12KViews
0likes
11Comments
Query for App Service and outbound IP Query
Right now I need help writing a Query that shows this: AzureDiagnostics | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog" clientIp, backendHostname This query isn't working. I have a server that is using SSH and the logs there show stuff but I have a Front Door Globally and I need to see the logs there also. What is the best method.
PedroNL
Aug 24, 2023 Place Azure Observability
882Views
0likes
2Comments
Azure Virtual Machine runtime calculation
Hello All, I currently have an azure automation runbook that executes a get-azurermvm command against all the subscriptions in our tenant. This script compiles a table, that lists the vmSize and Status of running / deallocated as well as other pertinent information. The out put is then formatted to JSON and posted to the log analytics Rest API where I have a custom Log called RunningVMs_CL What I would like to be able to do is calculate any VM running more than 8 hours and up to 40 hours and be able to alert on it when it reaches above 8 hours of runtime per day or more, and then when it reaches 40 hours of total run time. The 40 hours might be a bit difficult to check as logs are only 31 days old at max. Being new to Log Analytics language I'm struggling to find the right commands to use to facilitate at least the 8 hour calculation, any tips on how I should approach this query? Thanks john
John Wildes
Aug 10, 2023 Place Azure Observability
15KViews
0likes
8Comments