Log Analytics

Welcome to the Azure Log Analytics (https://azure.microsoft.com/en-us/services/log-analytics/) Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS

How can we improve Azure Log Analytics?

  1. Fix Windows2016 baseline detection

    I stumbled on an error in the detection. For example:

    OSName,RuleSetting,ExpectedResult,ActualResult
    Windows Server 2016 Datacenter,"Privilege Rights : SeTrustedCredManAccessPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeTcbPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeCreateTokenPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeCreatePermanentPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeLockMemoryPrivilege",0,"No One"
    Windows Server 2016 Datacenter,"Privilege Rights : SeRelabelPrivilege",0,"No One"

    These user rights should, according to the baseline, not have a user or group assigned, but detection expects 0 instead of "No One".

    Or do I need to make a support call for this?

    3 votes
    1 comment  ·  Security and Audit Solution
    • OMS Gateway as a PaaS offering

      Will there be an OMS Gateway as a PaaS offering instead of me setting up my own infra, to further reduce my CAPEX?

      OMS Gateway PaaS should
      - Include load balancing features
      - Abstract the need of the OMS firewall requirement when working with Firewall
      - Only allow secure OMS data to pass through the gateway for security control and compliance needed

      1 vote
      0 comments  ·  OMS Gateway
      • Bring Network Performance Monitor into Service Map

        For example, in a 3-tier deployment of a web service (IIS front end, middle tier job processing and SQL backend), I would like to see the results of network performance monitoring in the Service Map solution. This could be very useful when troubleshooting slowness to the SQL server, but using Service Map to visualize the 3 tiers as a group.

        3 votes
        1 comment  ·  Service Map
        • Adding Computer name field to the Alert Management Solution

          I need to group my alerts by tenant.
          The tenant id is embedded in the computer name of all of my machines.
          Unfortunately the machine name is not its own specific field in the Alert Management Solution, just like it is not its own field in SCOM, which is very disappointing because this is just carrying over a pet peeve I had with SCOM to OMS.

          Please add the Computer field to the Alert Management Solution... I'm sure I'm not the only one who needs this... it's monitoring 101, you need to be able to tell what machine is…

          1 vote
          0 comments  ·  Alert Management Solution
          • Parameterized saved searches

            Currently, we are able to create parameterized functions by using the 'let' command.

            Example:

            let f=(a:int, b:string) { strcat(b, ":", a) }

            This sounds great in concept... until you find out that this only works if you type your entire function at the beginning of each query because these functions aren't 'stored' and you can't save the function as a saved search because then the search engine starts complaining when there is no output...

            So, saved searches behave right now as SQL views. Even though there is a "function" concept it doesn't seem like we can create parameterized functions at…

            1 vote
            0 comments
            • Nested Saved Searches

              I have 2 saved searches, one inside the other.

              Currently the one at the top level does not work because when trying to run the nested saved search it comes back with "Failed to resolve entity [saved search name]"

              This should totally be a thing... we should be able to create nested saved searches as it improves modularity and there is a huge pay off in the long run for having this.

              Saved search 1:
              Alias: Last24hUsage
              Query: Usage| where QuantityUnit == "MBytes" and IsBillable == "true" and TimeGenerated > ago(24h)| summarize DataVolume = sum(Quantity) by TimeGenerated,bin(TimeGenerated,1h)| sort by TimeGenerated…

              1 vote
              0 comments
              • [Bug] - ARM sharedKeys is not a valid resource type for API Version 2015-11-01-preview

                Unable to use REST according to the documentation https://docs.microsoft.com/en-us/rest/api/loganalytics/workspaces/getsharedkeys for API Version 2015-11-01-preview to obtain primarySharedKey and secondarySharedKey values.

                Please advise. Thank you.

                3 votes
                0 comments  ·  Azure Resource Management
                • [Bug] - ARM dataSources Properties

                  Any chance to release the Microsoft.OperationalInsights/workspaces/datasources schema properties for the following kinds?

                  - ChangeTrackingPath
                  - ChangeTrackingDefaultPath
                  - ChangeTrackingDefaultRegistry
                  - ChangeTrackingCustomRegistry
                  - CustomLog
                  - CustomLogCollection
                  - GenericDataSource

                  I have tried the following and get a Bad Request response back.
                  {
                    "apiVersion": "2015-11-01-preview",
                    "type": "datasources",
                    "name": "WindowsChangeTrackingRegistry-CopyHookHandlers",
                    "dependsOn": [
                      "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
                    ],
                    "kind": "ChangeTrackingDefaultRegistry",
                    "properties": {
                      "enabled": true,
                      "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers",
                      "recurse": true
                    }
                  }

                  3 votes
                  0 comments  ·  Azure Resource Management
                  • SNMP

                    We need to have a way to send SNMP data for network devices (SNMP get or SNMP traps) to OMS directly from gateway servers instead of implementing a UNIX machine in the middle. This will help us a lot in measuring availability and performance of our network devices as well as defining some security baselines for monitoring. We should not have to depend on UNIX to do this!!

                    3 votes
                    • Alert Exception

                      Ability to create exceptions for some raised alerts.

                      Ex. some antivirus components are not enabled because some applications need it to be configured like that, such as real time protection.
                      Every day we have an alert referring to that. We would like to create an exception for that query and that server (these alerts are displayed in the Security and Update Management solutions).

                      3 votes
                      0 comments
                      • baseline exceptions or custom baselines

                        I would like the possibility to add additional baseline checks and override the default baseline checks.

                        For example, I have additional groups in my denylogon user right assignments, which now result in a "failed" check.

                        26 votes
                        2 comments  ·  Security and Audit Solution
                        • Can we add a new column "ACS (Azure Container Service) Cluster name" in the Container Monitoring solution's table

                          In the table "Type=ContainerInventory ContainerState=Failed | measure Count(ContainerState) by Computer, Image", it is very difficult to identify which node belongs to which cluster. I would appreciate it if we could get an ACS cluster name column in this table.

                          1 vote
                          0 comments  ·  Azure Resource Management
                          • Service Group for Group of Computer Groups

                            I'm glad the Computer Group addition was added, but if the grouping can be taken a step further and show a high-level view with connections between defined computer groups that contain computers that are communicating. Then clicking a group within this view would take you to your computer group for drill-down details. But the relationship between groups would be beneficial to see.

                            3 votes
                            0 comments  ·  Service Map
                            • OMS integration with the Jakarta version of ServiceNow

                              We would like to integrate OMS with the Jakarta version of ServiceNow

                              1 vote
                              0 comments
                              • ceiling

                                You have round() and floor(), why not ceiling()?

                                1 vote
                                0 comments  ·  Search UI and Language
                                • Alert

                                  In most cases when you are looking at the Alert Management Solution you do not care about the instances of an alert - especially if you have been notified by runbook/webhook/email.

                                  I'd wager that most people care about the data in the search query that caused that alert and the data it returned. Having to copy and paste the LinkToSearchResults is quite time consuming. The UX on this should be improved to allow jumping directly to the search results that caused the alert, would save time on training too!

                                  9 votes
                                  1 comment  ·  Alert Management Solution
                                  • Please provide option to directly map blob storage for custom logs

                                    Please provide an option to directly map blob storage (for custom logs) in Log Analytics. The limitation now is that custom log files saved in a blob storage location (using log4net) cannot be mapped directly in Log Analytics. Also, the concept of installing an agent is not required in this context.

                                    For any Azure web site with custom logs stored in Azure blob storage (format like .txt), it should be possible to map directly to Log Analytics and get the data in OMS. Here no VM exists, hence please provide an easy option for this requirement.
                                    Thanks

                                    2 votes
                                    0 comments  ·  OMS Gateway
                                    • Region category for service health alerts

                                      I would like to filter service health alerts based on the region of the alert. Is this possible currently? Or something you will add to the solution shortly?

                                      3 votes
                                      0 comments
                                      • tempdb page allocation contention text is misleading

                                        I think the content of the issue "Configure the tempdb database to reduce page allocation contention." is misleading.

                                        It states "SQL Server is experiencing contention when it tries to allocate pages. This can have a substantial impact on performance."

                                        How are we collecting this information? From performance statistics or from the state of the trace flags?

                                        This issue is showing on a totally idle server that I just added to OMS so I think it is from the trace flag status. If this is the case then the statement that "SQL Server is experiencing contention when it tries to allocate…

                                        3 votes
                                        0 comments  ·  OMS Gateway
                                        • search history should not include every query with invalid syntax

                                          Currently I am new to the query language and many queries have syntax errors. The history of these invalid queries is filling my history and makes it useless and confusing.

                                          Ideas:
                                          - Invalid queries should not be added to the history.
                                          Pro: This would keep the history clean.
                                          Con: It would prevent organic query growth, as I want to reuse/re-edit the same code as my query develops.

                                          - Can we have the query history filterable so that invalid syntax queries can be hidden from the list?
                                          Pro: This would let me reference and reuse queries that I am actively…

                                          3 votes
                                          0 comments  ·  OMS Gateway