Azure Log Analytics: looking at data and costs – Part 2 

Sometimes you get an obvious question, but it takes a while to work through the details. In this case Vlad wanted to know how much data each Service EndPoint Monitor (NPM) test produced, and the cost. So this is a modified version of my KQL code from Part 1…

Azure Log Analytics: Looking at data and costs 

At some stage you will either need to add a new set of data to Log Analytics or look at your usage and costs. Originally you looked at the Usage table for this data. As you can see from these docs (and please read them, as I won't go over the content here), Usage…

Azure Log Analytics: Cross Workspace Query 

This was announced at Ignite last week (see here), which I missed at the time. Adding ‘withsource=SourceTable’ I have found to be really useful to see where the data was found. If the returned SourceTable is just “SecurityEvent”, as per this example, it's from your local workspace; if it's workspace(”). SecurityEvent // show…

Azure Log Analytics: Dynamic Arrays 

In my first post on parsing we looked for Event log data and parsed the info to get user names from within the data in the Event log. Sometimes we want to work with a list of values, such as user or computer names, and look for these in the data. Jon once again asked for a…

Azure Log Analytics: Sorting Events 

Jon (who also works at Microsoft) was asking me how to use an ‘or’ to filter EventIDs, so I thought I’d add some syntax examples. We have seen in the last post that you can get Event or SecurityEvent details. I’ll use SecurityEvent as the example, but you can use Event if you prefer. All examples…

Azure Log Analytics: Using Perfmon data 

Updated: as of last night the Settings have moved to the Azure portal. Today I was looking at Perfmon data for a particular process. In this case it happened to be lsass.exe, but only on Domain Controllers. I needed to add this Perfmon counter to OMS, in Settings – Data – Windows Performance Counters (via the OMS…

Azure Log Analytics: Using the Parse operator 

Updated: to include some screenshots (as this wasn’t working the other day). Today I had to look at getting some data from SecurityEvent. This is using the new Log Analytics query language and the Advanced Analytics portal. I was looking at EventID 5061, but you can use any EventID you like, e.g. SecurityEvent | where…

Log Analytics Syntax post series: #4 : WireData 

One of the most interesting sets of syntax has been the use of WireData. I’m not really a networking person, but the way you can visualise and assess the data is very useful. For all of these, replace with your own FQDN. I started to look at traffic from a subnet and the remote…

Log Analytics Syntax post series: #3 Events & Alerts 

Part 3. I wanted to look at a range of EventIDs (I can't remember why now), but this is how: Type=Event EventID=* | measure count() by EventID | Where (EventID>6000 AND EventID<6500). If you want to look for some specific EventIDs, I was also filtering on the last 24hrs (Note: for the 24hrs scope…