
As a companion article to my video entry for this year’s Festive Tech Calendar 2020, here are the shared resources and some additional gift resources to help you learn and master Azure Monitor Log Analytics! I use the resources below on a weekly, if not daily, basis to help troubleshoot and administer workloads in Azure. I truly hope that the below materials assist you in your daily responsibilities and learning paths!
Azure Monitor Log Analytics is an interactive querying tool in the Azure Portal that runs against the data collected by Azure Monitor. You can retrieve records that match query criteria, gather insights on your data, analyze patterns, show trends, and visually render query results. Queries are written in Kusto Query Language (KQL) and can be saved either as a query or as a function.
The BEST advice I can give you is to start with one INCREDIBLY powerful and FREE resource:
https://portal.loganalytics.io/demo
Not only is the data in this demo environment updated frequently, but the sample queries are extremely useful: they teach how to query the data effectively, suggest new approaches to returning meaningful results from your diagnostic and audit logging, show new ways to interact with your resource data, and give you ready-made examples to share with others on your teams.
Here are the queries used in the demo, as well as additional bonus queries:
Demo Example #1:
// Show top 10 Security events by TimeGenerated
SecurityEvent
| top 10 by TimeGenerated
// Show Security Events based on Level and EventID
SecurityEvent
| where Level == 8 and EventID == 4672
// Show Top 10 Security Events based on Time Generated
// Select (project) only three columns of table data
SecurityEvent
| top 10 by TimeGenerated
| project TimeGenerated, Computer, Activity
// Select Security events greater than or equal to 7 days ago
// Group by and count based on Activity
SecurityEvent
| where TimeGenerated >= ago(7d)
| summarize count() by Activity
Demo Example #2:
// Show Computer heartbeat based on time generated in the past
// Group by distinct count of computers
// Render visualization in default barchart format
Heartbeat
| where TimeGenerated >= startofweek(ago(21d))
| summarize dcount(Computer) by endofweek(TimeGenerated)
| render barchart kind=default
Demo Example #3:
// Check container inventory for containers with status of Terminated
ContainerInventory
| where ContainerState == "Terminated"
Bonus Example #1:
// Determine availability statistics for Azure resources for past month until now
// Measure computer heartbeat and evaluate availability rate
// Project availability details (available hours, hourly buckets, availability rate) per computer as a table
let start_time=startofday(datetime("2020-11-01"));
let end_time=now();
Heartbeat
| where TimeGenerated > start_time and TimeGenerated < end_time
| summarize heartbeat_per_hour=count() by bin_at(TimeGenerated, 1h, start_time), Computer
| extend available_per_hour=iff(heartbeat_per_hour>0, true, false)
| summarize total_available_hours=countif(available_per_hour==true) by Computer
| extend total_number_of_buckets=round((end_time-start_time)/1h)+1
| extend availability_rate=total_available_hours*100/total_number_of_buckets
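Building on the bonus query above and on the point that a KQL query can be saved as a function, here is an added example (not from the original post or the demo environment) that wraps the availability calculation in a parameterized function and flags hosts whose heartbeat coverage drops below a threshold; the function and parameter names (availability_by_computer, lookback, min_rate) are assumed here. A host that stops reporting is worth a look, since it may mean the monitoring agent was stopped or the machine is no longer under management.

```kql
// Added example: parameterized availability function built on the Heartbeat table.
// Assumed names: availability_by_computer, lookback, min_rate (not from the original post).
let availability_by_computer = (lookback: timespan, min_rate: real) {
    let start_time = startofday(ago(lookback));
    let end_time = now();
    Heartbeat
    | where TimeGenerated between (start_time .. end_time)
    // One row per computer per hourly bucket, aligned to start_time
    | summarize heartbeat_per_hour = count() by bin_at(TimeGenerated, 1h, start_time), Computer
    // Hours in which at least one heartbeat was received
    | summarize total_available_hours = countif(heartbeat_per_hour > 0) by Computer
    // Number of hourly buckets in the window (same formula as the bonus query)
    | extend total_number_of_buckets = round((end_time - start_time) / 1h) + 1
    | extend availability_rate = total_available_hours * 100.0 / total_number_of_buckets
    | extend below_threshold = availability_rate < min_rate
};
// Hosts that were silent for more than 5% of the hourly buckets in the last 30 days
availability_by_computer(30d, 95.0)
| where below_threshold
| project Computer, total_available_hours, total_number_of_buckets, availability_rate
| order by availability_rate asc
```

Saving the let-bound lambda as a Log Analytics function lets you call it by name from other queries or from an alert rule with different lookback and threshold values.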
Some “gift” links of resources and learning opportunities:
Thanks once again to some great community stewards Richard Hooper and Gregor Suttie for organizing this wonderfully rounded Festive Tech Calendar 2020! Remember that there are not just tech sessions available, but soft skills and other storytelling from all areas and #HumansofIT – do check out the site all throughout the month of December, and do enjoy yourselves with the contributions!
I had a lot of fun creating this content – I hope you have just as much fun learning, playing, and sharing your creations with the community! Happy Holidays, Merry Christmas, and take care!
CG