How can we improve Azure Log Analytics ?

Filter groups of computers through subqueries (IN / NOT IN operators)

Would very much need some way to filter the queries to only SQL, Exchange, SharePoint, Lync, etc. servers. Maybe use SCOM groups somehow? Basically our SQL team would need an easy view to only see SQL servers and not have to enter each server name on the filter query. For example, show me: "SQL servers, disk size > 5 GB".

36 votes

Sami Koskivaara shared this idea · Admin response:

In OMS we wanted to re-define the idea of what a group is. Since groups are essentially lists of machines, we think the ability to do sub-queries is a key ingredient, i.e. "give me the list of machines that are SQL servers" is one 'inner' query, and then your outer query checks for data where the value of Computer is IN any of the values in the inner query results.

The basic functionality for this is implemented and enabled now.
Read more about it in the blog post http://blogs.msdn.com/b/dmuscett/archive/2015/05/30/operations-management-suite-log-search-how-to-part-viii-the-in-operator-and-subsearches.aspx

The core functionality is that you now can feed an inner query that uses measure into an outer query. This was also demoed at Ignite in this session http://channel9.msdn.com/Events/Ignite/2015/BRK3500

There is an additional proposal (continued scope) to allow persisting static ‘lists’ (of computer names, user names, whatever) as groups, to be fed to the IN operator, as opposed to full blown search queries. If you are interested, read and vote/follow the thread here http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/8617567-ability-to-store-lookup-lists-groups-and-use-them

A few example scenarios of how the current syntax can be used are below.

“Find all Events=1234 on the machines where also EventID:5678 was logged”:
Type:Event EventID=1234 Computer IN {Type:Event EventID=5678 | Measure Count() by Computer}

“Show all Updates needed by machines where automatic updates is disabled”:
Type=RequiredUpdate Computer IN {Type=UpdateAgent AutomaticUpdateEnabled!=Enabled | Measure count() by Computer } | Measure count() by KBID

"Show Avg Disk Space for Machines where SQL is installed":
Type=PerfHourly ObjectName="Logical Disk" CounterName="% Free Space" InstanceName="_Total" Computer IN {Type=SQLAssessmentRecommendation | Measure count() by Computer } TimeGenerated>NOW-8HOURS | Measure Avg(SampleValue) by Computer
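The legacy OMS search syntax above has since been replaced by the Kusto Query Language (KQL) that Azure Log Analytics uses today. As an added illustration (not part of the original thread or of the linked blog post), here are the first and third scenarios rewritten in KQL: a `let` statement binds the inner query, and the `in` operator filters the outer query on its single column. This assumes the standard `Event` and `Perf` tables and that the SQL Assessment solution populates a `SqlAssessmentRecommendation` table in the workspace; the two queries are separate and are meant to be run one at a time.

```kusto
// Scenario 1: EventID 1234 on machines that also logged EventID 5678.
// The inner query must return exactly one column for 'in' to accept it,
// hence 'distinct Computer' rather than a count.
let MachinesWith5678 = Event
    | where EventID == 5678
    | distinct Computer;
Event
| where EventID == 1234
| where Computer in (MachinesWith5678)
| summarize count() by Computer

// Scenario 3: average % free disk space over the last 8 hours on machines
// where SQL Server is installed (assumes the SQL Assessment solution is enabled).
// 'in' is case-sensitive; use 'in~' if computer names differ in case between tables.
let SqlServers = SqlAssessmentRecommendation
    | distinct Computer;
Perf
| where TimeGenerated > ago(8h)
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space" and InstanceName == "_Total"
| where Computer in~ (SqlServers)
| summarize avg(CounterValue) by Computer
```

The static-list proposal mentioned above maps to a `let` bound to a `dynamic` array (for example `let SqlServers = dynamic(["sql01", "sql02"]);`), which `in` accepts in the same position as a tabular expression.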

1 comment