You're reading from Learn Azure Administration - Second Edition

Product type: Book
Published in: Dec 2023
Publisher: Packt
ISBN-13: 9781837636112
Edition: 2nd Edition
Author: Kamil Mrzygłód

Kamil Mrzygłód is a technical lead and technology advisor, working with multiple companies on designing and implementing Azure-based systems and platforms. He's a former Microsoft Azure Microsoft Most Valuable Professional (MVP) and certified trainer, who shares his knowledge via various channels, including conference speeches and open source projects and contributions. Kamil lives in Poland with his two cats and one dog, dedicating some of his time to video games, cooking, and traveling.

Azure Log Analytics

Azure Log Analytics, being one of the most important components of Azure Monitor, allows you to run queries against logs stored in Azure Monitor’s datastore. While it’s not an independent service, it’s still worth diving deeper into, as many services and features allow you to integrate logs with this component. Azure Log Analytics is also one of the key elements of monitoring Azure infrastructure as it centralizes queries, alerts, and data.

In this chapter, we’ll extend your knowledge of Log Analytics by discussing details of workspaces, queries, and results visualization. The information contained in the upcoming sections will help you elevate your monitoring solutions in Azure so they provide more detailed, useful information.

In this chapter, we’ll cover a couple of different topics, including the following:

  • Getting started – an overview of Azure Log Analytics
  • Using workspaces
  • Querying data
  • Visualizing...

Technical requirements

For the exercises in this chapter, you’ll need the following:

The Code in Action video for this book can be viewed at: https://packt.link/GTX9F

Getting started – an overview of Azure Log Analytics

As mentioned at the beginning of this chapter, Azure Log Analytics is a tool that you can use to run queries against data stored in Azure Monitor. While it’s not the only thing that it provides, you can consider its ability to query data as its main use case. Log Analytics is a service that you don’t deploy personally. However, there are additional components, such as workspaces, that may be managed by you (we’ll talk about them in the next section of this chapter, named Using workspaces). Let’s start by discussing both basic and more advanced topics related to Log Analytics.

Use cases for Azure Log Analytics

In general, when you collect logs using Azure Monitor, they’re saved inside the internal datastore of the Azure Monitor service and can be used when needed. These logs can be leveraged in various scenarios – for instance, when creating an alert rule, you may query...

Using workspaces

Azure Log Analytics can be used as it is without provisioning any additional components. In this scenario, you may even be unaware of its existence as it’s incorporated into Azure Monitor in quite a seamless way. However, if you’d like to integrate it with other services (for instance, by deploying diagnostics settings and sending logs from services to a single place), you may be interested in creating a service called Azure Log Analytics Workspace. Let’s see how to use it.

Using Azure Log Analytics Workspace

To start using Azure Log Analytics Workspace, we’ll need to create it. Use the following commands to create a resource group and deploy the workspace inside it:

az group create -l <location> -n <resource-group-name>
az monitor log-analytics workspace create -n <workspace-name> \
  -g <resource-group-name>

Once created, a workspace can be used as a data sink for logs generated by other services. To send logs from...

Querying data

Being able to query data stored within your monitoring solution is one of the most important scenarios that you could leverage. In Azure Monitor (and specifically in Log Analytics workspaces), queries are written in a language called Kusto. Its syntax may resemble SQL, but it is crafted specifically for the data volumes and structure supported by Azure Monitor. Let’s start learning it by discussing its basic syntax.

The basic syntax of Kusto

Each query written in Kusto requires a data source to run against. This data source (a table) contains data that is already preprocessed and can be queried without additional actions on your side. Consider the following example:

VeryImportantTable
| where TimeStamp between (datetime(2022-01-01) .. datetime(2023-12-31))
| sort by ProjectName asc

The preceding query can be read as follows:

  1. Select VeryImportantTable as the data source.
  2. Filter the data using...

Visualizing results

Kusto supports a couple of different ways to visualize data stored in data tables. We’ll look at multiple examples of available functions that you can leverage in your queries. Let’s start with a description of the render function.

render function

Most visualization activities in Kusto are done using the render function. It supports a variety of different chart types that can be selected depending on the shape of your data. The most basic syntax of this function looks like the following:

VeryImportantTable
| render <chart-type>

We’ll start the description with the default visualization type – table.

Visualizing as a table

By default, results returned by Kusto queries are presented as tables. If you want to explicitly define this type, you could use the following query:

VeryImportantTable
| render table

Results rendered by this visualization type will include all columns unless they’re limited by the...
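
The following added example (not code from the book) runs the operators covered in The basic syntax of Kusto and in the render function section as one query. It goes slightly beyond the page by adding summarize; the datatable rows and the Status column are constructed assumptions, so the query runs in a workspace without any ingested data.

```kusto
// Constructed sample rows standing in for VeryImportantTable.
// TimeStamp and ProjectName come from the page's query; Status is an assumed column.
let VeryImportantTable = datatable(TimeStamp: datetime, ProjectName: string, Status: string)
[
    datetime(2021-12-31 23:59:59), "Billing",  "Failed",    // before the window starts
    datetime(2022-01-01 00:00:00), "Billing",  "Failed",    // exactly on the lower bound
    datetime(2022-06-14 09:30:00), "Identity", "Failed",
    datetime(2022-06-14 09:31:00), "Identity", "Succeeded",
    datetime(2023-03-02 17:45:00), "Identity", "Failed",
    datetime(2023-08-20 03:12:00), "Gateway",  "Failed",
    datetime(2023-12-31 00:00:00), "Gateway",  "Failed",    // exactly on the upper bound
    datetime(2023-12-31 14:00:00), "Gateway",  "Failed"     // same day, but after midnight
];
VeryImportantTable
// between is inclusive on both ends, and datetime(2023-12-31) means midnight,
// so events later on the final day fall outside the window.
| where TimeStamp between (datetime(2022-01-01) .. datetime(2023-12-31))
// Keep only the events of interest before aggregating.
| where Status == "Failed"
// One row per project with its failure count.
| summarize FailedCount = count() by ProjectName
// Highest count first; ties are ordered alphabetically by project.
| sort by FailedCount desc, ProjectName asc
// Swap columnchart for table to get the default tabular view.
| render columnchart
```

To include the whole final day, use an explicit half-open range instead, for example `TimeStamp >= datetime(2022-01-01) and TimeStamp < datetime(2024-01-01)`.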

Summary

In Chapter 14, we looked at Azure Log Analytics and its more detailed configuration, deployment, and integration options. We also discussed the fundamentals of the Kusto language, which is one of the most important topics when working with this Azure service. Remember that Kusto is not an easy topic – it requires lots of experience and skill to use it to your benefit. However, it’s worth spending some time learning it, as it’ll help you find necessary information quickly, especially when your infrastructure is integrated with Log Analytics workspaces using diagnostic settings.

Lessons included in this chapter should provide an additional view of Log Analytics and its place in your architecture. They should also help you gain a better understanding of monitoring in Azure in general, especially having Kusto in mind as your solution to query aggregated data.

In the last chapter of this book, we’ll take a look at Network Watcher – a native...
