Create and run a notebook with Azure Monitor Logs (Preview)

This article shows you how to create and run an Azure Data Studio notebook using the Azure Monitor Log extension to connect to a Log Analytics workspace to view results for an Azure SQL database.

Once the Azure Monitor Logs extension is installed, you can connect to your Azure Monitor Log workspaces, browse the tables, write/execute KQL queries against workspaces and write/execute Notebooks connected to the Log Analytics kernel.

With the Azure Monitor Log extension, you can change the kernel option to Log Analytics.

This feature is currently in preview.

Prerequisites

If you don't have an Azure subscription, create a free Azure account before you begin.

The following prerequisites are also required:

Connect to an Azure Monitor Logs (Log Analytics) workspace

There are two main tables in a Log Analytics (Azure Monitor Logs) workspace that capture Azure SQL events:

In the examples below, this article uses the AzureDiagnostics table and the AzureMetric table in a Log Analytics workspace, which store some Azure SQL event data. We have previously configured Azure SQL to write its selected events to a Log Analytics workspace. Learn more about how to do this here.

You can connect to a Log Analytics workspace.

Create an Azure Monitor Log notebook

The following steps show how to create a notebook file in Azure Data Studio:

  1. In Azure Data Studio, connect to your Log Analytics workspace.

  2. Navigate to the Connections pane and under the Servers window, right-click the Log analytics workspace and select New Notebook. You can also go to File > New Notebook.

    Screenshot of Open notebook.

  3. Select Log Analytics for the Kernel. Confirm that the Attach to menu is set to the workspace name.

    Screenshot of Set Kernel and Attach to.

You can save the notebook using the Save or Save as... command from the File menu.

To open a notebook, you can use the Open file... command in the File menu, select Open file on the Welcome page, or use the File: Open command from the command palette.

Change the connection

To change the Azure Monitor Log connection for a notebook:

  1. Select the Attach to menu from the notebook toolbar and then select Change Connection.

    Screenshot of change connections.

    Note

    Ensure that the workspace value is populated. Azure Monitor Log notebooks require to have the Workspace ID specified in the Server field.

  2. Now, you can either select a recent connection workspace or enter new connection details to connect.

    Screenshot of Select a different cluster.

Run a code cell

You can create cells containing KQL queries that you can run in place by selecting the Run cell button to the cell's left. The results are shown in the notebook after the cell runs.

For example:

Add a new code cell by selecting the +Code command in the toolbar.

Screenshot of kernel code block.

Query log results for an Azure SQL database

You can connect to your Log Analytics workspaces to browse tables, write KQL queries against workspaces, and create notebooks connected to the Log Analytics kernel.

Note

Allow about 15 minutes before the log results appear.

Some sample queries are listed below.

AzureMetrics

Here's a sample query to view AzureMetrics results.

AzureMetrics

Screenshot of Azure metrics code cell results.

AzureDiagnostics

Here's a sample query to view AzureDiagnostics results.

The AzureDiagnostics table tends to have more details than AzureMetrics.

AzureDiagnostics
| project-away TenantId, ResourceId, SubscriptionId, _ResourceId, ResourceGroup // hide sensitive info
| take 10

Screenshot of Azure diagnostics code cell results.

Analyze events by Diagnostic Settings

Here's a query to analyze the number of events by Operation Name.

Note

Each row in AzureDiagnostic represents an event for a specific Operation or category. Some SQL actions might result in generating multiple events of different types.

AzureDiagnostics
| summarize count() by OperationName

Screenshot of Azure diagnostics summarize code cell results.

You can try some more examples from the Azure Monitor Logs samples repo.