Log queries in Azure Monitor
Azure Monitor Logs is based on Azure Data Explorer, and log queries are written using the same Kusto query language (KQL). This is a rich language designed to be easy to read and author, so you should be able to start writing queries with some basic guidance.
Areas in Azure Monitor where you will use queries include the following:
- Log Analytics. Primary tool in the Azure portal for editing log queries and interactively analyzing their results. Even if you intend to use a log query elsewhere in Azure Monitor, you'll typically write and test it in Log Analytics before copying it to its final location.
- Log alert rules. Proactively identify issues from data in your workspace. Each alert rule is based on a log query that is automatically run at regular intervals. The results are inspected to determine if an alert should be created.
- Workbooks. Include the results of log queries using different visualizations in interactive visual reports in the Azure portal.
- Azure Dashboards. Pin the results of any query into an Azure dashboard which allow you to visualize log and metric data together and optionally share with other Azure users.
- Logic Apps. Use the results of a log query in an automated workflow using Logic Apps.
- PowerShell. Use the results of a log query in a PowerShell script from a command line or an Azure Automation runbook that uses Get-AzOperationalInsightsSearchResults.
- Azure Monitor Logs API. Retrieve log data from the workspace from any REST API client. The API request includes a query that is run against Azure Monitor to determine the data to retrieve.
Getting started
The best way to get started learning to write log queries using KQL is leveraging available tutorials and samples.
- Log Analytics tutorial - Tutorial on using the features of Log Analytics which is the tool that you'll use in the Azure portal to edit and run queries. It also allows you to write simple queries without directly working with the query language. If you haven't used Log Analytics before, start here so you understand the tool that you'll use with the other tutorials and samples.
- KQL tutorial - Guided walk through basic KQL concepts and common operators. This is the best place to start to come up to speed with the language itself and the structure of log queries.
- Example queries - Description of the example queries available in Log Analytics. You can use the queries without modification or use them as samples to learn KQL.
- Query samples - Sample queries illustrating a variety of different concepts.
Reference documentation
Documentation for KQL including the reference for all commands and operators is available in the Azure Data Explorer documentation. Even as you get proficient using KQL, you'll still regularly use the reference to investigate new commands and scenarios that you haven't used before.
Language differences
While Azure Monitor uses the same KQL as Azure Data Explorer, there are some differences. The KQL documentation will specify those operators that aren't supported by Azure Monitor or that have different functionality. Operators specific to Azure Monitor are documented in the Azure Monitor content. The following sections provide a list the differences between versions of the language for quick reference.
Statements not supported in Azure Monitor
Functions not supported in Azure Monitor
- cluster()
- cursor_after()
- cursor_before_or_at()
- cursor_current(), current_cursor()
- database()
- current_principal()
- extent_id()
- extent_tags()
Operators not supported in Azure Monitor
Plugins not supported in Azure Monitor
Additional operators in Azure Monitor
The following operators support specific Azure Monitor features and are not available outside of Azure Monitor.
Next steps
- Walk through a tutorial on writing queries.
- Access the complete reference documentation for Kusto query language.