Structure of Azure Monitor Logs
The ability to quickly gain insights into your data using a log query is a powerful feature of Azure Monitor. To create efficient and useful queries, you should understand some basic concepts such as where the data you want is located and how it's structured. This article provides the basic concepts you need to get started.
Data in Azure Monitor Logs is stored in either a Log Analytics workspace or an Application Insights application. Both are powered by Azure Data Explorer meaning that they leverage its powerful data engine and query language.
Data in both workspaces and applications is organized into tables, each of which stores different kinds of data and has its own unique set of properties. Most data sources will write to their own tables in a Log Analytics workspace, while Application Insights will write to a predefined set of tables in an Application Insights application. Log queries are very flexible allowing you to easily combine data from multiple tables and even use a cross-resource query to combine data from tables in multiple workspaces or to write queries that combine workspace and application data.
The following image shows examples of data sources that write to different tables that are used in sample queries.
Log Analytics workspace
All data collected by Azure Monitor Logs except for Application Insights is stored in a Log Analytics workspace. You can create one or more workspaces depending on your particular requirements. Data Sources such as Activity Logs and Diagnostic logs from Azure resources, agents on virtual machines, and data from insights and monitoring solutions will write data to one or more workspaces that you configure as part of their onboarding. Other services such as Azure Security Center and Azure Sentinel also use a Log Analytics workspace to store their data so it can be analyzed using log queries along with monitoring data from other sources.
Different kinds of data are stored in different tables in the workspace, and each table has a unique set of properties. A standard set of tables are added to a workspace when it's created, and new tables are added for different data sources, solutions, and services as they're onboarded. You can also create custom tables using the Data Collector API.
You can browse the tables in a workspace and their schema in the Schema tab in Log Analytics for the workspace.
Use the following query to list the tables in the workspace and the number of records collected into each over the previous day.
union withsource = table * | where TimeGenerated > ago(1d) | summarize count() by table | sort by table asc
See Designing an Azure Monitor Logs deployment to understand the access control strategy and recommendations to provide access to data in a workspace. In addition to granting access to the workspace itself, you can limit access to individual tables using Table Level RBAC.
Application Insights application
When you create an application in Application Insights, a corresponding application is automatically created in Azure Monitor Logs. No configuration is required to collect data, and the application will automatically write monitoring data such as page views, requests, and exceptions.
Unlike a Log Analytics workspace, an Application Insights application has a fixed set of tables. You can't configure other data sources to write to the application so no additional tables can be created.
|availabilityResults||Summary data from availability tests.|
|browserTimings||Data about client performance, such as the time taken to process the incoming data.|
|customEvents||Custom events created by your application.|
|customMetrics||Custom metrics created by your application.|
|dependencies||Calls from the application to external components.|
|exceptions||Exceptions thrown by the application runtime.|
|pageViews||Data about each website view with browser information.|
|performanceCounters||Performance measurements from the compute resources supporting the application.|
|requests||Details of each application request.|
|traces||Results from distributed tracing.|
You can view the schema for each table in the Schema tab in Log Analytics for the application.
While each table in Azure Monitor Logs has its own schema, there are standard properties shared by all tables. See Standard properties in Azure Monitor Logs for details of each.
|Log Analytics workspace||Application Insights application||Description|
|TimeGenerated||timestamp||Date and time the record was created.|
|Type||itemType||Name of the table the record was retrieved from.|
|_ResourceId||Unique identifier for the resource the record is associated with.|
|_IsBillable||Specifies whether ingested data is billable.|
|_BilledSize||Specifies the size in bytes of data that will be billed.|