Search queries in Azure Monitor logs

Azure Monitor log queries can start with either a table name or a search command. This tutorial covers search-based queries. There are advantages to each method.

Table-based queries start by scoping the query and therefore tend to be more efficient than search queries. Search queries are less structured which makes them the better choice when searching for a specific value across columns or tables. search can scan all columns in a given table, or in all tables, for the specified value. The amount of data being processed could be enormous, which is why these queries could take longer to complete and might return very large result sets.

Search a term

The search command is typically used to search a specific term. In the following example, all columns in all tables are scanned for the term "error":

search "error"
| take 100

While they're easy to use, unscoped queries like the one shown above are not efficient and are likely to return many irrelevant results. A better practice is to search in the relevant table, or even a specific column.

Table scoping

To search a term in a specific table, add in (table-name) just after the search operator:

search in (Event) "error"
| take 100

or in multiple tables:

search in (Event, SecurityEvent) "error"
| take 100

Table and column scoping

By default, search evaluates all columns in the data set. To search only a specific column (named Source in the example below), use this syntax:

search in (Event) Source:"error"
| take 100

Tip

If you use == instead of :, the results include only records in which the Source column has the exact value "error", with this exact casing. Using : includes records where Source has values such as "error code 404" or "Error".

Case-sensitivity

By default, term search is case-insensitive, so searching "dns" could yield results such as "DNS", "dns", or "Dns". To make the search case-sensitive, use the kind option:

search kind=case_sensitive in (Event) "DNS"
| take 100

Use wild cards

The search command supports wild cards, at the beginning, end or middle of a term.

To search terms that start with "win":

search in (Event) "win*"
| take 100

To search terms that end with ".com":

search in (Event) "*.com"
| take 100

To search terms that contain "www":

search in (Event) "*www*"
| take 100

To search terms that start with "corp" and end in ".com", such as "corp.mydomain.com":

search in (Event) "corp*.com"
| take 100

You can also get everything in a table by using just a wild card: search in (Event) *, but that would be the same as writing just Event.

Tip

While you can use search * to get every column from every table, it's recommended that you always scope your queries to specific tables. Unscoped queries may take a while to complete and might return too many results.

Add and / or to search queries

Use and to search for records that contain multiple terms:

search in (Event) "error" and "register"
| take 100

Use or to get records that contain at least one of the terms:

search in (Event) "error" or "register"
| take 100

If you have multiple search conditions, you can combine them into the same query using parentheses:

search in (Event) "error" and ("register" or "marshal*")
| take 100

The results of this example would be records that contain the term "error" and also contain either "register" or something that starts with "marshal".

Pipe search queries

Just like any other command, search can be piped so search results can be filtered, sorted, and aggregated. For example, to get the number of Event records that contain "win":

search in (Event) "win"
| count
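
The following query is an added example, not part of the original page, that combines the pieces above (table scoping, wildcards, and/or, and piping) into one search a defender might run: it finds Event and SecurityEvent records that mention a logon together with a failure or lockout, then counts matches per source table and computer. It assumes both tables exist in the workspace and carry a Computer column.

```kql
// Added example (not from the page): scan two tables for records that
// mention "logon" together with a term starting with "fail" or "lock",
// then count matches per source table and computer.
// Assumes the Event and SecurityEvent tables exist and expose a Computer
// column; $table is the column search adds to mark each row's source table.
search in (Event, SecurityEvent) "logon" and ("fail*" or "lock*")
| summarize Hits = count() by $table, Computer
| sort by Hits desc
| take 10
```

Scoping to the two tables keeps the scan bounded, and the summarize step turns a large raw result set into a short ranked list of the noisiest hosts.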

Next steps