There's more...
As shown in the preceding query syntax, a Log Analytics query is comprised of a filter, which can be a table or a search command, and a set of operators or commands that can further filter the initial result set and return very specific information from the data in tables in your Log Analytics workspace, or across workspaces. The structure of the query language is such that you can start with simple basic queries and progress to use more advanced functions and capabilities as your search requirements increase in complexity. As shown previously, after you return the initial result set by referencing data in a table, you can perform incredibly advanced functions by chaining multiple operators together in order to further filter and glean insights into your data. In order to work with more advanced functions and perform more complex query operations, you will need to understand the various Log Analytics service concepts, supported query operators, functions, expressions, and other query components that are available in the Log Analytics query language.
As stated in earlier sections of this chapter, the Log Analytics language is a highly-interactive language from which you can derive answers and insights from disparate machines and other data sources. It works at scale, is optimized for searches over large datasets, and includes smart machine-learning constructs for analyzing and correlating ingested data.
The query language supports the use of a wide range and variety of tabular and scalar operators, as well as various functions that enable you to scope, filter, and aggregate data to glean and visualize insights from even the most complex big data sets. To illustrate this, let's look at how we can quickly glean and visualize insights about data usage in a Log Analytics workspace using a relatively simple query. Consider the following query, which shows a distribution of your workspace data by type over the last 24 hours:
union withsource=type *
| where TimeGenerated > ago(24h)
| summarize AggregatedValue = count() by type
| render piechart
This query effectively says, "Take every table in the workspace and return the rows whose timestamp falls within the past 24 hours. From that set, count the rows for each data type. Display the counts as a pie chart visualization."
When executed in the Analytics portal, this query will return a pie chart rendering of the distribution of data in your workspace. Let's peel back the covers and analyze what the query is doing beneath the surface. The query begins with a union tabular operator, which scopes the initial result set that will be filtered further in the query:
union withsource=type *
The union operator references all tables in the current workspace—using the wildcard (*)—and returns the rows from all of them. Because of withsource=type, each returned row carries an extra column named type that holds the name of the table it came from, which is what the later summarize step groups on. The initial result set is then filtered in the next query line, introduced by the pipe character:
| where TimeGenerated > ago(24h)
The where tabular operator is then used with a simple scalar expression to keep only those rows of the initial result set that satisfy the predicate defined in the scalar expression (TimeGenerated > ago(24h)). This filters out everything but data from the last 24 hours. The returned data is then passed on for further processing in the next query line, which is again introduced by the pipe character:
| summarize AggregatedValue = count() by type
The summarize tabular operator then takes the rows returned by the preceding filter, calls the count() aggregation function, and returns one row per value of type with the aggregated count of rows for that data type.
At this point, the data has a shape that looks like the following screenshot:
The aggregated data is then passed on to the next and last query line, which is also introduced by the pipe character:
| render piechart
The render tabular operator produces a graphical output of the aggregated data passed in from the preceding step; here it draws the per-type counts as a pie chart. The render operator supports a wide variety of visualization types. The rendered data is then returned in the following form:
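As an added example (not from the book), the same union/where/summarize pattern turned into a simple monitoring query: it lists every table that sent data during the past week but nothing in the last 24 hours, which is how a gap in log ingestion (a stopped agent, a removed diagnostic setting) shows up before it becomes a blind spot for detection. The 7d and 24h thresholds are arbitrary choices.

```kusto
// Added example, not from the book: tables that were ingesting during the past
// week but have gone quiet in the last 24 hours. Thresholds are arbitrary.
union withsource=type *
| where TimeGenerated > ago(7d)
// LastSeen: newest record per table; Rows7d: how much that table normally sends
| summarize LastSeen = max(TimeGenerated), Rows7d = count() by type
| where LastSeen < ago(24h)
| extend HoursSilent = datetime_diff("hour", now(), LastSeen)
| project type, LastSeen, HoursSilent, Rows7d
| order by HoursSilent desc
```

Run it in the same Log Analytics query window; an empty result means every table that reported in the last week has also reported in the last day.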
In addition to the tabular operators reviewed in the preceding example, the Log Analytics query language supports the use of scalar operators and a wide variety of functions.