Creating charts and diagrams from Azure Monitor log queries

Note

You should complete Advanced aggregations in Azure Monitor log queries before completing this lesson.

Note

You can work through this exercise in your own Log Analytics environment, or you can use our Demo environment, which includes plenty of sample data.

This article describes various visualizations in Azure Monitor to display your log data in different ways.

Charting the results

Start by reviewing how many computers there are per operating system, during the past hour:

Heartbeat
| where TimeGenerated > ago(1h)
// Heartbeat holds many records per computer, so count each computer once
| summarize dcount(Computer) by OSType

By default, results display as a table:

Table

To get a better view, select Chart, and choose the Pie option to visualize the results:

Pie chart

Timecharts

Show the average, 50th and 95th percentiles of processor time in bins of 1 hour. The query generates multiple series and you can then select which series to show in the time chart:

Perf
| where TimeGenerated > ago(1d) 
| where CounterName == "% Processor Time" 
| summarize avg(CounterValue), percentiles(CounterValue, 50, 95)  by bin(TimeGenerated, 1h)

Select the Line chart display option:

Line chart

Reference line

A reference line can help you easily identify whether the metric exceeded a specific threshold. To add a line to a chart, extend the dataset with a constant column:

Perf
| where TimeGenerated > ago(1d) 
| where CounterName == "% Processor Time" 
| summarize avg(CounterValue), percentiles(CounterValue, 50, 95)  by bin(TimeGenerated, 1h)
| extend Threshold = 20

Reference line

Multiple dimensions

Multiple expressions in the by clause of summarize create multiple rows in the results, one for each combination of values.

SecurityEvent
| where TimeGenerated > ago(1d)
| summarize count() by tostring(EventID), AccountType, bin(TimeGenerated, 1h)

When you view the results as a chart, it uses the first column from the by clause. The following example shows a stacked column chart using the EventID. Dimensions must be of string type, so in this example the EventID is being cast to string.

Bar chart EventID

You can switch between dimensions by selecting the dropdown with the column name.

Bar chart AccountType
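
The reference-line technique shown earlier also works on the SecurityEvent data, and the threshold can be computed from the data instead of being a constant. The following query is an added example, not part of the original lesson; the filter on EventID 4625 (failed logon) and the mean plus two standard deviations baseline are assumptions chosen for illustration.

```kusto
// Added example: hourly failed logons with a computed reference line.
// Assumptions: EventID 4625 as the signal, avg + 2 * stdev as the threshold.
let lookback = 1d;
// One row per hour with the number of failed logon events
let hourly = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | summarize FailedLogons = count() by bin(TimeGenerated, 1h);
// Collapse the hourly counts into a single scalar threshold
let threshold = toscalar(
    hourly
    | summarize avg(FailedLogons) + 2 * stdev(FailedLogons));
hourly
// Same idea as "extend Threshold = 20", but the value follows the data
| extend Threshold = threshold
| order by TimeGenerated asc
| render timechart
```

Hours where FailedLogons rises above the Threshold series stand out on the chart; hours with no matching events produce no row, so they appear as gaps rather than zeros.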

Next steps

See other lessons for using the Kusto query language with Azure Monitor log data: