Creating charts and diagrams from Azure Monitor log queries
You should complete Advanced aggregations in Azure Monitor log queries before completing this lesson.
You can work through this exercise in your own Log Analytics environment, or you can use our Demo environment, which includes plenty of sample data.
This article describes various visualizations in Azure Monitor to display your log data in different ways.
Charting the results
Start by reviewing how many computers there are per operating system, during the past hour:
Heartbeat
| where TimeGenerated > ago(1h)
// dcount: distinct computers, not heartbeat rows
| summarize dcount(Computer) by OSType
By default, results display as a table:
To get a better view, select Chart, and choose the Pie option to visualize the results:
Show the average, 50th and 95th percentiles of processor time in bins of 1 hour. The query generates multiple series and you can then select which series to show in the time chart:
Perf
| where TimeGenerated > ago(1d)
| where CounterName == "% Processor Time"
| summarize avg(CounterValue), percentiles(CounterValue, 50, 95) by bin(TimeGenerated, 1h)
Select the Line chart display option:
A reference line can help you easily identify whether the metric exceeded a specific threshold. To add a line to a chart, extend the dataset with a constant column:
Perf
| where TimeGenerated > ago(1d)
| where CounterName == "% Processor Time"
| summarize avg(CounterValue), percentiles(CounterValue, 50, 95) by bin(TimeGenerated, 1h)
| extend Threshold = 20
Multiple expressions in the by clause of summarize create multiple rows in the results, one for each combination of values.
SecurityEvent
| where TimeGenerated > ago(1d)
| summarize count() by tostring(EventID), AccountType, bin(TimeGenerated, 1h)
When you view the results as a chart, it uses the first column from the by clause. The following example shows a stacked column chart using the EventID. Dimensions must be of string type, so in this example the EventID is being cast to string.
You can switch between the columns by selecting the dropdown with the column name.
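Added example (not part of the original article): the reference-line technique applied to SecurityEvent-shaped data, charting failed and successful logons per hour for user accounts against a threshold. The sample rows, the names SampleEvents and FailedLogonThreshold, and the threshold value are constructed for illustration; event IDs 4624 and 4625 are the Windows successful and failed logon events.

```kusto
// Constructed sample rows shaped like the SecurityEvent table (not real data).
// To run against a workspace, replace SampleEvents below with:
//   SecurityEvent | where TimeGenerated > ago(1d)
let SampleEvents = datatable(TimeGenerated:datetime, EventID:int, AccountType:string, Computer:string)
[
    datetime(2024-01-01 00:05), 4624, "User",    "srv01",
    datetime(2024-01-01 00:10), 4625, "User",    "srv01",
    datetime(2024-01-01 00:40), 4624, "Machine", "srv02",
    datetime(2024-01-01 01:02), 4625, "User",    "srv01",
    datetime(2024-01-01 01:03), 4625, "User",    "srv01",
    datetime(2024-01-01 01:04), 4625, "User",    "srv01",
    datetime(2024-01-01 01:05), 4625, "User",    "srv01",
    datetime(2024-01-01 01:30), 4624, "User",    "srv02",
    datetime(2024-01-01 02:15), 4624, "User",    "srv02",
    datetime(2024-01-01 02:20), 4625, "Machine", "srv02"
];
// Assumed value for illustration; derive the real one from your own baseline.
let FailedLogonThreshold = 3;
SampleEvents
| where AccountType == "User"            // ignore machine accounts
| where EventID in (4624, 4625)          // 4624 = successful logon, 4625 = failed logon
// countif turns each event ID into its own numeric column, so the chart
// draws one series per column instead of one per by-clause dimension.
| summarize FailedLogons     = countif(EventID == 4625),
            SuccessfulLogons = countif(EventID == 4624)
            by bin(TimeGenerated, 1h)
// Constant column: rendered as a flat reference line on the chart.
| extend Threshold = FailedLogonThreshold
| order by TimeGenerated asc
| render timechart
```

Hours with no matching events produce no row from summarize, so the chart connects the neighbouring points across the gap rather than dropping to zero.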
See other lessons for using the Kusto query language with Azure Monitor log data: