Log Analytics

Welcome to the Azure Log Analytics (https://azure.microsoft.com/en-us/services/log-analytics/) Feedback page. We appreciate your feedback and look forward to hearing from you. Use this site for new ideas and bug reports or to request help.
NOTE – Log Analytics is now a part of Operations Management Suite. Learn more at http://microsoft.com/OMS

How can we improve Azure Log Analytics?

  1. Skip operator for Query Search

    The old version of Log Analytics has a 'Skip' operator.
    But the new version of Log Analytics Query does not have a 'Skip' operator.

    I want this feature.
    When we run a query via the REST API, because of the limitations of the Log Analytics API, we cannot download all logs at one time.
    So we must execute the API again and again.

    If there is a 'skip' operator, I can use 'skip' and 'limit' to repeat.
    Now, because there is no 'skip' operator, I don't get logs from Log Analytics via the REST API.

    3 votes
    under review  ·  0 comments  ·  Search UI and Language
    • Two successive configuration applications from OMS Settings failed

      When I used log search, I found an error message about the Linux Agent for DSC.

      - Error Message
      Two successive configuration applications from OMS Settings failed – please report issue to github.com/Microsoft/PowerShell-DSC-for-Linux/issues

      I found that this issue is discussed here:
      https://github.com/Microsoft/PowerShell-DSC-for-Linux/issues/258

      But the date of the fix is unknown.
      The error is very noisy when collecting logs from the Linux Agent.
      So I want to know the date of the fix as soon as possible.
      I want to decrease this error.

      3 votes
      • Custom Log feature for log rotate

        Currently, Log Analytics cannot collect a custom log whose file is rotated by log rotation.
        But log rotation is necessary for collecting logs on the OS.
        So, as a mitigation, we are unable to turn off log rotation.
        So I request a new Custom Log feature for collecting rotated log files.

        36 votes
        under review  ·  0 comments
        • Allow use of Windows Analytics solutions without credit card information

          Our organization is only able to use Purchase Orders and would like to use the free Windows Analytics solutions.

          3 votes
          under review  ·  0 comments
          • Populate ComputerIP field with agent manager Computer IP address

            ComputerIP is populated with the IP address from which Azure Log Analytics is receiving data. For nodes behind a firewall/proxy or OMS Gateway, this means having the external IP address of the proxy.
            ComputerIP must contain the IP information collected by the Agent on the computer hosting it to enable Compliance and Security scenarios on the console.
            RemoteIPAddress could be added as the external IP address for proxy-based agents, or would contain the same address as ComputerIP for agents not behind a proxy/firewall/Gateway.
            This has a serious impact on compliance in the actual implementation.

            93 votes
            • folder change tracking for windows

              Folder change tracking for Windows: rather than having to enter individual files to track in OMS, being able to enter the content of whole folders in Windows to track would be great.

              3 votes
              0 comments
              • import data

                It would be good to have a way to automatically import Azure tables into Log Analytics. Currently the only way is to call Log Analytics and afterwards call Azure tables to have a data replica. Another possibility would be to export data from Log Analytics into Azure tables. Currently Log Analytics is kind of a black box, since the only way to pull or push data is through the API.

                3 votes
                • Analyse logs from App Service in the OMS portal

                  Hello,

                  I would like to analyse logs from an App Service in the OMS portal. Right now it's possible to save those logs in a storage account, but this one can't be linked to Log Analytics for an analysis in the OMS portal.

                  12 votes
                  1 comment  ·  OMS Gateway
                  • Alerting TimeWindow limitation of 24-Hours makes Alerting useless. Should really match the retention for LogAnalytics!

                    Alerting TimeWindow limitation of 24-Hours makes Alerting useless. Should really match the retention for LogAnalytics!

                    Is there a way to get around some major limitations when creating Alerts? The biggest problem is the Time Window restriction. This restricts us from searching in data older than 24 hours when creating an alert. I expect a record for a custom MessageType to arrive once a week; I am not able to create an Alert if this message does not appear as expected.
                    The retention days for OMS Log Analytics is minimum 31 days according to this article: https://blogs.msdn.microsoft.com/…/change-oms-log-analytic…/
                    Why do we then…

                    29 votes
                    under review  ·  3 comments  ·  Alert Management Solution
                    • UI Confirmation For Initial Scan

                      Provide feedback for when the 'baseline state' is captured so that we know when we can start monitoring for changes to the system.

                      I plan on using this tool to diagnose why installing software on a Linux VM renders it useless upon next boot. Therefore I want to know when the baseline has been established before I start the installation process.

                      1 vote
                      0 comments  ·  Change Tracking Solution
                      • User specified delimiter for custom logs

                        Request to introduce a user-defined delimiter for Custom Logs.

                        We run into issues where we're unable to delimit the RabbitMQ log timestamp format
                        dd-MMM-yyyy::HH:mm:ss
                        Unfortunately, there is no configuration for us to change that timestamp format in RabbitMQ, and we have to implement a heavy workaround to convert it to a date-time format supported by Microsoft and then forward it to OMS.

                        25 votes
                        • Parameterized saved searches

                          Currently, we are able to create parameterized functions by using the 'let' command.

                          Example:

                          let f=(a:int, b:string) { strcat(b, ":", a) }

                          This sounds great in concept... until you find out that this only works if you type your entire function at the beginning of each query because these functions aren't 'stored' and you can't save the function as a saved search because then the search engine starts complaining when there is no output...

                          So, saved searches behave right now as SQL views. Even though there is a "function" concept it doesn't seem like we can create parameterized functions at…

                          2 votes
                          0 comments
                          • Alert

                            In most cases when you are looking at the Alert Management Solution you do not care about the instances of an alert - especially if you have been notified by runbook/webhook/email.

                            I'd wager that most people care about the data in the search query that caused that alert and the data it returned. Having to copy and paste the LinkToSearchResults is quite time consuming. The UX on this should be improved to allow jumping directly to the search results that caused the alert, would save time on training too!

                            18 votes
                            under review  ·  3 comments  ·  Alert Management Solution
                            • Allow variables from saved search in email subject

                              It would be helpful if you could dynamically add the variables (from saved searches - such as computername) to the subject line of email alerts.

                              The reasoning behind this is in our ticketing system we want the computer name to be immediately visible for an OMS generated alert. We are currently hardcoding the searches per computer however with the amount of servers we manage we are hitting the saved search limit of 250.

                              15 votes
                              0 comments  ·  Alert Management Solution
                              • Need ability to exclude time frame for alerts

                                We would like the ability to exclude time frames from alert management as there could be system downtimes due to maintenance that are throwing alerts that are false positive. Either allow the ability to exclude date/time ranges or globally disable alerts when doing system maintenance and planned downtime

                                9 votes
                                1 comment  ·  Alert Management Solution

                                  Big thanks to @Stefan – you can filter for a specific time period using the new query language of Log Analytics, which in turn can be used in OMS Alerts to skip over specific times.

                                  Regarding the ask for making global maintenance windows in Azure – we are working on the same and we’ll intimate you soon when we are ready with the functionality. Thanks again for your idea and feedback for Azure.

                                • Add kubernetes specific information to container logs

                                  When running the agent on a Kubernetes cluster, it would be very useful to add kubernetes specific information to the log lines. For example:

                                  - namespace
                                  - pod name
                                  - tags

                                  3 votes
                                  • 6 hours SLA on indexing custom log data is a very long time to alert on

                                    According to this article https://azure.microsoft.com/en-us/support/legal/sla/log-analytics/v1_1/ SLA on indexing log data might take up to 6 hours. OMS has built-in alerting that allows you to trigger actions within 5 minutes of data arrival. But if indexing takes more than 5 minutes - then what's the point of creating an alert that might trigger on something that is no longer a problem, or not trigger at all if there is a real problem? What is the average data indexing time? Log Analytics would be much more useful and have many more applications in the real world if that indexing time is much lower. 6…

                                    219 votes
                                    • 51 votes
                                      4 comments  ·  Change Tracking Solution
                                      • Is Service Map available to Premium customers?

                                        Is Service Map available to Premium customers? If not, can it be?

                                        3 votes
                                        0 comments  ·  Service Map
                                        • Apply filters to what's being shown in service map

                                          Allow us to apply filters to hide certain processes like SCOM for example that might be common to all servers.

                                          I added a domain controller for example and it regularly refuses to show the map because of too many entries. If I could filter out say DNS it might be able to render.

                                          15 votes
                                          1 comment  ·  Service Map

                                            We are working on designs for ways to filter which processes and connections are shown. In addition, yesterday we checked in a feature that should enable you to show a map for domain controllers. First, we are now grouping connections to machines without an agent by port. This provides a more useful view where you can see all the connections to a given port, and it simplifies the map as we don’t draw a node for each individual back-end connection.
