Using Kusto Queries
- In this session we will understand how to use KQL
- Counting rows
TableName | count
* Order results
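// Filter first, then sort, so only the matching rows are ordered
InsightsMetrics
| where Name contains "FreeSpace"
| sort by TimeGenerated desc
| take 10
// top sorts and limits in a single operator
InsightsMetrics
| where Name contains "FreeSpace"
| top 5 by TimeGenerated desc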
- Compute derived columns
- Display a chart or table
- Joining Different records
VMComputer
| where Computer == "qtbusinessserve"
| distinct Computer, PhysicalMemoryMB
| join kind=inner (
InsightsMetrics
| where Namespace == "Memory" and Name == "AvailableMB"
| project TimeGenerated, Computer, AvailableMemoryMB = Val
) on Computer
| project TimeGenerated, Computer, PercentageMemory = AvailableMemoryMB/PhysicalMemoryMB * 100
| render timechart
* Exercise: Try to create a time series chart which projects ReadBytesPerSecond and WriteBytesPerSecond with a bin = 2 hours
- Parse Operator: Evaluates a string expression and parses the values into one or more calculated columns
T | parse Message with "
- For parsing text Record Refer Here
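The parse operator described above, shown in simple mode as an added example that is not part of the original session notes. The sshd-style rows in the datatable are constructed, and the column names Outcome, User, SourceIp, SourcePort and Protocol are assumptions chosen for illustration.

```kusto
// Constructed sample rows; in a workspace these would come from a custom log table.
let SampleLogs = datatable(TimeGenerated: datetime, Message: string)
[
    datetime(2024-01-10 08:01:12), "Failed password for admin from 203.0.113.5 port 50122 ssh2",
    datetime(2024-01-10 08:01:15), "Failed password for root from 203.0.113.5 port 50124 ssh2",
    datetime(2024-01-10 08:03:40), "Accepted password for deploy from 198.51.100.7 port 41800 ssh2",
    datetime(2024-01-10 09:12:02), "Failed password for admin from 203.0.113.5 port 50310 ssh2",
    datetime(2024-01-10 09:15:27), "Connection closed by 198.51.100.7 port 41800"
];
SampleLogs
// Simple mode: quoted literals act as delimiters, named tokens become typed columns.
| parse Message with Outcome:string " password for " User:string " from " SourceIp:string " port " SourcePort:int " " Protocol:string
// Rows that do not match the pattern (the "Connection closed" line) get empty columns; drop them.
| where isnotempty(Outcome)
// Count attempts per source address and outcome in one-hour bins.
| summarize Attempts = count(), Users = make_set(User) by SourceIp, Outcome, bin(TimeGenerated, 1h)
| order by TimeGenerated asc, Attempts desc
```

Because the input is a datatable, the query runs in any Log Analytics workspace without depending on an existing table.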
- Creating alerts from custom log queries
InsightsMetrics
| where Name == "FreeSpaceMB"
| extend FreeSpaceGb = Val/1000
| summarize AggregatedValue=avg(FreeSpaceGb) by bin(TimeGenerated, 1h)
* Activity Logs exist at individual resources, resource groups and subscriptions as well, and they help in auditing the subscription for changes