Log Analytics
Log Analytics is a service in Azure Monitor that helps you collect, analyze, and query data generated by resources in both cloud and on-premises environments.
Using log queries, you can fully leverage the value of data stored in Azure Monitor Logs. The powerful query language allows you to:
- Join data from multiple tables
- Aggregate large volumes of data
- Perform complex analysis with minimal code
With the right data collected and well-constructed queries, virtually any operational or performance question can be answered.
Some Azure Monitor features—such as Insights and Solutions—analyze log data automatically without exposing the underlying queries. However, to fully utilize Azure Monitor’s capabilities, it’s important to understand how queries are built and how to interactively analyze log data.
Real-World Use Cases
Example 1: Assessing Updates
Assessing system update requirements and planning patches is a critical daily task for IT administrators. Accurate scheduling directly impacts SLAs and business operations.
Historically, patching schedules were created with limited insight into how long updates would take. Azure Operations Management Suite collects anonymized, crowd-sourced data from customers performing patches and calculates average installation times for specific missing updates.
This cloud-enabled insight allows administrators to plan updates more accurately and meet strict SLA requirements.
Example 2: Change Tracking
Troubleshooting operational incidents requires access to multiple data streams. Log Analytics enables centralized analysis across diverse data sources using a single interface.
By tracking changes across the environment, Log Analytics helps identify:
- Abnormal behavior from specific user accounts
- Installation of unapproved software
- Unexpected system reboots or shutdowns
- Indicators of security breaches
- Issues in loosely coupled or distributed applications
Creating a Log Analytics Workspace
To begin using Log Analytics, you must create a workspace.
Steps:
- Provide a name for the Log Analytics workspace
- Select an Azure subscription
- Choose an existing resource group (typically one containing Azure VMs)
- Select the location where your virtual machines are deployed
- The workspace uses the Per GB pricing model by default
Connected Sources
Connected Sources are the systems and services that send data to Log Analytics. These include:
- Windows and Linux agents (virtual or physical, on-premises or cloud)
- System Center Operations Manager (SCOM) management groups
- Azure Storage accounts collecting diagnostics data
Connected sources forward data to the Log Analytics service, where it is stored in a centralized Azure-hosted repository.
Data Flow Overview
- Log Analytics Service collects and stores data in the Azure repository
- Computer agents send telemetry from Windows and Linux systems
- SCOM agents forward performance and event data through management servers
- Azure Storage can send diagnostics data from virtual machines, web roles, or worker roles
Data Sources
Data sources define the types of data collected from each connected source. Configuration is managed centrally and automatically applied to all connected agents.
Common data sources include:
- Windows Event Logs
- Windows Performance Counters
- Linux Performance Counters
- IIS Logs
- Syslog
- Custom Logs and Custom Fields
Each data source includes additional configuration options. For example, Windows Event Logs can be filtered by severity (Error, Warning, or Information).
Log Analytics Querying
Log Analytics uses a query language to retrieve and analyze data stored in the workspace. Queries can be:
- Run interactively in the Azure portal
- Saved for reuse
- Scheduled to trigger alerts when conditions are met
Query results can also be visualized on dashboards or exported to tools such as Power BI or Excel. Developers can integrate Log Analytics data using the Log Search API.
Query Language Basics
Each query starts with a table, followed by one or more operators separated by a pipe (|). Operators refine, filter, and aggregate data.
Common Tables
- Event
- Syslog
- Heartbeat
- Alert
Example Query
The following query returns the top 10 computers generating error events in the last 24 hours:
Event
| where EventLevelName == "Error"
| where TimeGenerated > ago(1d)
| summarize ErrorCount = count() by Computer
| top 10 by ErrorCount desc
Common Query Operators
- count – Returns the number of records
  StormEvents | count
- limit – Returns a specified number of rows
  T | limit 5
- summarize – Aggregates data
  T | summarize count(), avg(price) by fruit, supplier
- top – Returns the top N records by a specified column
  T | top 5 by Name desc
- where – Filters rows based on conditions
  T | where fruit == "apple"
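The following is an added example, not a query from the original page, that combines the operators above with a join across two of the common tables to cover the "unexpected system reboots or shutdowns" case from the change-tracking section. It assumes the Windows System log is collected into the Event table and that Windows event ID 6008 ("the previous system shutdown was unexpected") is the signal of interest; the join against Heartbeat shows when each affected machine last reported in.

```kusto
// Added example: count unexpected shutdowns per computer over the last 7 days
// and attach the most recent agent heartbeat for each affected machine.
// Assumption: Windows System log events are collected into the Event table,
// and event ID 6008 marks an unexpected shutdown (logged at the next boot).
let lookback = 7d;
let unexpectedShutdowns =
    Event
    | where TimeGenerated > ago(lookback)
    | where EventLog == "System" and EventID == 6008
    | summarize ShutdownCount = count(), LastShutdownEvent = max(TimeGenerated) by Computer;
let lastSeen =
    Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize LastHeartbeat = max(TimeGenerated), OSType = any(OSType) by Computer;
unexpectedShutdowns
| join kind=leftouter lastSeen on Computer
// A machine with several unexpected shutdowns in a week is worth a closer look;
// a missing heartbeat means the agent has not reported since the lookback began.
| extend MinutesSinceHeartbeat = datetime_diff("minute", now(), LastHeartbeat)
| project Computer, OSType, ShutdownCount, LastShutdownEvent, LastHeartbeat, MinutesSinceHeartbeat
| top 10 by ShutdownCount desc
```

Saved and scheduled as an alert rule, the same query can raise an alert whenever ShutdownCount for any computer exceeds a threshold you choose.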