31 January 2022

  • 2

  • 4713 views

  • 0

31 January 2022

4713 views
2 0

Saving and Sharing Log Analytics Query

Update on 01/03/2022:

There are two small mistakes on the article below.

A) On the UI, the only Tag value which accepts customization is Label. I believe the customization is possible through API, but I haven’t checked it.

B) The filter and group by using the Label tag is possible. The Label only appears as a possible filter when at least one query has a label. The filters appear or not according to the tags set on the queries.

End Update

Log Analytics uses KQL – Kusto Query Language – as the query language for the log storage. On the past, we could only save the queries  in the Log Analytics Workspace and it was not easy to share them

The new feature to change this scenario is the Log Analytics Query Pack. This feature is an object capable to contain the queries we would like to save. Log Analytics Workspace can read the queries in the query pack.

This feature is still in preview. Some details will seem to be incomplete, but there is no doubt this is an important feature

Default Query Pack

If you ignore the query packs, the query packs will ignore you. Log Analytics creates the default query pack automatically the first time you save a query. This will happen for each subscription.

Saving Queries

When you build a query you can Save a query or a function, the process is slightly different. The functions can be saved only in the workspace, not in a query pack. Let’s keep the focus on the query.

When you build a query you can save it to a query pack. You have the option to save on the default query pack or choose a query pack to save it.

If we are saving the query to the default query pack the entire process can be transparent. We save the query and all workspaces on the same subscription are able to see the query.

On the other hand, if we are using custom query packs we should use the Tags carefully, so we will be able to find the queries easily on the Logs UI.

There are 3 types of Tags we can use on our queries, they are:

Category: The Category Tag is also used by the example queries provided by Microsoft to classify the purpose of the query. We can fit the query in the existing categories or create our own.

Resource Type: The idea of this tag is to classify the queries by the type of resource they are using. However, my recommendation is to use this tag to classify the queries by Query Pack in which it’s saved. The UI doesn’t provide in a very good way the information about the source query pack. It’s up to us to use the Tag fields to classify by query pack.

Label: This is a more “open” Tag field, you can use this for many different purposes. However, this field is not included (at least not yet) in the Filter or Group By UI options explained further on this blog. Due to this, I don’t recommend the use of the Label to classify by query pack.

Reading Queries

The Logs UI, when we select the option on a Log Analytics Worskpace, show us two windows: One popup window, displayed first, allowing us to select a query to edit or execute, it’s like an introduction window; The main query building window, which will display existing queries and allow us to build new ones.

On the popup window, a new option was included allowing us to select the query packs we would like to see on the query editor. The Log Analytics Workspace will remember our selection, so usually we may need to make this selection once, unless the need of additional queries or functions appear.

On the UI, after selecting the query packs, you can close this window and even so your selection will still be remembered.

On the main query editor window, the information about the query pack is displayed only in two different places:

Group by option: The Group by option to group the queries has the option to group the queries by the query type. There are two main query types: “Example Query”, the examples provided by Microsoft and “Query Pack” queries, the queries saved in query packs, either the default or custom ones.

This option can tell you what queries are from query packs, but it doesn’t break down the queries by query pack. In order to achieve this you would need to use the Tag together the group by, as explained before.

Query Popup: Each query has a popup window displayed when we select the query. This popup window tell us the source of the query. It’s useful for individual queries, but to find the queries from one query pack, for example, we would need to look query by query. We avoid that using the Tag to Filter or Group the queries by query pack, as mentioned before.

Summary

Log Analytics is a very important feature on Azure and can be used even for on premises implementations. The Query Packs expand the possibility to create reusable KQL queries and spread Log Analytics culture on an enterprise level

References

  • 2

  • 4713 views

Rate this article

Click to rate this post!
[Total: 2 Average: 4.5]

Dennes Torres

Dennes Torres is a Data Platform MVP and Software Architect living in Malta who loves SQL Server and software development and has more than 20 years of experience. Dennes can improve Data Platform Architectures and transform data in knowledge. He moved to Malta after more than 10 years leading devSQL PASS Chapter in Rio de Janeiro and now is a member of the leadership team of MMDPUG PASS Chapter in Malta organizing meetings, events, and webcasts about SQL Server. He is an MCT, MCSE in Data Platforms and BI, with more titles in software development. You can get in touch on his blog https://dennestorres.com or at his work https://dtowersoftware.com

Follow Dennes Torres via

View all articles by Dennes Torres

Load comments

Related articles

 21 February 2024
21 February 2024

Eventstream and the new KQL Processing

0
1
Eventstream has many differences in relation to the technologies it proposes to replace. Event Hub, Stream Analytics, Streaming Dataflows and more. We can compare these technologies, but EventStream in Microsoft Fabric has some specific differences from all of them. One of the differences is how the transformation of the input data is linked to the … Read more
0
1
16 August 2021
16 August 2021

Creating functions in Kusto Queries

0
2
In the previous blog, I illustrated how to create sub-queries in Kusto. However, sometimes we may face even more complex situations and we may need to create not only a sub-query, but a function. Another way to think about a function inside a Kusto query is like a parameterized sub-query. Let’s review the query from … Read more
0
2
30 April 2024
30 April 2024

PySpark Secrets to use with Fabric

0
1
PySpark is a powerful language for data manipulation and it’s full of tricks. Let’s discover some of them. Control the Type of a NULL column If you are creating a pysspark dataframe, but one of the columns contains only null values (None), how could you control the type of the column? There is an interesting … Read more
0
1

Tags

, ,