In this video, learn how to create a simple log query and filter the results.
- [Instructor] Using Log Analytics, we can easily analyze the logs generated by a variety of sources, including agents, resources within Azure, and Office 365, just to name a few, and we can access Log Analytics through the Azure Monitor and then select Log Analytics. Here we can perform simple, basic queries. Before we get started, you'll want to ensure that you have the correct workspace selected. Instead of building a query right off the top, let's go ahead and take a look at one that's already been preconfigured for us, and we'll use "search Heartbeat records that contain Windows."
We can change when the data was based on. Right now it's configured for one day, but we could change that as required. If we scroll down through our filter list, you'll see that we have two computers that are registering a heartbeat in the last day. We can see the category of how that's being registered. In this case, it's a direct agent. We can see the different resources. We can see the country where the IP was coming from and the IPs themselves and our OS type.
We could further drill down into one of these systems if we wanted to do so. If we select the demo VM, we can go ahead and click Apply, and you'll notice that the query changes. The one thing I wanna point out here is the pipe. If you want to break down the query into digestible chunks, make sure that the pipe is at the beginning of the line. It would work if we did it this way, as well. But for readability, that's much easier.
Now let's go ahead and create our own query. We'll start off by refreshing the screen. And for this query, we're going to list the updates on a virtual machine, and we'll start with a general search. I'm gonna go ahead and run that query. I could've continued to build it out, but I'm gonna go ahead and show you the filters. From this general search, we can go ahead and select update, and make sure you click Apply, and now we have a list of the computers that have updates applied to them.
Again, this'll be the same two computers. Again we'll select the demo VM, select Apply, and we could further filter the updates down to, let's say security updates and critical updates, and click Apply. And you can see we're down to eight results at this point. I'm gonna filter by table. It makes it a little bit easier to see. And at this point we could drill into each update to get a little bit more information. Once you have your query, you can go ahead and generate a new alert rule right from that query by selecting New Alert Rule.
You'd have to modify the alert criteria. Let's say our threshold was one. And so now our condition is whenever the custom log search is greater than one count. Again, this is not the best example. I just wanted to show you how you create the alert from the query. I'm gonna go ahead and close those. I would recommend that you review log queries before you sit the exam.
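The two filter walkthroughs above (Windows heartbeats in the last day, then security and critical updates on one VM) written out as KQL, as an added example that is not from the video; the computer name `demo-vm` is an assumed placeholder and the Heartbeat and Update column names are the standard Log Analytics schema.

```kql
// Added example, not from the video. Log Analytics runs the query under
// the cursor, so the two queries are separated by a blank line.

// 1. Computers that sent a Windows heartbeat in the last day, with the
//    fields the video filters on (category, IP, country, OS type).
Heartbeat
| where TimeGenerated > ago(1d)
| where OSType == "Windows"
| summarize LastHeartbeat = max(TimeGenerated)
    by Computer, Category, ComputerIP, RemoteIPCountry, OSType
| order by LastHeartbeat desc

// 2. Security and critical updates still outstanding on one VM.
//    "demo-vm" is an assumed placeholder for the computer name.
let targetComputer = "demo-vm";
Update
| where TimeGenerated > ago(1d)
| where Computer == targetComputer
| where Classification in ("Security Updates", "Critical Updates")
| where UpdateState == "Needed"
// keep only the latest row per update so each KB appears once
| summarize arg_max(TimeGenerated, *) by Title, KBID
| project TimeGenerated, Computer, Title, KBID, Classification, UpdateState
| order by Classification asc, Title asc
```

Saved as an alert rule with the condition "number of results greater than 1", the second query fires whenever more than one security or critical update is outstanding on that VM; lower the threshold to 0 if a single missing update should alert.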