Working with Azure Storage diagnostic logs in a Log Analytics workspace

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Log Analytics is an Azure service that collects telemetry and other data from various sources and provides a query language for advanced analytics. After you post logging data to a Log Analytics workspace with the HTTP Data Collector API, you can query the logs for troubleshooting, visualize the data for monitoring, or even create alerts based on a log search.

Step 1: Create a Log Analytics workspace

The workspace is now created.

Step 2: Load the Storage Analytics logs (from the $Log folder) into the Log Analytics workspace using the script below.

Make sure you change the following values in the script before executing it:

- $ResourceGroup
- $StorageAccountName
- $CustomerId
- $SharedKey
- $LogType
- Create a file named Log.txt on your D drive and update the path below in the script:

$filename = "D:\Log\Log.txt"

You can find more details on this script here.
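As an added illustration (not the script the post links to), the following Python shows what such a loader does: it parses one Storage Analytics $logs line (format version 1.0) into the columns the queries below use, then builds the signed HTTP Data Collector API request. The workspace id, the shared key and the log line are constructed placeholders, and no network call is made.

```python
import base64
import datetime as dt
import hashlib
import hmac
import json

# Field order of a Storage Analytics $logs line (log format version 1.0, ';'-delimited).
STORAGE_LOG_FIELDS = (
    "version_number", "request_start_time", "operation_type", "request_status",
    "http_status_code", "end_to_end_latency_in_ms", "server_latency_in_ms",
    "authentication_type", "requester_account_name", "owner_account_name",
    "service_type", "request_url", "requested_object_key", "request_id_header",
    "operation_count", "requester_ip_address", "request_version_header",
    "request_header_size", "request_packet_size", "response_header_size",
    "response_packet_size", "request_content_length", "request_md5", "server_md5",
    "etag_identifier", "last_modified_time", "conditions_used", "user_agent_header",
    "referrer_header", "client_request_id")

def parse_storage_log_line(line):
    """Map one $logs line to a dict; quoted fields are unquoted, short lines are padded."""
    values = [v.strip('"') for v in line.rstrip("\r\n").split(";")]
    values += [""] * (len(STORAGE_LOG_FIELDS) - len(values))
    return dict(zip(STORAGE_LOG_FIELDS, values))

def build_signature(customer_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """Authorization value: 'SharedKey <id>:<b64(HMAC-SHA256(b64decode(key), string_to_sign))>'."""
    string_to_sign = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"
    mac = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"), hashlib.sha256)
    return f"SharedKey {customer_id}:{base64.b64encode(mac.digest()).decode('ascii')}"

def build_request(customer_id, shared_key, log_type, records, now=None):
    """Return (url, headers, body) for the Data Collector API POST; nothing is sent here."""
    now = now or dt.datetime.now(dt.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(customer_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,                           # becomes the <Log-Type>_CL table
        "x-ms-date": rfc1123_date,                      # must match the signed date exactly
        "time-generated-field": "request_start_time",   # keep the log's own timestamp
    }
    return f"https://{customer_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01", headers, body

# Constructed sample line (not a real account); the key below is a placeholder, not a real secret.
SAMPLE_LINE = ('1.0;2020-01-05T10:15:30.0000000Z;GetBlob;Success;200;17;16;authenticated;acct1;acct1;'
               'blob;"https://acct1.blob.core.windows.net/container2/Tiger.jpg";"/acct1/container2/Tiger.jpg";'
               'req-0001;0;203.0.113.10;2019-02-02;252;0;265;100;0;;;"0x1";;;"client/1.0";;"cid-0001"')
PLACEHOLDER_KEY = base64.b64encode(b"placeholder-shared-key-not-real!").decode("ascii")
```

Each posted record arrives in the workspace as a row of the `<Log-Type>_CL` table with the `_s`, `_t` and `_d` suffixes the queries below rely on.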

Step 3: Once you run the script, you will see the output below, which indicates that the logs are being posted to Log Analytics.


Common Queries

 

Apsarnewlog_CL

| limit 50

 

Apsarnewlog_CL

| sort by request_start_time_t asc //Sorting

 

//Use Wild cards using "*"

 

search in (Apsarnewlog_CL ) "*Tiger*" //The search command is typically used to search a specific term. In the following example, all columns in all tables are scanned for the term Tiger:

 

search in (Apsarnewlog_CL) request_url_s:"*Tiger*" // By default, search will evaluate all columns in the data set. To search only a specific column {request_url_s}, use this syntax:

 

search in (Apsarnewlog_CL) "container2" and ("Sucess" or "200") //If you have multiple search conditions, you can combine them into the same query using parentheses:

| take 100

 

Apsarnewlog_CL // Use project to select specific columns to include in the results:

| top 10 by client_request_id_s

| project TimeGenerated, request_url_s , operation_type_s

 

 

Apsarnewlog_CL //Summarize: aggregate groups of rows

| where TimeGenerated > ago(1h)

| summarize count() by operation_type_s

 

 

clipboard_image_0.png

 

Apsarnewlog_CL

| where request_start_time_t > ago(1d)

| summarize count() by tostring( requester_ip_address_s), operation_type_s, bin(request_start_time_t, 1h)

 

clipboard_image_0.png
