Log Analytics Query Language - Unified

Note

You can enjoy the benefit of IT Health and On-Demand Assessments with your Premier agreement by purchasing a RAP as a Service subscription. Contact your Microsoft representative for more information.

The new and improved Azure Log Analytics announced recently provides a powerful query language with built-in Smart Analytics.

To make the best use of the enhancements, we have provided a few queries to help you make sense of your assessment data using the new query language.

Try the new query language:

  1. Ramp up in 5 minutes with our query language cheat sheet.

  2. Visit Getting Started with Queries to learn how to write new queries.

  3. Use the Query Language Reference for details on functions, operators, and types.

  4. Check out our tutorials on Working with String, and Date and Time Operations to learn about data types.

  5. Use aggregations to get insights on your data.

Relevant Queries

  1. Get Assessment Log Data for a Particular Computer

    • Operation | where Computer == "ContosoADDS1.ContosoRetail.com" | summarize arg_max(TimeGenerated, *) by OperationCategory, Solution, Detail
  2. Check the Status of a Solution for Various Operation Categories on All Computers

    • Check whether Operations such as Assessment Target Check, .NET Check, Is Local Administrator Check etc. were successful or not.

    • Operation | where Solution == "SQLAssessment" | summarize arg_max(TimeGenerated, *) by Computer, OperationCategory | sort by TimeGenerated desc, OperationStatus asc

  3. For an Assessment, get all Affected Objects and when they were Accessed

    • SQLAssessmentRecommendation | summarize AggregatedValue = max(TimeGenerated) by AffectedObjectName | sort by AggregatedValue desc
  4. Check for Recommendation Data Available for an Assessment or Not

    • Returns a true or false value based on whether data is available or not.
    • SQLAssessmentRecommendation | summarize Result = count() > 0
  5. To Get Details for a Particular Recommendation Id that Failed

    • SQLAssessmentRecommendation | where RecommendationId == "7821eda2-c420-4920-bc0c-ca8cd1d48482" and RecommendationResult == "Failed"
  6. Get Prioritized list of Failed Recommendations

    • This lists the failed recommendations for unique combinations of RecommendationId and AffectedObjectUniqueName for the latest run of an Assessment.
    • ADAssessmentRecommendation | summarize arg_max(TimeGenerated, *) by RecommendationId, AffectedObjectUniqueName | where RecommendationResult == "Failed" | sort by RecommendationScore desc, TimeGenerated desc

Refer to the use of arg_max in query 1 above.

  7. Get Details Related to Recommendations that Failed for a Particular Affected Object

    • SQLAssessmentRecommendation | where AffectedObjectName == "ContosoMABSVM1.CONTOSORETAIL.COM" | summarize arg_max(TimeGenerated, *) by RecommendationId | where RecommendationResult == "Failed"
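
The following is an added example, not part of the original page: it shows why query 6 applies arg_max before the RecommendationResult filter, by running both orderings over the same rows. The table SampleRecommendation, its rows, the rec-A/rec-B ids, the example.test host names and the Pattern column are constructed for illustration; only the column names come from the queries above.

```kusto
// Constructed sample rows standing in for ADAssessmentRecommendation (not real assessment data).
// Two assessment runs (2024-01-01 and 2024-01-08) over three id/object pairs:
//   rec-A on dc1: Failed, then Passed  (remediated)
//   rec-B on dc1: Failed, then Failed  (still open)
//   rec-A on dc2: Passed, then Failed  (regression)
let SampleRecommendation = datatable(
    TimeGenerated: datetime,
    RecommendationId: string,
    AffectedObjectUniqueName: string,
    RecommendationResult: string,
    RecommendationScore: real)
[
    datetime(2024-01-01 02:00:00), "rec-A", "dc1.example.test", "Failed", 8.5,
    datetime(2024-01-08 02:00:00), "rec-A", "dc1.example.test", "Passed", 8.5,
    datetime(2024-01-01 02:00:00), "rec-B", "dc1.example.test", "Failed", 4.2,
    datetime(2024-01-08 02:00:00), "rec-B", "dc1.example.test", "Failed", 4.2,
    datetime(2024-01-01 02:00:00), "rec-A", "dc2.example.test", "Passed", 8.5,
    datetime(2024-01-08 02:00:00), "rec-A", "dc2.example.test", "Failed", 8.5
];
// Ordering used in query 6: keep the latest row per pair, then test its result.
let LatestThenFilter = SampleRecommendation
    | summarize arg_max(TimeGenerated, *) by RecommendationId, AffectedObjectUniqueName
    | where RecommendationResult == "Failed"
    | extend Pattern = "arg_max, then where";
// Reversed ordering: drop non-failed rows first, then keep the latest failed row per pair.
let FilterThenLatest = SampleRecommendation
    | where RecommendationResult == "Failed"
    | summarize arg_max(TimeGenerated, *) by RecommendationId, AffectedObjectUniqueName
    | extend Pattern = "where, then arg_max";
// Show both result sets side by side, highest score first within each pattern.
union LatestThenFilter, FilterThenLatest
| project Pattern, RecommendationId, AffectedObjectUniqueName, TimeGenerated,
          RecommendationResult, RecommendationScore
| sort by Pattern asc, RecommendationScore desc
```

On these sample rows the reversed ordering also returns the 2024-01-01 failure of rec-A on dc1.example.test, even though that pair passed in the later run, so a prioritized list built that way would include findings that are already fixed.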