Thursday, March 26, 2020

 Enable performance counter for Log analytics and execute KUSTO Query


This article explains how you can execute a Log Analytics query, or KUSTO query, against a Log Analytics workspace. A KUSTO query is a combination of SQL, PowerShell and bash, and becomes KQL (Kusto Query Language).
Prior to this, please first go through how to create a Log Analytics workspace.


The following must be present for this solution:
1. You should have a Log Analytics workspace already configured in your Azure subscription.

Log analytics workspace

Once you are done with the creation of the LAW, open it and find the Logs option on the left side of the panel, marked in RED in the image LA.jpg below.

There I’ve executed a query which lists the number of computers sending logs each hour. For that purpose I selected a table named Heartbeat, which contains potential information about the virtual machines connected to the Log Analytics workspace, aka LAW.

Go to Data -> Windows Performance Counter -> Add the selected performance counter, and click on that. As soon as you click, all those counters will be enabled and will start sending telemetry to the Log Analytics workspace, which you can then query to get virtual machine performance information. Refer to enable-counter.jpg.

Once the performance counters are enabled, they start sending that information to the Log Analytics workspace.

NOTE: If you don’t get any records when you execute a query on the Perf table, then restart the MMA agent on the virtual machine, or disconnect/connect the virtual machine using the option visible in the Log Analytics workspace.
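To see which machines the NOTE above applies to, the following query (an added example, not part of the original post) lists agents that are sending Heartbeat records but no Perf records. It assumes the default Heartbeat and Perf tables and their standard columns (Computer, OSType, TimeGenerated); the names lookback and PerfSafe are chosen here for illustration.

```kusto
// Added example: agents that are connected (Heartbeat) but send no Perf data.
let lookback = 30m;
// isfuzzy=true keeps the query valid when the Perf table has never received
// data and therefore does not resolve in this workspace.
let PerfSafe = union isfuzzy=true
    (datatable(TimeGenerated:datetime, Computer:string)[]),
    (Perf);
Heartbeat
| where TimeGenerated > ago(lookback)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType
| join kind=leftouter (
    PerfSafe
    | where TimeGenerated > ago(lookback)
    | summarize PerfRecords = count(), LastPerf = max(TimeGenerated) by Computer
  ) on Computer
// Machines with no Perf rows come back as null from the left outer join.
| extend PerfRecords = coalesce(PerfRecords, 0)
| project Computer, OSType, LastHeartbeat, PerfRecords, LastPerf
| sort by PerfRecords asc
```

Rows with PerfRecords equal to 0 are machines whose agent is reporting but whose counters are not arriving. A machine missing from the result entirely has sent no heartbeat in the window.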

You can easily see the performance of a virtual machine connected to the Log Analytics workspace, aka LAW. For that, select the Perf table.

Another query is for Usage, rendering the result as a piechart. You can also render it as a table, a scatterchart, and with a few more options.

// Usage by data types
// Chart the amount of logs reported for each data type, today
Usage
| summarize count_per_type=count() by DataType
| sort by count_per_type desc
| render piechart

The image below shows how it works in a real use case.

KUSTO keywords in use

Refer to the image kusto-query-piechart.jpg below for the output as a piechart.

NOTE: The following query fetches information about "% Committed Bytes In Use" (in the case of a Windows OS); for a Linux-based machine the counter name will be "% Used Memory".
After executing the query below I get 3 rows as a result because, if you remember, I’ve enabled the performance counters for Windows computers. Refer to the screenshot enable-counter.jpg.

// Average "% Committed Bytes In Use" per computer in 10-minute bins, last 30 minutes
Perf
| where TimeGenerated > ago(30m)
| where CounterName == "% Committed Bytes In Use"
| project TimeGenerated, CounterName, CounterValue, Computer
| summarize UsedMemory = avg(CounterValue) by CounterName, bin(TimeGenerated, 10m), Computer
| where UsedMemory > 0
| render timechart

Refer to the image result.jpg below.


I hope it helps you a bit to understand how we can run KUSTO on a Log Analytics workspace.

