Log Analytics

Welcome to the "Azure Log Analytics ":https://azure.microsoft.com/en-us/services/log-analytics/ Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS

How can we improve Azure Log Analytics ?

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Show Contextual data such as CPU and RAM for servers

    When I click over a list that shows servers and select a given server from the list it would be nice to get a quick overview of the system. Such as OS SKU, CPU, RAM, Disk Free and so on.

    126 votes
    Vote
    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →

      We have not forgotten about this but this is a multi-faceted feedback that expresses a desire (show me/let me pivot to contextual data), but besides the graphical interaction we need to bring the right capabilities and the right data types to the platform first.

      A first step in this direction is the common ‘Computer’ field – http://feedback.azure.com/forums/267889-azure-operations-insights/suggestions/6519266-unify-standardize-computer-field-across-intellig
      that allows you to pivot from one data type to another, and to join different data types thru sub-searches http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519234-filter-groups-of-computers-thru-subqueries-in-n
      (which anyhow are generic and work with other fields too)

      We are starting to discuss what a UX for ‘context’ could look like, but we are not finished with bringing in new data types to make that really compelling :-)

      One example of such ‘context’ is in the form of tracking configuration changes – http://feedback.azure.com/forums/267889-azure-operations-insights/suggestions/6519185-need-configuration-change-tracking-solution-softw so you can move from a troubleshooting scenario (capacity or events) to a ‘context’ of what has changed…

    • 19 votes
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        Signed in as (Sign out)
        You have left! (?) (thinking…)
        0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
      • Add a keyboard shortcut to comment / uncomment the current line in the query editor (like CTRL+K in VS)

        There already is a shortcut that allows to run the query (Shift+Enter), which is great.
        A shortcut to toggle wheter the current line is a comment or not (by adding / removing "//" at the beginning of the line) would be great and save a lot of time while editing queries / functions.

        Similar to the shortcut VS or any other IDE: https://blogs.msdn.microsoft.com/zainnab/2010/04/13/comment-and-uncomment-code/

        13 votes
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          Signed in as (Sign out)
          You have left! (?) (thinking…)
          0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
        • Support conversion and formatting functions in the search language

          There should be option in the search language to convert metrics. For example If I want to convert Bytes to Gigabytes that should be possible in the search language. Other examples are in converting time to specific format (shorter time format, adding timezone and etc.)

          12 votes
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            Signed in as (Sign out)
            You have left! (?) (thinking…)
            8 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
          • Allow to search for 'parts' of a datetime field

            real world scenario: I need to analyze my alerts distribution by time windows (i.e. how many of them overnight vs during the day) and based on week day (how many on Sunday, Monday, ...)
            I think this scenario can be applied to every data source you have. To do that we need to be able to query on parts of the datetime fields.

            11 votes
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              Signed in as (Sign out)
              You have left! (?) (thinking…)
              0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →

              I have this capability on my query language improvement backlog already. I would like to allow folks to search via local time (instead of ISO UTC time) and use keywords like Sunday, 6PM, etc.

              This is currently behind JOIN, Regex, DEDUP, and search time custom field extraction.

            • Save Time frame Scope

              Save time scope along with query, so we don't have to adjust in the GUI each time we click on a saved query. This should also apply to dashboard elements, so we don't end up with "half" graphs when you have limited TimeGenerated.

              11 votes
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                Signed in as (Sign out)
                You have left! (?) (thinking…)
                0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
              • Import groupings from SCOM

                Import already existing server groupings from SCOM for access in the Log Analytics or the pre-built assessments

                11 votes
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)
                  1 comment  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
                • 'render timechart' should support logarithmic y-scale

                  Currently I need to manually exclude one series that has especially high values from my timechart. It means that the automatic scale has a very high max which means that the other series are not easily viewable.

                  I'd like a parameter to 'render timechart' that lets me specify a log y scale, it will help all series to be visible.

                  It's a fairly common feature in data visualization generally.

                  I actually want this for Application Insights Analytics (https://feedback.azure.com/forums/357324-application-insights/suggestions/14110047-add-logarithmic-scale-to-charts). I'm not sure the right place for these requests now that there is standard Log Analytics Query Language.

                  10 votes
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                    0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
                  • Allow us to filter deduped data set (* | dedup * | where ??)

                    Ok now with dedup we can almost achieve the "last data point by Computer" scenario, but we cannot use where after dedup as in: Type:Heartbeat | dedup Computer | where TimeGenerated < NOW-10MINUTE
                    Just add the ability to use "| where" to process the deduped data set.

                    10 votes
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                      3 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
                    • Increase number of distinct results for measure command (limit 100)

                      Today measure command only support 100 distinct results. It´s a risk that alerts created with measure command don´t give correct results because of this limit. Now the first top 100 results is sent to measure.

                      From documentation:

                      Second, Measure count currently returns only the top 100 distinct results. This limit does not apply to the other statistical functions. So, you'll usually need to use a more precise filter first to search for specific items before you apply measure count().

                      https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-log-searches#use-the-measure-command

                      9 votes
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)
                        0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
                      • Minify on W3CIISLog

                        Minify works great for logs. Specifically we would like to get REST endpoints our of the csUriStem

                        8 votes
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)
                          planned  ·  1 comment  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
                        • Add "render" option for query language

                          Can we please have an option to display search results into different types of graphics? Similar to Kusto (or Application Insights Analytics) which has an option to render the search results into different graphics.
                          For example:
                          requests
                          | where timestamp >= ago(24h)
                          | summarize requestCount=count() by client_CountryOrRegion
                          | order by requestCount desc
                          | render piechart

                          6 votes
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)
                            0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
                          • Ability for Searchs to Have Titles

                            When I click on the "Locked-out Accounts" view from the Security IP, I am brought to the search section. There is no way on this page to tell what I am looking at without analysing the search. In the search bar it shows "EventID=4740" but who in their right mind has every event id memorized. There should be a title that shows I clicked on "Locked-out Accounts".

                            6 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                              0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →

                              Thanks for the feedback.

                              This is similar to the behavior the mobile app has for ‘saved searches’ – they do show the title there.

                              Coded drill-downs today don’t carry a title across pages, and changing this has an overall impact on the breadcrumb code, most likely – see this other idea http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519263-moving-across-pages-needs-to-be-seamless-clickable

                              Keep in mind that the default drill down pages are meant as a convenience: once you identified a search you care about, you can SAVE it to your Saved Searches, and pin it on your own dashboard – those tiles in dashboards have a title (=the name of the saved search).

                            • Improve Log Search UI and and Results

                              I would like to see the following:
                              - Larger query input field
                              - Tabs
                              - Table result column filtering
                              - Table rows expand to show full results
                              - Table scrolls horizontally so that you can actually read the data when there area lot of columns
                              - More "Last" time slices (Last 15 min, Last 30 min, Last 1 hour, etc...)
                              - Column selection mechanism in UI (drop down with checkboxes instead of having to | select x, y, z)

                              Analytics for App Insights has all of these features, and I constantly find myself wishing Log Search had them

                              6 votes
                              Vote
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                Signed in as (Sign out)
                                You have left! (?) (thinking…)
                                0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
                              • Query auto correction

                                auto correction when typing a query.
                                e.g. "Type:SecurityEVent" (wrong capital 'V') will be auto corrected to "Type:SecurityEvent"

                                6 votes
                                Vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  Signed in as (Sign out)
                                  You have left! (?) (thinking…)
                                  0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
                                • Portal site Localization

                                  Now, OMS portal site is not localized to other languages.

                                  such as assessment intelligent pack, it has useful information, but many customer (in Japan) cannot understand English information...

                                  Please localize portal site to famous language.

                                  6 votes
                                  Vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    Signed in as (Sign out)
                                    You have left! (?) (thinking…)
                                    1 comment  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
                                  • Create your own custom time ranges (i.e. last 26 hours)

                                    Create a personalized standard date / time filter:
                                    i.e. last 26 hours: 24 hours + 2 hours in which you can perform your daily checks, making sure you never miss out any log info while not having to manually customize every check

                                    Context:
                                    I perform daily checks in the first two hours of my working day: now I have to manually set the search window to make sure I don't miss out any data. (like today I checked 9AM, but yesterday 8AM, with 24 search i'll miss one hour)

                                    6 votes
                                    Vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      Signed in as (Sign out)
                                      You have left! (?) (thinking…)
                                      0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
                                    • Date facet and TimeGenerated in query are inconsistent - can we override or disable Date facet

                                      The Date facet in the log query screen seems to apply inconsistently - if I specificy the timeframe I want to query it may or may not override my query and use it's set default range
                                      e.g. I use TimeGenerated>NOW-30DAYS in my query, but as I have NOT adjusted the Date facet it restricts my results to the "Data based on the last 1 day" - which is what the Date facet is set to by default for each new query
                                      It would be good if Date filter could be turned off for queries

                                      6 votes
                                      Vote
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        Signed in as (Sign out)
                                        You have left! (?) (thinking…)
                                        0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
                                      • Allow me to choose the 'width' of each time bar in 'results over time' facet / time control

                                        Now it automatically adjusts - i.e. when looking at 7 days, each bar becomes 6 hours. It would be nice to decide what interval to choose.
                                        6 hours is an odd interval. If I am looking at 7 days I would rather see how many of those results are there each day/24 hrs intervals/buckets.
                                        If I am querying 1 or 2 days, I probably want to see a hourly breakdown.

                                        The idea is to offer a drop down to allow selecting specific aggregation intervals.

                                        5 votes
                                        Vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          Signed in as (Sign out)
                                          You have left! (?) (thinking…)
                                          0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →

                                          Hi,

                                          Thanks for offering this feature. Currently the plan is to upgrade the portal with many new features, the timeline is being re-designed as part of it.
                                          Until that, I can only recommend you to use the query to generate charts that describe this in the manner that fits your data best.

                                          We’ve recently upgraded the query language. Here’s an example of the new syntax, using 3-hour bins over the last two days of events:
                                          Event
                                          | where TimeGenerated > now(-2d)
                                          | summarize count() by bin(TimeGenerated, 3h)
                                          | render timechart

                                          Regards,
                                          Noa

                                        • custom field based on regex

                                          sorry if this has been asked I searched but could not find anything similar.

                                          would love to be able to create a custom field based on a regex. Like I have csUsername as a field but I want to know the domain of the users not the email address, the stuff after the @ is this possible or are you working on it.

                                          love oms so far,I hopefully I didn't miss something

                                          ps this doesn't need to be a regex could be things like split,trim,end, lastindexof, etc..

                                          4 votes
                                          Vote
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            Signed in as (Sign out)
                                            You have left! (?) (thinking…)
                                            0 comments  ·  Search UI and Language  ·  Flag idea as inappropriate…  ·  Admin →
                                          ← Previous 1 3
                                          • Don't see your idea?

                                          Feedback and Knowledge Base