Querying Log Analytics

It can be useful to explore your logs in Log Analytics. Being able to query Log Analytics requires an understanding of Kusto Query Language (KQL). We will explore some basic queries in this exercise to understand how the system works.

Creating a Log Analytics workspace

Before we can display, monitor, and query logs from Azure Monitor, we need to create a Log Analytics workspace. For that, we must perform the following steps:

  1. Navigate to the Azure portal by clicking on https://portal.azure.com.
  2. Navigate to your AZ104-Monitor resource group.
  3. Click + Create to create a new resource.
  4. Type log analytics in the search box and click Log Analytics Workspace:

Figure 20.32 – Log Analytics Workspace

  5. Click Create.
  6. Add the following values:
  • Subscription: Select your Azure subscription.
  • Resource group: AZ104-Monitor.
  • Name: az104loganalytics.
  • Region: West Europe (or select what you prefer).
  7. Click Review + create and then Create.

Now that we have created a Log Analytics workspace, we can use it inside Azure Monitor to create some queries to retrieve data. We will do this in the next section.
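
The same workspace can be created from PowerShell instead of the portal. The following script is an added example (not code from the book) using the Az.OperationalInsights module; it assumes you have already signed in with Connect-AzAccount and that the AZ104-Monitor resource group exists. The SKU and retention values are assumptions chosen to match the portal defaults for a new workspace.

```powershell
# Added example: create the Log Analytics workspace from the steps above with PowerShell.
# Assumes Connect-AzAccount has already run and the resource group exists.
$resourceGroup = 'AZ104-Monitor'
$workspaceName = 'az104loganalytics'
$location      = 'westeurope'   # the portal's "West Europe"

# Reuse the workspace if it already exists so the script is safe to run more than once.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup `
                                                -Name $workspaceName `
                                                -ErrorAction SilentlyContinue
if (-not $workspace) {
    $workspace = New-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup `
                                                     -Name $workspaceName `
                                                     -Location $location `
                                                     -Sku 'PerGB2018' `        # assumed pricing tier
                                                     -RetentionInDays 30       # assumed retention
}

# CustomerId (the "workspace ID") is what Invoke-AzOperationalInsightsQuery and the Logs API
# use to address the workspace; ResourceId is what diagnostic settings point at.
$workspace | Select-Object Name, Location, CustomerId, ResourceId
```

Keep the CustomerId from the output at hand: it is the value the query cmdlet and the Azure Monitor Logs API expect, and it is not the same as the resource ID shown in the portal's Properties blade.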

Utilizing log search query functions

Azure Monitor is now integrated with the features and capabilities that Log Analytics offers. This also includes creating search queries across the different logs and metrics by using KQL.

To retrieve any type of data from Azure Monitor, a query is required. Whether you are configuring an alert rule, analyzing data in the Azure portal, retrieving data using the Azure Monitor Logs API, or being notified of a particular condition, a query is used.

The following list provides an overview of all the different ways queries can be consumed from Azure Monitor:

  • Portal: From the Azure portal, an interactive analysis of log data can be performed. In there, you can create and edit queries and analyze the results in a variety of formats and visualizations.
  • Dashboards: The results of a query can be pinned to a dashboard. This way, results can be visualized and shared with other users.
  • Workbooks: By using Workbooks in Azure Monitor, you can create custom views of your data. This data is provided by queries as well.
  • Alerts: Alert rules are also made up of queries.
  • Data export: Data can be exported from the workspace to a storage account or Event Grid, and, by using an M query, to Excel or Power BI. In each case, a query defines the data to export.
  • Azure Monitor Logs API: The Azure Monitor Logs API allows any REST API client to retrieve log data from the workspace. The API request includes a query to retrieve the data.
  • PowerShell: You can run a PowerShell script from a command line or an Azure Automation runbook that uses Invoke-AzOperationalInsightsQuery to retrieve log data from Azure Monitor. You need to create a query for this cmdlet to retrieve the data.
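
The following script is an added example (not code from the book) of the PowerShell path just described: it runs a KQL query through Invoke-AzOperationalInsightsQuery against the workspace created earlier. It assumes Connect-AzAccount has run, that the workspace exists, and that the subscription's activity log is connected to the workspace so that the AzureActivity table is populated; the column names used in the query are those of the AzureActivity table and the query itself is constructed for this example.

```powershell
# Added example: query the workspace from PowerShell with Invoke-AzOperationalInsightsQuery.
# Assumes Connect-AzAccount has run and the workspace from the earlier steps exists.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'AZ104-Monitor' `
                                                -Name 'az104loganalytics'

# KQL (constructed for this example): role-assignment writes recorded in the activity log
# over the last day, grouped by who made them. Assumes AzureActivity is being collected.
# A caller or resource group you do not recognise here is a change worth reviewing.
$query = @'
AzureActivity
| where TimeGenerated > ago(1d)
| where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
| where ActivityStatusValue =~ "Success"
| summarize Assignments = count(), LastSeen = max(TimeGenerated) by Caller, ResourceGroup
| order by Assignments desc
'@

# WorkspaceId takes the workspace's CustomerId (a GUID), not its Azure resource ID.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
                                            -Query $query

# Results is a collection of rows whose properties match the columns produced by summarize.
$result.Results | Format-Table Caller, ResourceGroup, Assignments, LastSeen -AutoSize
```

The same query text can be pasted unchanged into the Logs blade of the portal or into an alert rule, which is the point of the list above: the query is the reusable part, and the portal, dashboards, alerts, the API, and PowerShell are just different consumers of it. Wrapping the cmdlet in an Azure Automation runbook turns this into a scheduled check rather than a one-off investigation.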

In the following section, we are going to create some queries to retrieve data from the logs in Azure Monitor.