Azure Monitor-Log Analytics
Welcome to the "Azure Log Analytics ":https://azure.microsoft.com/en-us/services/log-analytics/ Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS
- For general discussion/question and answers (not ideas and bug reports) use the MSDN Forum
- Onboarding issues? Read this troubleshooting guide
- How do I do XYZ? Try our documentation
- Customers with Premier support can log support cases via Premier
- Customers with Azure support agreements can log support cases in the Azure portal
-
Support wildcards for field values in search
Being able to use naming convention in criteria would be very useful, i.e. Computer="SRV0*". Having to enter exact names makes exploration less versatile.
91 votesYou can now do wildcard searches.
e.g.
Computer=svel*
Type=WireData RemoteIP:172?16*
Type:Perf CounterName=ProcessorA couple of things to note:
- Do not enclose the value in quotes – it will look for * as the actual value to match
- For strings with . in them, use the ? to match (. is not currently a valid character in non-quoted string literals)
- Use ? to match spaces in strings
-
Long-Running Saved Searches (or scheduled) that can generate an Alert and/or email notification
This could be useful for daily/weekly reports, as well for 'monitoring' type scenario.
The basic idea is you could be scheduling your query to run every so often, and then take some action such as raising an alert or email you the Excel/CSV results out, etc...It would again - like dashboards - build on the foundation of 'saved searches' http://blogs.technet.com/b/momteam/archive/2014/07/25/system-center-advisor-limited-preview-saved-searches-cloud-attach-status-and-usage-and-more.aspx
You could ask HTML/Text or Excel output of results, or a customizable message you define, like in a SCOM Alert http://blogs.technet.com/b/momteam/archive/2014/08/29/check-it-out-export-advisor-search-results-to-excel.aspx
Or it could produce an Alert and store it in Search.
Or all of the above?
91 votesThanks for voting for this suggestion.
We’ve now enabled the ability to have the results of a search generate either an e-mail notification or call an Automation runbook.
Read more on about it on our blog:
http://blogs.technet.com/b/momteam/archive/2015/12/02/announcing-the-oms-alerting-public-preview.aspxTry it out and then make additional suggestions on the feedback site.
-
Search autocomplete or Intellisense-like assisted search typing
Autocomplete within search for fields/facets/functions would be useful for exploration.
46 votesWe shipped this! Check the blog post at http://blogs.technet.com/b/momteam/archive/2015/02/20/smart-search-with-autocomplete-amp-the-new-filter-in-operational-insights.aspx
-
Easy way to fetch the last datapoint for a specific set of computers
I need a way to fetch the last data document for a given set of computers (1 to all) for a given DataSource.
- last performance point
- last IIS log entry
- ...
while this can be done for a single computer using the TOP clause and ordering by TimeGenerated I didn't find a way to get it for a set of computers.
The IN clause seems to just for computer and it doesn't support the full query language, for example: Type=Perf TimeGenerated IN {Type=Perf | measure max(TimeGenerated) As TimeGenerated by Computer | select TimeGenerated} doesn't work, it says…71 votesHi,
With the recent upgrade of our query language, this option is supported out-of-the-box.
In the example below, the operators argmax() and in() are being used to retrieve the latest record in a given data source, for each computer in a dynamically-created set of computers.
I also used “let” to name that list, in this example it’s a set of computers that are missing updates.let computers_that_need_update =
Update
| where TimeGenerated > now(-1d)
| where UpdateState == “Needed”
| summarize makeset(Computer);
Heartbeat | summarize argmax(TimeGenerated, *) by Computer | where Computer in (computers_that_need_update)To learn more about the new query language, check out the language documentation site: http://docs.loganalytics.io/
Regards,
Noa -
Increase the supported number of grouping fields for MEASURE command
Currently the "MEASURE" command in OMS Search language supports group by up to 3 fields. In order to pass aggregated NRT perf data to Power BI and produce meaningful Power BI reports, we need 5 fields in the Power BI dataset: ObjectName, Computer, CounterName, InstanceName and CounterPath. We are not able to produce a search query in OMS that passes all 5 fields to Power BI because the measure command only supports group by up to 3 fields. i.e. Type=Perf | measure avg(CounterValue) by Computer,CounterName,InstanceName
Please consider lift this number from 3 to 5 so we can pass all required…70 votesHi,
With the recent upgrade or our query language, this option is supported out-of-the-box.
The given example would be translate to this in the new language:Perf
| summarize average_value= avg(CounterValue) by Computer, ObjectName, CounterName, CounterPath, InstanceNameI am not aware of a limit on the number of dimensions to group by. For example you can also add SourceSystem and group in 2-hour buckets of TimeGenerated:
Perf | summarize average_value= avg(CounterValue) by Computer, ObjectName, CounterName, CounterPath, InstanceName, SourceSystem, bin(TimeGenerated, 2h)The full documentation is available here: https://docs.loganalytics.io/docs/Language-Reference/Tabular-operators/summarize-operator
Regards,
Noa -
Integrate with PowerBI - allow to query and refresh data via OpInsights searches within PowerBI
This is the follow up scope after our initial Export to Excel functionality introduced here http://blogs.technet.com/b/momteam/archive/2014/08/29/check-it-out-export-advisor-search-results-to-excel.aspx
61 votesThis is now in public preview:
https://blogs.technet.microsoft.com/msoms/2016/04/01/export-oms-data-to-power-bi-now-available-in-public-preview/ -
Bring back the Preview Feature "PowerBI Integration"
We use this feature in the past with an older OMS instance to push search data from OMS to Power BI and it is very helpful for us. With newer instances there is no possibility to activate this feature, so please bring it back as soon as possible.
60 votesNow available in Public Preview! https://blogs.technet.microsoft.com/msoms/2016/04/01/export-oms-data-to-power-bi-now-available-in-public-preview/
-
Be able to set case sensitiveness for data in searches
Scenario.
Run this query * | Measure Max(TimeGenerated) by ComputerName
I have multiple entries for several computers since different IPs have set the name with different case combinations.
Every time we search or aggregate we should be able to specify if we want to be case sensitive or insensitive. If it's too expensive, just default to case insentiveness since I think it's the more common usage.56 votesHi,
With the recent upgrade or our query language, this option is supported out-of-box.
The given example would be translate to this in the new language:
`search * | summarize AggregatedValue = max(TimeGenerated) by tolower(Computer)`Note that “tolower” was used to create groups by computer names, regardless if it’s upper/lower case in the raw data.
To compare values that are not even aggregated, you can now select the case-sensitive or insensitive operators.
For example:
Heartbeat | where Computer == “contoSOWEB” vs. Heartbeat | where Computer =~ “contoSOWEB”
Heartbeat | where Computer containscs “CONTOSO” vs. Heartbeat | where Computer contains “CONTOSO”Another use case could be to get the latest record relating to each computer in a given table, for example to find the latest heartbeat of each computer. argmax is the best operator for that. If somehow different logs use different cases for the same computer,…
-
Back button
It would be nice a back button to drill up the queries. I know that already have a history on query texbox, but we are more familiar with a back button. I always click on the browser back button, that always redirects me to the home page of OMS, not the last query.
58 votesThis has been completed. Tell us what you think!
-
Filter Groups of Computers thru subqueries (IN / NOT IN operators)
Would very much need some way to filter the queries to only SQL, Exchange, Sharepoint, Lync, etc. servers. Maybe use SCOM groups somehow? Basically our SQL team would need an easy view to only see SQL servers and not have to enter each server name on the filter query. For example show me: "SQL servers, disk size > 5 GB"
36 votesIn OMS we wanted to re-define the idea of what a group is. Since groups are essentially lists of machines we think the ability to do sub-queries is a key ingredient i.e. give me the list of machines that are sql servers is one ‘inner’ query – and then your outer query checks for data where the value of Computer is IN any of the values in the inner query results.
The basic functionality for this is implemented and enabled now.
Read more about it in the blog post http://blogs.msdn.com/b/dmuscett/archive/2015/05/30/operations-management-suite-log-search-how-to-part-viii-the-in-operator-and-subsearches.aspxThe core functionality is that you now can feed an inner query that uses measure into an outer query. This was also demoed at Ignite in this session http://channel9.msdn.com/Events/Ignite/2015/BRK3500
There is an additional proposal (continued scope) to allow persisting static ‘lists’ (of computer names, user names, whatever) as groups, to be fed to the IN operator, as opposed to full…
-
Allow Search Queries to be Saved as 'Favorites'
Favorites or bookmarks could replace the canned, hard-coded queries that are now present in the search page and in various Intelligence Pack's drill downs.
Users should also be able to save their own favorites in the Advisor account for easy/routine access.25 votesThis is live now on the production portal. Let us know what you think, and how you are using ‘saved searches’! Enjoy!
-
Display in Local Time
Have the option to display date/time value in local time instead of UTC/GMT.
46 votesSearch results now show in local time!
-
Ability to store Lookup Lists/Groups and use them in Query Language
While the IN operator and sub-searches partially enabled some level of 'grouping' - see this http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519234-filter-groups-of-computers-thru-subqueries-in-n it would also be useful to just store/persist a list (of computer names, user names, file names... whatever the fields of your data contain).
This can be useful for a series of scenarios, one example is for Security Solution to use query filters that are based on members of an Active Directory Group. It would be great if the query language support Active Directory Groups with users/computers to use as a filter.
Read the comment thread for more information.
36 votesRead this post to learn more about the computer groups functionality.
https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/ -
Measure command should allow to Group By more than one field
I've tried to create a dashboard that shows the average time taken for webservices by csuristem, but cannot group by another with the measure tab. I'd love to be able to measure and group by more than one field.
30 votesWe now allow you to group by up to 3 fields.
-
Integrate Search into OpsMgr Dashboards
Allow contextual search of logs driven by OpsMgr objects and display results in OpsMgr dashboards
12 votesAt TechED North America this year in our session on System Center Advisor we briefly showed a proof of concept on how to contextually drive System Center Advisor search using Operations Manager dashboards. We now have this integration ready for you all to use.
The sample dashboards and scripts used to highlight this integration are linked below:
Sample Advisor dashboard with event search : http://gallery.technet.microsoft.com/PSWB-Dashboards-to-84cc6cef
Sample simple performance search : http://gallery.technet.microsoft.com/PSWB-Script-to-run-a-d76ef411
Sample complex performance search : http://gallery.technet.microsoft.com/PSWB-Script-to-run-complex-718255da
Read more on the momteam blog http://blogs.technet.com/b/momteam/archive/2014/08/14/integrate-system-center-advisor-into-operations-manager-dashboards.aspx
-
Export Search Results to Excel or CSV for custom reporting and analysis of data
Allowing Excel export with the ability to perform most of the filtering and some pre-processing on Advisor side, and continue in Excel.
12 votesWe have enabled CSV export as a first iteration.
It’s live now: look for the EXPORT button at the bottom left of the search results page! Read the blog here http://blogs.technet.com/b/momteam/archive/2014/08/29/check-it-out-export-advisor-search-results-to-excel.aspx , use it, and let us know what you think!For the (more involved) scope with regards to a ‘true’ PowerBI integration, please look at/vote this new idea http://feedback.azure.com/forums/267889-azure-operations-insights/suggestions/6519374-integrate-with-powerbi-allow-to-query-and-refres
-
19 votes
This is solved with the “Advanced Analytics” experience that would become mainstream soon.
-
Columns in Search
Would be nice if you could select the columns you want to see in the search result window as well as being able to resize the column width and select number of rows to see.
15 votesSelecting columns is implemented with the command ‘Select’. It is designed to work like Select-Object cmdlet in powershell.
Example:
Type=Event | Select EventID,RenderedDescription
will yield results that only show the two selected fields. -
Keep a history of queries
Ability to undo e.g. the last 10 changes to the query so you don't have to write the query again, after having clicked on a item that automatically changes the query. Then it would be able to "go-back" in the query history.
9 votesThis is live now on the production portal.
Enjoy! -
Measure count() should return ALL distinct results, not just top 100
Note that today you have a partial workaround of using Max() function instead, to get the distinct list of values, but not the count of documents with each of those distinct values.
i.e. if you are after a list of machines
Type=Event | Measure count() by Computer
gives you the 100 computers with the most events, and a count of how many events per machineType=Event | Measure Max(EventLevelName) by Computer
gives you ALL computers and shows you the worst severity level across all events per each computer, but not the count of docs.8 votesMeasure count() now returns all the distinct values for the given field.
Note that for millions of records and many thousands of distinct values in a given field, this type of query might take a long time and time out, but should work for all the ‘reasonable’ scenarios.
- Don't see your idea?