To query logs in Azure Monitor, perform the following steps:
- Navigate to the Azure portal by opening https://portal.azure.com.
- In the left-hand menu, select Monitor to open the Azure Monitor overview blade. Under Insights, select More. This will open the Log Analytics workspace that we created in the previous step.
- On the overview page, click on Logs in the top menu. This will open the Azure Monitor query editor:
Azure Monitor query editor
- Here, you can select some default queries. They are displayed at the bottom part of the screen. There are queries for retrieving unavailable computers, the last heartbeat of a computer, and much more. Add the following queries to the query editor window to retrieve data:
-
- This query will retrieve the top 10 computers with the most error events over the last day:
Event | where (EventLevelName == "Error") | where (TimeGenerated > ago(1days)) | summarize ErrorCount = count() by Computer | top 10 by ErrorCount desc
-
- This query will create a line chart with the processor utilization for each computer from the last week:
Perf | where ObjectName == "Processor" and CounterName == "% Processor Time" | where TimeGenerated between (startofweek(ago(7d)) .. endofweek(ago(7d)) ) | summarize avg(CounterValue) by Computer, bin(TimeGenerated, 5min) | render timechart
A detailed overview and tutorial on how to get started with the Kusto query language are beyond the scope of this book. If you want to find out more about this query language, you can refer to https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/get-started-queries.