Azure Monitor-Log Analytics

Welcome to the Azure Log Analytics (https://azure.microsoft.com/en-us/services/log-analytics/) Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS

  1. whitespace

    There is too much whitespace. The bar with icons for alerts etc incl.

    0 votes
    0 comments  ·  Search UI and Language
  2. Add "render" option for query language

    Can we please have an option to display search results into different types of graphics? Similar to Kusto (or Application Insights Analytics) which has an option to render the search results into different graphics.
    For example:
    requests
    | where timestamp >= ago(24h)
    | summarize requestCount=count() by client_CountryOrRegion
    | order by requestCount desc
    | render piechart

    6 votes
    0 comments  ·  Search UI and Language
  3. Keep "Show More" open while search is running

    Show More should stay open. If a search is on-going, the "[+] show more" option keeps closing.

    1 vote
    0 comments  ·  Search UI and Language
  4. Bug with saved queries containing a plus sign

    When I open in Log Search a saved query that contains a '+' sign, it does not load correctly, omitting the '+' and thus generating a syntax error (please see attached file).

    2 votes
    0 comments  ·  Search UI and Language
  5. Allow to search for 'parts' of a datetime field

    Real-world scenario: I need to analyze my alerts distribution by time windows (i.e. how many of them overnight vs. during the day) and based on week day (how many on Sunday, Monday, ...).
    I think this scenario can be applied to every data source you have. To do that we need to be able to query on parts of the datetime fields.

    11 votes
    0 comments  ·  Search UI and Language

    I have this capability on my query language improvement backlog already. I would like to allow folks to search via local time (instead of ISO UTC time) and use keywords like Sunday, 6PM, etc.

    This is currently behind JOIN, Regex, DEDUP, and search time custom field extraction.

  6. add optional UX for query string

    Add a ? option to the query language line which would bring up a UI to build the query line. At the very least, have it bring up context based help that describes the options and features of the query line.

    This UI would build the query line like the following: Type:Update (Classification:"Security Updates" OR Classification:"Critical Updates") AND UpdateState=Needed AND Optional=false AND Approved!=false Computer="server.domain.com"

    Basically I want to filter the output to some of the fields rather than all of the properties.

    1 vote
    1 comment  ·  Search UI and Language
  7. Syntax Suggestions

    Don't give me syntax suggestions if they are invalid!

    1 vote
    0 comments  ·  Search UI and Language
  8. Import groupings from SCOM

    Import already existing server groupings from SCOM for access in the Log Analytics or the pre-built assessments

    11 votes
    1 comment  ·  Search UI and Language
  9. "internal server error" for search Type=SecurityEvent TimeGenerated>NOW-24Hours

    Similar searches work for other Types. This one generates an internal server error.

    3 votes
    under review  ·  1 comment  ·  Search UI and Language
  10. [View] links for EventID rework

    [View] for EventID only searches TechNet for the event number - this is generally not useful functionality. Please have all [View] links point at useful info for their associated content.

    1 vote
    0 comments  ·  Search UI and Language
  11. Choose Width of Filter Slicer

    You should be able to change the width of the filter slicer on the Search page, or it should be expandable between 3 sizes (collapse, mini, full screen width), similar to the experience in the Azure portal for blades.

    3 votes
    0 comments  ·  Search UI and Language
  12. Unique

    It would be incredibly powerful if we were able to do a Select Distinct/Unique on a given result set.

    I'm thinking something similar to how this is done in PowerShell:

    Get-Process | Select Name, Path -Unique | Sort Name

    1 vote
    1 comment  ·  Search UI and Language
  13. Issue when using special characters in query

    Issue with special characters in query:
    When a query contains a special character, the query reports an error "the remote server returned an error:(400) Bad Request"

    query example: Type=ConfigurationChange ConfigChangeType="Software" SoftwareType="Application" and SoftwareName=µTorrent

    3 votes
    0 comments  ·  Search UI and Language
  14. Support conversion and formatting functions in the search language

    There should be an option in the search language to convert metrics. For example, if I want to convert Bytes to Gigabytes, that should be possible in the search language. Other examples are converting time to a specific format (shorter time format, adding timezone, etc.)

    15 votes
    8 comments  ·  Search UI and Language
  15. Ability to disable automatic search history dropdown

    As my searches get more complex and I am using the search function to investigate, the automatic history drop down is frustrating, as it covers the results, requiring me to click in another part of the window to get it to go away.

    3 votes
    0 comments  ·  Search UI and Language
  16. Operational Insights reference in OMS

    I've noticed a reference to Operational Insights (old name) in the portal.

    4 votes
    0 comments  ·  Search UI and Language
  17. Portal site Localization

    Currently, the OMS portal site is not localized to other languages.

    For example, the assessment intelligence pack has useful information, but many customers (in Japan) cannot understand English information...

    Please localize the portal site to famous languages.

    6 votes
    1 comment  ·  Search UI and Language
  18. 'interval' function in Measure command should support all statistical/aggregation functions (Max/Min/Avg/Sum) not just count

    Per documentation:
    https://azure.microsoft.com/en-us/documentation/articles/operational-insights-search/
    The interval function is supported only for grouping Date/Time fields and works only with the count() aggregation function. This makes the use of the interval function very limited. For example, if you want to create a query that will show certain results for every hour for the past 12 hours for multiple objects, you can't.
    Example of this:
    Type:WireData | measure count() by ApplicationServiceName interval 1HOUR
    In order to achieve such results you will have to create query for every ApplicationServiceName like this:
    Type:WireData (ApplicationServiceName=http) | measure count() by TimeGenerated interval 1HOUR
    Additionally if you want to see the traffic…

    1 vote
    0 comments  ·  Search UI and Language
  19. Ability for Searches to Have Titles

    When I click on the "Locked-out Accounts" view from the Security IP, I am brought to the search section. There is no way on this page to tell what I am looking at without analysing the search. In the search bar it shows "EventID=4740", but who in their right mind has every event ID memorized? There should be a title that shows I clicked on "Locked-out Accounts".

    6 votes
    0 comments  ·  Search UI and Language

    Thanks for the feedback.

    This is similar to the behavior the mobile app has for ‘saved searches’ – they do show the title there.

    Coded drill-downs today don’t carry a title across pages, and changing this has an overall impact on the breadcrumb code, most likely – see this other idea http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519263-moving-across-pages-needs-to-be-seamless-clickable

    Keep in mind that the default drill down pages are meant as a convenience: once you identified a search you care about, you can SAVE it to your Saved Searches, and pin it on your own dashboard – those tiles in dashboards have a title (=the name of the saved search).

  20. When pivoting from results of Measure count() queries that use INTERVAL (based on field TimeGenerated) drill down query returns no result

    REPRO steps:
    Do a query like Type:Event | Measure count() interval 1DAY; the grouped results you get back will have TimeGenerated as the first field.... but the row in the table really represents a time RANGE/interval
    When clicking on a group, the resulting query becomes something like Type:Event TimeGenerated:"2014-02-25T20:04:39.234Z" - this yields no results because the TimeGenerated is really just the BEGINNING of the '1DAY' interval.

    How it should work:
    backend API should provide more information back to the caller, such as
    - informing that this group is not based on a fixed string value (like in many other cases…

    2 votes
    under review  ·  0 comments  ·  Search UI and Language