How it works...
A Log Analytics query performs read operations against data ingested into an Azure Log Analytics data repository. A query can start with either a search command or a table name. This matters because OMS data sources and solutions store their data in tables in the Log Analytics workspace, and both table-based queries and search queries reference those tables. Fundamentally, a Log Analytics query names a table, which defines the initial data set and where it is returned from. The initial result set is then refined and filtered by a chain of query operators separated by the pipe character (|).
After the initial result set is returned, it is passed to a filter for further processing. This is indicated by a pipe character at the start of a new line, which marks the start of a filter. The pipe is usually followed by a query operator, which takes parameters such as scalar expressions. Each new line beginning with a pipe character starts another filter or command that is applied to the result set produced so far.
The syntax structure for the Log Analytics query language is as follows:
Table or search query
| operator1 scalar expression
| operator2 [function]
| operator3....
A scalar expression refers to numerical or string values in a single Log Analytics table cell. Scalar expressions will evaluate to scalar values. Examples of scalar expressions include the following:
log(10)/1 == value - 99
where TimeGenerated > ago(24h)
Furthermore, you can use the intuitive filters and facets in the portal to further filter the result sets until you arrive at the specific information of interest. As you interact with and select field values of interest, you can add the selected values to your filter in the query bar. This intuitive feature enables you to easily build queries and learn how to filter indexed data.
You can further make use of query filters to return more specific data from the initial result set. For instance, using the table-based Perf query mentioned previously, you could further filter the previously mentioned result set to return records of a specific value, such as LogicalDisk from the ObjectName column in the Perf table. You could use a query such as the following:
Perf
| where ObjectName == "LogicalDisk"
| where Computer == "HV01LEN.odiks.com"
The preceding query starts with a basic, table-based query against the Perf data type and uses instances of the tabular where operator with scalar expressions to further filter the initial result set. It uses the LogicalDisk value and a Computer name facet from the ObjectName and Computer columns of the Perf table respectively. The search then identifies all data that matches the query and returns it as the result set displayed in the search or Analytics portal. The pipe character separates the operators: the output of one operator becomes the input to the next, and each pipe marks the start of a new filter. For instance, in the preceding query, the input to the first tabular where operator is the Perf table, which is the output of the pipeline stage that precedes the where operator:
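As an added example that is not part of the original text, the following query builds on the preceding Perf query and the ago(24h) scalar expression shown earlier, chaining several pipe stages so that each operator consumes the output of the one before it. The "% Free Space" counter name and the CounterName, InstanceName and CounterValue columns are the standard Perf schema for LogicalDisk counters; that this counter is being collected in your workspace is an assumption.

```kusto
// Added example: the Perf table is the input to the first pipe stage.
Perf
// Scalar expression restricting the time range to the last 24 hours
| where TimeGenerated > ago(24h)
// The two facets from the original query, each a separate filter stage
| where ObjectName == "LogicalDisk"
| where Computer == "HV01LEN.odiks.com"
// Narrow to one counter (assumes "% Free Space" is collected)
| where CounterName == "% Free Space"
// Operator with functions: aggregate the filtered rows per volume per hour
| summarize MinFree = min(CounterValue), AvgFree = avg(CounterValue)
    by Computer, InstanceName, bin(TimeGenerated, 1h)
// A further filter now runs against the aggregated result set, not the raw rows
| where MinFree < 10
| order by TimeGenerated desc
```

The last where operator illustrates the pipeline rule from the text: its input is the summarized table produced by the preceding stage, so it can reference MinFree, a column that does not exist in Perf itself.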