separated activity log to new article. added content about wmpty results and wild card

Author: EdB-MSFT

articles/azure-monitor/essentials/data-platform-metrics.md

@@ -46,12 +46,15 @@ The differences between each of the metrics are summarized in the following tabl
 
 Azure Monitor collects metrics from the following sources. After these metrics are collected in the Azure Monitor metric database, they can be evaluated together regardless of their source:
 
-- **Azure resources**: Platform metrics are created by Azure resources and give you visibility into their health and performance. Each type of resource creates a [distinct set of metrics](./metrics-supported.md) without any configuration required. Platform metrics are collected from Azure resources at one-minute frequency unless specified otherwise in the metric's definition.
+- **Azure resources**: Platform metrics are created by Azure resources and give you visibility into their health and performance. Each type of resource creates a [distinct set of metrics](./metrics-supported.md) without any configuration required. Platform metrics are collected from Azure resources at one-minute frequency unless specified otherwise in the metric's definition. 
 - **Applications**: Application Insights creates metrics for your monitored applications to help you detect performance issues and track trends in how your application is being used. Values include _Server response time_ and _Browser exceptions_.
 - **Virtual machine agents**: Metrics are collected from the guest operating system of a virtual machine. You can enable guest OS metrics for Windows virtual machines by using the [Azure Monitor Agent](/azure/azure-monitor/agents/agents-overview). Azure Monitor Agent replaces the legacy agents - [Windows diagnostic extension](../agents/diagnostics-extension-overview.md) and the [InfluxData Telegraf agent](https://www.influxdata.com/time-series-platform/telegraf/) for Linux virtual machines.
 - **Custom metrics**: You can define metrics in addition to the standard metrics that are automatically available. You can [define custom metrics in your application](../app/api-custom-events-metrics.md) that's monitored by Application Insights. You can also create custom metrics for an Azure service by using the [custom metrics API](./metrics-store-custom-rest-api.md).
 - **Kubernetes clusters**: Kubernetes clusters typically send metric data to a local Prometheus server that you must maintain. [Azure Monitor managed service for Prometheus ](prometheus-metrics-overview.md) provides a managed service that collects metrics from Kubernetes clusters and store them in Azure Monitor Metrics.
 
+> [!NOTE]
+> Metrics collected from different sources and by different methods may be aggregated differently. For example, platform metrics are pre-aggregated and stored in a time-series database, while Prometheus metrics are stored as raw data.Resource metrics may also have a different latency than other metrics. This can lead to differences in metric values for a specific sample time. Over time the, and when analyzing the metrics at the same time granularity, these differences disappear.
+
 ## REST API
 
 Azure Monitor provides REST APIs that allow you to get data in and out of Azure Monitor Metrics.

articles/azure-monitor/essentials/rest-activity-log.md

@@ -0,0 +1,71 @@
+---
+title: Retrieve activity log data using Azure monitor REST API
+description: How to retrieve activity log data using Azure monitor REST API.
+author: EdB-MSFT
+ms.topic: conceptual
+ms.date: 03/10/2024
+ms.reviewer: priyamishra
+
+# customer intent: As a developer, I want to learn how to retrieve activity log data using Azure monitor REST API.
+---
+
+# Retrieve activity log data using Azure monitor REST API
+
+The Azure Activity Log is a log that provides insight into operations performed on resources in your subscription. Operations include create, update, delete, and other actions taken on resources. The Activity Log is a platform-wide log and isn't limited to a particular service. This article explains how to retrieve activity log data using the Azure Monitor REST API. For more information about the activity log, see [Azure Activity Log event schema](/azure/azure-monitor/essentials/activity-log-schema).
+
+
+## Authentication
+
+To retrieve resource logs, you must authenticate with Microsoft Entra. For more information, see [Azure monitoring REST API walkthrough](/azure/azure-monitor/essentials/rest-api-walkthrough?tabs=powershell#authenticate-azure-monitor-requests).
+
+## Retrieve activity log data
+
+Use the Azure Monitor REST API to query [activity log](/rest/api/monitor/activitylogs) data. 
+
+The following request format is used to request activity log data.
+
+```curl 
+GET /subscriptions/<subscriptionId>/providers/Microsoft.Insights/eventtypes/management/values \
+?api-version=2015-04-01 \
+&$filter=<filter> \
+&$select=<select>
+host: management.azure.com
+authorization: Bearer <token>
+```
+
+### $filter
+`$filter` reduces the set of data collected. This argument is required and it also requires at least the start date/time.
+The `$filter` argument accepts the following patterns:
+- List events for a resource group: `$filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z' and resourceGroupName eq <resourceGroupName>`.
+- List events for a specific resource: `$filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z' and resourceUri eq <resourceURI>`.
+- List events for a subscription in a time range: `$filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z'`.
+- List events for a resource provider: `$filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z' and resourceProvider eq <resourceProviderName>`.
+- List events for a correlation ID:` $filter=eventTimestamp ge '2014-07-16T04:36:37.6407898Z' and eventTimestamp le '2014-07-20T04:36:37.6407898Z' and correlationId eq '<correlationID>`.
+
+
+### $select
+`$select` fetches a specified list of properties for the returned events.
+The `$select` argument is a comma separated list of property names to be returned. 
+Valid values are: 
+`authorization`, `claims`, `correlationId`, `description`, `eventDataId`, `eventName`, `eventTimestamp`, `httpRequest`, `level`, `operationId`, `operationName`, `properties`, `resourceGroupName`, `resourceProviderName`, `resourceId`, `status`, `submissionTimestamp`, `subStatus`, and `subscriptionId`.
+
+The following sample requests use the Azure Monitor REST API to query an activity log.
+### Get activity logs with filter:
+
+The following example gets the activity logs for resource group `MSSupportGroup` between the dates `2023-03-21T20:00:00Z` and `2023-03-24T20:00:00Z`
+
+``` HTTP
+GET https://management.azure.com/subscriptions/12345678-abcd-98765432-abcdef012345/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2023-03-21T20:00:00Z' and eventTimestamp le '2023-03-24T20:00:00Z' and resourceGroupName eq 'MSSupportGroup'
+```
+### Get activity logs with filter and select:
+
+The following example gets the activity logs for resource group `MSSupportGroup`, between the dates `2023-03-21T20:00:00Z` and `2023-03-24T20:00:00Z`, returning the elements eventName, operationName, status, eventTimestamp, correlationId, submissionTimestamp, and level.
+
+```HTTP
+GET https://management.azure.com/subscriptions/12345678-abcd-98765432-abcdef012345/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2023-03-21T20:00:00Z' and eventTimestamp le '2023-03-24T20:00:00Z'and resourceGroupName eq 'MSSupportGroup'&$select=eventName,operationName,status,eventTimestamp,correlationId,submissionTimestamp,level
+```
+
+## Next steps
+[Stream Azure Monitor activity log data](azure/azure-monitor/essentials/activity-log).
+[Azure Activity Log event schema](/azure/azure-monitor/essentials/activity-log-schema).
+