How can we improve Azure Log Analytics ?

Unify/standardize 'computer' field across Intelligence Pack data

Today it is not possible to ask in a single query how much data (across ALL types) belongs to a given computer, because each Intelligence Pack and the 'Type' it collects don't have a standardized field to tell the 'computer', and the syntax for 'measure' command currently only allows to group by a single field. Hence you can only query this one 'Type' at the time.

i.e. some examples of how different 'Types' have different property name to express 'computer':

* | Measure count() by Computer
* | Measure count() by DeviceName
* | Measure count() by ObjectDisplayName
* | Measure count() by Server
* | Measure count() by RootObjectName

or more explicitly, by Type:

Type:Event | Measure count() by Computer
Type:UpdateAgent | Measure count() by Server
Type:RequiredUpdate | Measure count() by Server
Type:ProtectionStatus | Measure count() by DeviceName
Type:PerfHourly | Measure count() by ObjectDisplayName

3 votes
Vote
Sign in
(thinking…)
Sign in with: Microsoft
Signed in as (Sign out)
You have left! (?) (thinking…)
Daniele Muscetta (Operational Insights, Program Manager) shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

This change was implemented in production last week around this time.

ALL NEW data since then (so the last 7 days) should now have a ‘Computer’ field. All the previous field names are still available so all your existing queries will still work (and you’ll need to use the old field names to query the OLD data as we cannot back-fill the past), but for a smoother learning of the query language going forward, we encourage the use of the new unified field name and all our examples and guidance and drill-down queries throughout the UI will be gradually be updated to adopt the new format/shape of the data.

When we’ll get to support subqueries in the future – this idea https://systemcenteradvisor.uservoice.com/forums/248023-feedback/suggestions/6109296-allow-subqueries-in-the-search-language – it will make it much easier to express something like a ‘dynamic group’ (SCOM analogy for lack of a better term) in the query language.

0 comments

Sign in
(thinking…)
Sign in with: Microsoft
Signed in as (Sign out)
Submitting...

Feedback and Knowledge Base