Azure Log Analytics: Queries, the basics explained – Part 1

Sometimes I’m guilty of jumping in to the deep-end and skipping the basics.

Update: this post ended up in four parts:

Part 1, Part 2, Part 3, Part 4

I spend all my time in the Advanced Analytics portal, because originally Log Search only supported single-line syntax.

I much prefer multi-line syntax:

Perf
| where TimeGenerated >= ago(2h)
| where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName!="_Total"
| sort by InstanceName asc nulls first
| summarize makeset(InstanceName), dcount(InstanceName) by Computer

rather than:

Perf | where TimeGenerated >= ago(2h) | where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName != "_Total" | sort by InstanceName asc nulls first | summarize makeset(InstanceName), dcount(InstanceName) by Computer

Luckily, Log Search now supports multi-line queries too (see screenshot), but the Analytics portal also offers many other features, some of which we will discuss in this and a follow-up post:

[screenshot: Log Search with a multi-line query]

Just click on [Analytics] to get to the Advanced Analytics portal:

[screenshot: the Analytics button in Log Search]

This takes you to the Home Page:

[screenshot: Advanced Analytics home page]

This is a useful place to land, with examples, and also the SCHEMA details on the left (more on that later). One of the first things you’ll do is click on Open a New Tab [+]. You’ll also notice you can go to the ‘Playground’, a demo Analytics workspace for testing queries, which is useful because your own workspace may not contain some of the data types you want to try.

If we click on the [+] we get a tab called “New Query 1”, which points to your workspace. We can then save it under a name of your choice (the tab needs at least a simple query in it before you can save). So I’ve named mine myDemoSyntax in a category of Demo.

[screenshot: saving the query as myDemoSyntax in the Demo category]

The advantage of this is that you can then browse your saved queries with the Query Explorer. They are also shared with anyone else who has access to your workspace. I tend to use Demo as the category for syntax I’m still working on.

[screenshot: Query Explorer listing saved queries]

The Query Explorer (until a week or so ago it was just an Open File dialog) also lets you see common queries by Solution – just double click on one of them to see and run it. Notice that it also gives you the v1 syntax for reference, but that is commented out.

[screenshot: Query Explorer showing queries by Solution, with the v1 syntax commented out]

Often these queries are on a single line, so you can either right click and choose Prettify Query, or press Ctrl+Alt+P; this tidies the query and makes it multi-line.

e.g. the initial query on a single line:

[screenshot: initial query on a single line]

which becomes multi-line:

[screenshot: the same query after Prettify, now multi-line]

You can run Prettify at any time; it is especially useful for tidying up once a query reaches tens of lines. Now I’ve removed the v1 query and added a comment to the code using “//”. You can use “//” at the start of a line or at any point within it, and everything after it on that line is ignored.

[screenshot: the prettified query with a // comment added]
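To make the comment rules concrete, here is the Perf query from earlier in this post, prettified into multi-line form and annotated the way the screenshot describes. This is an added example, not code from the original post: the line-start comment, the trailing comments and the commented-out Computer filter are all mine, and the `WEB` prefix in that filter is a made-up placeholder. It also uses `make_set`, the current name for `makeset`; the older spelling still runs.

```kusto
// Added example: the post's Perf query, prettified and commented.
// A "//" comment can start a line or follow code on the same line;
// everything from "//" to the end of that line is ignored by the engine.
Perf
| where TimeGenerated >= ago(2h)                   // only the last two hours
| where ObjectName == "Processor"
    and CounterName == "% Processor Time"
    and InstanceName != "_Total"                   // drop the aggregate instance
// | where Computer startswith "WEB"               // optional filter kept for later (placeholder prefix)
| sort by InstanceName asc nulls first
| summarize make_set(InstanceName), dcount(InstanceName) by Computer
// make_set() is the current name for makeset(); the result column is set_InstanceName
```

Commenting out a filter with `//` rather than deleting it, as in the Computer line above, is a handy way to keep a variant of the query in your saved syntax without it affecting the results, which is exactly what the Query Explorer does with the v1 syntax.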