In a shared Azure Landing Zone infrastructure, we are running a dozen or so SW applications, and we must report the cost of LAW ingestion of all the Azure resources allocated to each application (we call them "Outcomes") in this environment. We built a workbook and in it fashioned some queries, one of them "by outcome" and it takes a loooooong time to complete (I have never seen it complete) based on several TiB of data ingested over the last 30 days.

The Kusto Query

Parameter Query :- (Scoped to Subscription)

ResourceContainers
| where type=='microsoft.resources/subscriptions/resourcegroups'
| extend Tag = todynamic(tags)
| extend TeamName = Tag["TEAM NAME"]
| where isnotempty(TeamName)
| project Owner = strcat("'",name,'#',tostring(TeamName),"'")

Actual Query :- (Scoped to Log Analytics Workspace)

let OutcomeTable = datatable(ResourceGroupOwner:string) {ResourceGroupOwnerList};
find where TimeGenerated {TimeRange:value} project _ResourceId, _BilledSize, _IsBillable, TimeGenerated
| where _IsBillable == true
| extend ResourceGroup = case(isempty(_ResourceId),"Infrastructure",tostring(split(_ResourceId, '/')[4]))
| where isnotempty(ResourceGroup)
| summarize IngestedData = sum(_BilledSize) by ResourceGroup
| join kind=leftouter (OutcomeTable | extend ResourceGroup = tostring(split(ResourceGroupOwner,'#')[0]), Owner = tostring(split(ResourceGroupOwner,'#')[1]) | project ResourceGroup, Owner) on ResourceGroup
| project Owner = case(isempty(Owner),ResourceGroup,Owner), IngestedData
| summarize sum(IngestedData) by Owner

Azure Monitor - InsightsMetrics

Hello,

We need some way to filter metrics scraped from our services in Azure Kubernetes that are injected into InsightsMetrics.
It seems that labels/annotations from pods are droped, we did not find a way to populate pod name with metrics...

How should we plot a graph of requests per second per pod, in Azure Monitor, if we cannot filter out by a pod?

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/prometheus-metrics-scrape-configuration
Azure/iotedge#6141

Example record from InsightsMetrics
12/3/2022, 10:32:00.000 AM aks-default-12500777-vmss000000 container.azm.ms/telegraf prometheus keycloak_response_errors 3 {"code":"500","container.azm.ms/clusterId":"/subscriptions/xxxxxx-5fa9-493e-9256-xxxxxx/resourceGroups/RG-dev/providers/Microsoft.ContainerService/managedClusters/aks-dev","container.azm.ms/clusterName":"aks-dev","hostName":"aks-default-12500777-vmss000000","method":"GET","resource":"realms,realms/center/protocol/openid-connect","scrapeUrl":"https://identity.dev.net/realms/center/metrics"} xxxxxx-9e53-4d70-9df1-xxxxxxxxxx

Case 1:

Case 2:

The above graphs are depicting amount of data being ingested by data collection rules in Azure metrics workbook.

Bug is clear from case 1, where graph is incorrectly rendering count as 888 instead of being close to 0.
Whereas in case 2, graph shows 91 as expected when user hovers on a peak.

I have a question related to behaviour as seen below.

We deploy about 300 alerts for our customers which are mostly based upon log searches.

I gave read that when an alert rule is failing for 7 days it gets disabled automatically.

As I understood the documentation this also happens when the syntax of the query is ok but if the table/column does not yet exist in log analytics.

Since we bootstrap our environments with all these alerts it could obviously be that a customer will not deploy all the resources that have an alert within a 7 day period. It could take months for somebody to actually deploy an AKS cluster for example.

Is the "7 day disable automation by MS" applicable to:

• v1 and v2 alert rules

Is there a way to prevent this from happening?

Did I understand the mechanism correctly?

"alert 123 is disabled by the System due to : Alert has been failing consistently with the same exception for the past week"

As I'm not finding any docs on this, and this seems to be the right place to ask this question:
What do I have to do to permanently hide all example queries from my logs analytics workspace?
They tend to clutter the UI and make it harder to find the desired queries.

Hi team, currently I have this setup:

• Prometheus rule group with scope of Azure Monitor Workspace
• The rules in the rule group have an action group associated, which will call a HTTP based slack webhook to send alerts

What I'm trying to achieve:

• When the condition is met for a certain rule, I expected the alert to fire once and subsequent evaluations to the rule to either do nothing or update to the existing alert

Current reality of my setup:

• When the condition is met for a certain rule, new alerts will keep firing on each subsequent evluation of the rule

I've tried looking for configuration that will help me achieve the desired behavior but with no luck.
So far I've tried:

• Setting the evaluation interval to a higher value, but this only delays the alert firing, not deduplicate it
• Processing rule to supress alerts, but it seems to only supress by time of day etc, not deduplicate

Is there a config that I'm not aware of or is this a mechanism not yet implemented in Azure Monitor?

I am looking for a Java Client to insert data into Log Analytics Workspace. Currently I am using HTTP Api but looking for a java client.

I had posted the issue in a wrong channel, please find the details in the following link
Azure/azure-cosmos-dotnet-v3#3984 (comment)

How do you target Logic App Preview workflow failures?

Should files containing queries be named with extension .csl rather than .txt? Markdown would be another format providing better ways to format syntax by language.

csl or kusto extension supports formatting in VSCode
https://marketplace.visualstudio.com/items?itemName=ms-samples.kusto-language

I have tried below kql queries but its not giving the CPU and Memory Metrics of the node described along with the pod details.a

ContainerInventory

| where Computer contains "aks-nodepool1-pvmss000002"

Perf

| where Computer contains "aks-agentpool-vmss000003"

KubeNodeInventory

| where Computer contains "aks-agentpool-vmss000003"

InsightsMetrics

| where Computer contains "aks-agentpool-vmss000003"

but do we have the kubectl queries to get the CPU and Memory Metrics of each nodes- kubectl describe node aks-agentpool-vmss000003

Getting the below attached error when trying to run the migration script. Please, assist. Thanks!

Hi,

I get the following error when I run the script on Powershell 7.3.4:

Get-AzContext : The term 'Get-AzContext' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Temp\WorkspaceConfigToDCRMigrationTool.ps1:664 char:18

• $azContext = Get-AzContext
  

•              ~~~~~~~~~~~~~
  

  • CategoryInfo : ObjectNotFound: (Get-AzContext:String) [], CommandNotFoundException
  • FullyQualifiedErrorId : CommandNotFoundException

Module Az.Accounts is installed on version 2.12.3 and I run powershell as administrator.

Any ideas?

Best regards,

DJITS

There may be some redundancy with this repo and the workbooks contained within https://github.com/microsoft/Application-Insights-Workbooks

Should clarify / contrast purpose & scope, and provide link to other repos provided for Azure Monitor and supporting solutions (Data Explorer Proxy, etc)

Add additional examples for following services:

Azure Synapse and Azure Data Warehouse
Azure Data Factory v2 (Resource-Specific Diagnostics)
Security Center Continuous Export
Azure Databricks

I am looking for query which cause blocks on SQL server , as per documents Monitor should show me blocks but is there a way to see the query which cause the blocks.?

Hi All , Iam very new to AzureMonitor Community One of Customer is asking Can we able to trigger an email alert of daily/Monthly Health reports of their VM's

Need your Suggestions please its not an issue :)

Thanks
Dhishyanth

I don't know where I can post this issue so that posting issue here,

I have write own logger into asp.net to log into log analytics.
There try to implement distributed tracing with help of activity class which is provided by asp.net core framework,

Issue is that when we are log TraceId into log as string , it's automatic consider as GUID and append dashes(-). so that we are not able to compare actual TraceId and logged TraceId.

here problem is Data Collector API does not understand proper data type.

fea47d6e-5871-c742-a07c-5073e8a7886c (logged TraceId)
fea47d6e5871c742a07c5073e8a7886c (original TraceId)

I ran SQL best practices assessment for SQL virtual machine and got this failure:

Then I went through these troubleshooting steps and everything looks fine:
https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/vmext-troubleshoot?WT.mc_id=Portal-SqlAzureExtension#troubleshoot-the-azure-windows-vm-extension

Next, I followed these steps and chose "The agent extension deployment is failing" scenario:
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows-troubleshoot?WT.mc_id=Portal-SqlAzureExtension&tabs=UpdateMMA#use-the-troubleshooting-tool

And I got this log:
tool.log

Then I ran the SQL best practices assessment again but still got the same error. Can you please help me to solve this problem? Many thanks!

seems to be no examples for how to surface logs from your Azure OpenAI service generations. thoughts?

Just for information: All the IoT-Hub query samples are broken (using current AzureMonitor QueryEditor)

There's some confusion on the Event Grid Log queries. I see the queries are located in this repo. Running the queries produce the error:

'parse' operator: Failed to resolve table or column expression named 'AegDeliveryFailureLogs'

Does something need to be enabled to create the AegDeliveryFailureLogs table? Are the queries in the repo still accurate?

If this is not the proper place for this question feel free to close this issue.

I am flummoxed by the results of this query always being empty

let requestList = requests | where timestamp >= ago(30m)
| distinct operation_Id;
pageViews  | where timestamp >= ago(30m)
| join kind=inner requestList on operation_Id;

Has there been a change recently in the use of operation_Id ?

Can we have workbook or any kql for network traffic analytics, we tried something but i can't able to get like x-axis for time and y-axis for ingress and egress traffic. I need this on dashboard

I created Audit Trail in my database by overriding EF Core SaveChanges and SaveChangesAsync methods and storing if entity was Added, Removed, Edited, what columns where edited and what user did it.

However, I became aware of Azure Monitor, but I cannot find information is it possible to track changes made to records stored in selected errors using Azure Monitor instead of what I've done?

I'm attempting to deploy an instance of Azure Monitor Workspace. However, I need to assign a custom name to the default resource group created during AMW provisioning. I've been unable to achieve this using the ARM template or with Bicep, and I can't find any documentation on the topic.

Based in the manual this metric must be AVG Link

AzureMetrics   
| where ResourceProvider == 'MICROSOFT.DATAFACTORY'
| where Resource == 'xxx'
| where MetricName  ==  'IntegrationRuntimeAvailableMemory' 
| project TimeGenerated, Average
| order by TimeGenerated asc
| render timechart

But I suspect that is not true:

I'm missing a folder for Azure Active Directory... I have some queries to share :-)

I have a function app which collects custom logs from one source and sends them to Azure Monitor using the following code example. The function app runs each hour and sends about 100k rows of log.

Whenever I test the function app locally, it sends the exact amount of log rows, for example 100,000, but when I publish my function app, for some reason it shows in Azure that the number of rows received is slightly more than the original (e.g. 100,050).

What could be the possible reason?

I am trying to setup a scheduled query alert from the AKS-Construction repo, and have run into some odd behavior. Apparently, the alert can be setup from the AKS-Construction templates, but not from a standalone deployment. I am trying to move the alert into my logging templates as it isn't really AKS related.

Azure/AKS-Construction#559

resource Daily_data_cap_breached_for_workspace_logworkspacename_CIQ_1 'microsoft.insights/scheduledqueryrules@2022-06-15' = {
  name: 'Daily data cap breached for workspace ${resLogAnalyticsWorkspace.name} CIQ-1'
  location: parAutomationAccountLocation
  properties: {
    displayName: 'Daily data cap breached for workspace ${resLogAnalyticsWorkspace.name} CIQ-1'
    description: 'This alert monitors daily data cap defined on a workspace and fires when the daily data cap is breached.'
    severity: 1
    enabled: metricAlertsEnabled
    evaluationFrequency: evalFrequency
    scopes: [
      resLogAnalyticsWorkspace.id
    ]
    windowSize: windowSize
    autoMitigate: false
    criteria: {
      allOf: [
        {
          query: '_LogOperation | where Operation == "Data collection Status" | where Detail contains "OverQuota"'
          timeAggregation: 'Count'
          operator: 'GreaterThan'
          threshold: 0
          failingPeriods: {
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 1
          }
        }
      ]
    }
    muteActionsDuration: 'P1D'
  }
}

throws the following exception from a standalone bicep deployment

{
    "status": "Failed",
    "error": {
        "code": "BadRequest",
        "message": "Couldn't optimize the query because it doesn't contain the table Operation explicitly. Please add the table to the query explicitly and try again"
    }
}

I'm trying to access AppInsights data, for now trying through a console app, using APIKey for authentication.
Surprisingly, I get empty result as response. Same query returns expected result when run in Azure portal.
Please help me understand what I am missing here.

Code:

public async Task<IList<IDictionary<string, string>>> ReadAsync(string applicationId, string apiKey)
        {
            ApiKeyClientCredentials credentials = new ApiKeyClientCredentials(apiKey);
            using ApplicationInsightsDataClient client = new ApplicationInsightsDataClient(credentials);
            client.AppId = applicationId;
            string query = "customMetrics | take 1";
            HttpOperationResponse<QueryResults> queryWithHttpMessagesAsync = await client.QueryWithHttpMessagesAsync(query);
            QueryResults result = queryWithHttpMessagesAsync.Body;
            IList<IDictionary<string, string>> resultsDictionary = result.Results.ToList();

            return resultsDictionary;
        }

The workbook works w/o issue with no modifications against workspaces whose VMs are connected with the legacy agent. However, any special considerations for VMs using the newer AMA?

I was directed by @tarekgh here to create an issue in this repository, so here I am 👋

There are more details in the issue linked (dotnet/runtime#98854), but the gist of it is this: Adding UseAzureMonitor causes my integration tests to "blow up"; It's causing some immense concurrency and/or correlation issues.

Without UseAzureMonitor I have no concurrency and/or correlation issues (Only some inconsistencies in the name of the activity, which is a different issue entirely I reckon, not related to Azure).

With UseAzureMonitor however there is something happening (be that concurrency or correlation - I don't know) that's causing my integration tests to fail when running them in parallel, but work fine when I'm running them sequentially.

Later in the thread I did find a partial workaround (With its own set of problems), but the general issue stands; Something fishy is going on with UseAzureMonitor.

In case the issue over on dotnet drops or I do a lot of changes to the repro during research, here's a direct link to the GitHub repo before adding the partial workaround: https://github.com/KennethHoff/Repros/tree/b25106f575ee5c782f99dfcfe89b5fc6eb53a900/ActivityTesting

I have gone through the Azure Monitor Docs and also played around on their website, but what I have only found out is that we can monitor a particular resource, i.e. if I create a Azure Cache for Redis instance that I can only monitor what happens in that instance, but since one instance has the capability of creating 16 different logical databases, is it possible to separately monitor those databases accordingly, and find out if how much resource is each of the database using in that single redis instance?

This rule triggers when there is a DNS query for non-local domain.

//This is my log query and watchlist

Not able to figure it out why i am not seeing the domain listed in the watchlist to my table

AZ_VERSION

{
  "azure-cli": "2.32.0",
  "azure-cli-core": "2.32.0",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {
    "log-analytics": "0.2.2",
    "log-analytics-solution": "0.1.1"
  }
}

Linking log profiles to storage account, tried through various methods. Results in the same error message.
"code":"StorageAccountNotAccessible"

STORAGEACCOUNT_ID=$(az storage account show --resource-group <rg-name> --name <storage-account>  --query id -o tsv)
az monitor log-profiles create \                                                                                                                                    6s 
  --name <log-profile-name> --categories "Delete" "Write" "Action" --days 30 --enabled true \
  --storage-account-id $STORAGEACCOUNT_ID --location $LOCATION --locations $LOCATIONS 

ERROR:

cli.azure.cli.core.sdk.policies: {"code":"StorageAccountNotAccessible","message":"There is a transient issue accessing the provided storage account. Please try again."}
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
  File "/opt/azure-cli/lib/python3.10/site-packages/knack/cli.py", line 231, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/azure-cli/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 658, in execute
    raise ex
  File "/opt/azure-cli/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 721, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/azure-cli/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 713, in _run_job
    return cmd_copy.exception_handler(ex)
  File "/opt/azure-cli/lib/python3.10/site-packages/azure/cli/command_modules/monitor/_exception_handler.py", line 23, in exception_handler
    raise ex
  File "/opt/azure-cli/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 692, in _run_job
    result = cmd_copy(params)
  File "/opt/azure-cli/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 328, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/azure-cli/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/opt/azure-cli/lib/python3.10/site-packages/azure/cli/command_modules/monitor/operations/log_profiles.py", line 14, in create_log_profile_operations
    return client.create_or_update(log_profile_name=name, parameters=parameters)
  File "/opt/azure-cli/lib/python3.10/site-packages/azure/mgmt/monitor/v2016_03_01/operations/_log_profiles_operations.py", line 206, in create_or_update
    map_error(status_code=response.status_code, response=response, error_map=error_map)
  File "/opt/azure-cli/lib/python3.10/site-packages/azure/core/exceptions.py", line 105, in map_error
    raise error
azure.core.exceptions.ResourceExistsError: (StorageAccountNotAccessible) There is a transient issue accessing the provided storage account. Please try again.
Code: StorageAccountNotAccessible
Message: There is a transient issue accessing the provided storage account. Please try again.

cli.azure.cli.core.azclierror: (StorageAccountNotAccessible) There is a transient issue accessing the provided storage account. Please try again.
Code: StorageAccountNotAccessible
Message: There is a transient issue accessing the provided storage account. Please try again.
az_command_data_logger: (StorageAccountNotAccessible) There is a transient issue accessing the provided storage account. Please try again.
Code: StorageAccountNotAccessible
Message: There is a transient issue accessing the provided storage account. Please try again.

Also tried through rest

az rest -m PUT --uri "https://management.azure.com/subscriptions/<sub-id>/providers/Microsoft.Insights/logprofiles/<profile-name>?api-version=2016-03-01" --body '{"location":"<location>","properties":{"locations":["global","<location>"],"categories":["Write","Delete","Action"],"retentionPolicy":{"enabled":true,"days":3},"storageAccountId":"<storage-account-resource-id>"}}' --headers "Content-Type=application/json"

Results are all the same.
Tried with different SKU's deleting and recreating the storage account, different service principals, my account which is Contributor, always results in the same error.

Your help would be appreciated.

I need a query about the duration of computer processes. After the process has terminated, the system can reuse the Id. With the sequence_detect query sample below the start / exit sequence of the two processes with the reused id 1 is not correct detected. How can I query the correct durations?

let Table1 = datatable (Time:datetime, ProcId:int, Action:string)
[
datetime(2020-06-01 8:00), 0, "Start",
datetime(2020-06-01 8:01), 1, "Start",
datetime(2020-06-01 8:02), 1, "Exit",
datetime(2020-06-01 8:03), 2, "Start",
datetime(2020-06-01 8:04), 2, "Exit",
datetime(2020-06-01 8:05), 1, "Start",
datetime(2020-06-01 8:06), 1, "Exit",
datetime(2020-06-01 8:10), 0, "Exit",
];
Table1 | evaluate sequence_detect(Time, 1d, 1d, Start = Action == "Start", Stop = Action == "Exit", ProcId)

ProcId | Start_Time | Stop_Time | Duration
1 | 2020-06-01T08:01:00Z | 2020-06-01T08:06:00Z | 00:05:00
2 | 2020-06-01T08:03:00Z | 2020-06-01T08:04:00Z | 00:01:00
0 | 2020-06-01T08:00:00Z | 2020-06-01T08:10:00Z | 00:10:00

Hello,

We are planning to put workbooks and alerts ARM templates that we are building for Azure Operator Distributed Services (AODS) customers in this repo. We want to have control on who can approve PRs for code change on AODS workbooks and alert templates. Can we add CODEOWNERS file to define individuals or teams that are responsible for code in the repo/subdirectories? For example something like this repo has: https://github.com/microsoft/Application-Insights-Workbooks

Hi there
where running your script, always got the below error
Set-AzContext : Cannot validate argument on parameter 'Subscription'. The argument is null or empty. Provide an argument that is not null or empty

Looking at the script code you are using a variable $subId which does not exist; the parameter one is $SubscriptionId

Then, you have also hardcoded value for the workspace RG and and name
$rgNameWorkspace = 'rg-jamui-workspace'
$workspaceName = 'workspace-jamui-1'

When fixing these issues, the script can run successfully as per below

Connect-AzAccount
Select-AzSubscription -Subscription $SubscriptionId

$rgNameWorkspace = $ResourceGroupName
$workspaceName = $WorkspaceName

Hi, I've been using Alert rules for some time to trigger Teams messages. We process the message using the webhookdata, and evaluate some criteria based on the attribute ResultCount. Ever since the 28th May. the ResultCount has been 2, for all triggered alerts. Regardless of the actual number of results in the webhookdata. This is causing our alert to be broken resulting in messages containing System.Object[] rather than strings.

Partial of the webhookdata to help illustrate, heavily redacted so apologies, just trying to illustrate there are three rows in SearchResults but the ResultCount is 2. I've seen the same ResultCount of 2 where there are 1, 2, 3, 4, 5, 6 rows etc, so it seems ResultCount is broken.

"ResultCount": 2,
"SeverityDescription": "Critical",
"WorkspaceId": "xxxxx-xxxxxx-xxxxx-0aa8889d4e49",
"SearchIntervalDurationMin": "2880",
"AffectedConfigurationItems": [],
"AlertType": "Number of results",
"IncludeSearchResults": true,
"SearchIntervalInMinutes": "2880",
"Threshold": 0,
"Operator": "Greater Than",
"SearchResults": {
"tables": [{
"name": "PrimaryResult",
"columns": [{
"name": "subnet_trim",
"type": "string"
}, {
"name": "Cloud_Identity",
"type": "string"
}, {
"name": "Count",
"type": "long"
}],
"rows": [
["web-plan-investments", "web-QuaiAPI", 8],
["", "paymentsapp", 16],
["", "quaiapp", 42]
]
}],

The below query throws an error that it failed to resolve wait_type_s. I don't see it in the list of returned fields.

// Wait stats 
// Wait stats over the last hour, by Logical Server and Database. 
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SQL"
| where TimeGenerated >= ago(60min)
| parse _ResourceId with * "/microsoft.sql/servers/" LogicalServerName "/databases/" DatabaseName
| summarize Total_count_60mins = sum(delta_waiting_tasks_count_d) by LogicalServerName, DatabaseName, wait_type_s

Hi Team,

I did not able to access the Log Analytics Demo Environment . could you please look into it

The query here
https://github.com/microsoft/AzureMonitorCommunity/blob/master/Azure%20Services/Key%20vaults/Queries/Input%20data%20Errors/List%20all%20input%20deserialization%20errors.kql

seems to be for stream analytics?

Hi Azure monitor team,

I am trying to open this issue on behalf of our customer. The customer would like to be alerted when the bytes remaining in a file sync session is too large. Please refer below:

However, when configuring, this metric is not selectable:

Please kindly advise and discuss if we would have some solution/workaround on this.

This query returns what's expected

AzureDiagnostics 
|where Category contains "postgre" and Message contains "not"
| take 50 
| order by TimeGenerated desc

works when replacing Message contains "not" with Message contains "cert"
But ssl or SSL or connect won't return this entry, and instead the latest is way earlier than it.

There are likely others available from Azure documentation / region availability & pricing calculator pages which can be monitored via Appinsights / Log Analytics.

Azure Data Lake Analytics
Azure Data Lake Store Gen1
Azure Machine Learning (AML) Workspace
Databricks Workspace
Synapse Analytics Workspace
Function Apps
Public IP Address
VNET
Network Adapter
Network Security Group (NSG)

Sorting the wiki lists alphabetically would also help in terms of identification & maintenance.