Merge pull request #97575 from dagiro/freshness89

freshness89

Author: megvanhuygen

articles/hdinsight/hdinsight-hadoop-oms-log-analytics-use-queries.md

@@ -5,17 +5,16 @@ author: hrasheed-msft
 ms.author: hrasheed
 ms.reviewer: jasonh
 ms.service: hdinsight
-ms.custom: hdinsightactive
 ms.topic: conceptual
-ms.date: 11/05/2018
+ms.custom: hdinsightactive
+ms.date: 12/02/2019
 ---
 
 # Query Azure Monitor logs to monitor HDInsight clusters
 
 Learn some basic scenarios on how to use Azure Monitor logs to monitor Azure HDInsight clusters:
 
 * [Analyze HDInsight cluster metrics](#analyze-hdinsight-cluster-metrics)
-* [Search for specific log messages](#search-for-specific-log-messages)
 * [Create event alerts](#create-alerts-for-tracking-events)
 
 [!INCLUDE [azure-monitor-log-analytics-rebrand](../../includes/azure-monitor-log-analytics-rebrand.md)]
@@ -29,96 +28,101 @@ You must have configured an HDInsight cluster to use Azure Monitor logs, and add
 Learn how to look for specific metrics for your HDInsight cluster.
 
 1. Open the Log Analytics workspace that is associated to your HDInsight cluster from the Azure portal.
-1. Select the **Log Search** tile.
-1. Type the following query in the search box to search for all metrics for all available metrics for all HDInsight clusters configured to use Azure Monitor logs, and then select **RUN**.
+1. Under **General**, select **Logs**.
+1. Type the following query in the search box to search for all metrics for all available metrics for all HDInsight clusters configured to use Azure Monitor logs, and then select **Run**. Review the results.
 
-        search *
+    ```kusto
+    search *
+    ```
 
     ![Apache Ambari analytics search all metrics](./media/hdinsight-hadoop-oms-log-analytics-use-queries/hdinsight-log-analytics-search-all-metrics.png "Search all metrics")
 
-    The output shall look like:
-
-    ![log analytics search all metrics](./media/hdinsight-hadoop-oms-log-analytics-use-queries/hdinsight-log-analytics-search-all-metrics-output.png "Search all metrics output")
-
-1. From the left pane, under **Type**, select a metric that you want to dig deep into, and then select **Apply**. The following screenshot shows the `metrics_resourcemanager_queue_root_default_CL` type is selected.
+1. From the left menu, select the **Filter** tab.
 
-    > [!NOTE]  
-    > You may need to select the **[+]More** button to find the metric you are looking for. Also, the **Apply** button is at the bottom of the list so you must scroll down to see it.
-
-    Notice that the query in the text box changes to one shown in the highlighted box in the following screenshot:
+1. Under **Type**, select **Heartbeat**. Then select **Apply & Run**.
 
     ![log analytics search specific metrics](./media/hdinsight-hadoop-oms-log-analytics-use-queries/hdinsight-log-analytics-search-specific-metrics.png "Search for specific metrics")
 
-1. To dig deeper into this specific metric. For example, you can refine the existing output based on the average of resources used in a 10-minute interval, categorized by cluster name using the following query:
-
-        search in (metrics_resourcemanager_queue_root_default_CL) * | summarize AggregatedValue = avg(UsedAMResourceMB_d) by ClusterName_s, bin(TimeGenerated, 10m)
-
-1. Instead of refining based on the average of resources used, you can use the following query to refine the results based on when the maximum resources were used (as well as 90th and 95th percentile) in a 10-minute window:
+1. Notice that the query in the text box changes to:
 
-        search in (metrics_resourcemanager_queue_root_default_CL) * | summarize ["max(UsedAMResourceMB_d)"] = max(UsedAMResourceMB_d), ["pct95(UsedAMResourceMB_d)"] = percentile(UsedAMResourceMB_d, 95), ["pct90(UsedAMResourceMB_d)"] = percentile(UsedAMResourceMB_d, 90) by ClusterName_s, bin(TimeGenerated, 10m)
+    ```kusto
+    search *
+    | where Type == "Heartbeat"
+    ```
 
-## Search for specific log messages
+1. You can dig deeper by using the options available in the left menu. For example:
 
-Learn how to  look error messages during a specific time window. The steps here are just one example on how you can arrive at the error message you are interested in. You can use any property that is available to look for the errors you are trying to find.
+    - To see logs from a specific node:
 
-1. Open the Log Analytics workspace that is associated to your HDInsight cluster from the Azure portal.
-2. Select the **Log Search** tile.
-3. Type the following query to search for all error messages for all HDInsight clusters configured to use Azure Monitor logs, and then select **RUN**.
-
-         search "Error"
+        ![Search for specific errors output1](./media/hdinsight-hadoop-oms-log-analytics-use-queries/log-analytics-specific-node.png "Search for specific errors output1")
 
-    You shall see an output like the following output:
+    - To see logs at certain times:
 
-    ![Azure portal log search errors](./media/hdinsight-hadoop-oms-log-analytics-use-queries/hdinsight-log-analytics-search-all-errors-output.png "Search all errors output")
+        ![Search for specific errors output2](./media/hdinsight-hadoop-oms-log-analytics-use-queries/log-analytics-specific-time.png "Search for specific errors output2")
 
-4. From the left pane, under **Type** category, select an error type that you want to dig deep into, and then select **Apply**.  Notice the results are refined to only show the error of the type you selected.
+1. Select **Apply & Run** and review the results. Also note that the query was updated to:
 
-5. You can dig deeper into this specific error list by using the options available in the left pane. For example:
+    ```kusto
+    search *
+    | where Type == "Heartbeat"
+    | where (Computer == "zk2-myhado") and (TimeGenerated == "2019-12-02T23:15:02.69Z" or TimeGenerated == "2019-12-02T23:15:08.07Z" or TimeGenerated == "2019-12-02T21:09:34.787Z")
+    ```
 
-    - To see error messages from a specific worker node:
+### Additional sample queries
 
-        ![Search for specific errors output1](./media/hdinsight-hadoop-oms-log-analytics-use-queries/hdinsight-log-analytics-search-specific-error-refined.png "Search for specific errors output1")
+A sample query based on the average of resources used in a 10-minute interval, categorized by cluster name:
 
-    - To see an error occurred at a certain time:
+```kusto
+search in (metrics_resourcemanager_queue_root_default_CL) * 
+| summarize AggregatedValue = avg(UsedAMResourceMB_d) by ClusterName_s, bin(TimeGenerated, 10m)
+```
 
-        ![Search for specific errors output2](./media/hdinsight-hadoop-oms-log-analytics-use-queries/hdinsight-log-analytics-search-specific-error-time.png "Search for specific errors output2")
+Instead of refining based on the average of resources used, you can use the following query to refine the results based on when the maximum resources were used (as well as 90th and 95th percentile) in a 10-minute window:
 
-6. To see the specific error. You can select **[+]show more** to look at the actual error message.
-
-    ![Search for specific errors output3](./media/hdinsight-hadoop-oms-log-analytics-use-queries/hdinsight-log-analytics-search-specific-error-arrived.png "Search for specific errors output3")
+```kusto
+search in (metrics_resourcemanager_queue_root_default_CL) * 
+| summarize ["max(UsedAMResourceMB_d)"] = max(UsedAMResourceMB_d), ["pct95(UsedAMResourceMB_d)"] = percentile(UsedAMResourceMB_d, 95), ["pct90(UsedAMResourceMB_d)"] = percentile(UsedAMResourceMB_d, 90) by ClusterName_s, bin(TimeGenerated, 10m)
+```
 
 ## Create alerts for tracking events
 
 The first step to create an alert is to arrive at a query based on which the alert is triggered. You can use any query that you want to create an alert.
 
 1. Open the Log Analytics workspace that is associated to your HDInsight cluster from the Azure portal.
-2. Select the **Log Search** tile.
-3. Run the following query on which you want to create an alert, and then select **RUN**.
+1. Under **General**, select **Logs**.
+1. Run the following query on which you want to create an alert, and then select **Run**.
 
-        metrics_resourcemanager_queue_root_default_CL | where AppsFailed_d > 0
+    ```kusto
+    metrics_resourcemanager_queue_root_default_CL | where AppsFailed_d > 0
+    ```
 
     The query provides list of failed applications running on HDInsight clusters.
 
-4. Select **New Alert Rule** on the top of the page.
+1. Select **New alert rule** on the top of the page.
 
     ![Enter query to create an alert1](./media/hdinsight-hadoop-oms-log-analytics-use-queries/hdinsight-log-analytics-create-alert-query.png "Enter query to create an alert1")
 
-5. In the **Create rule** window, enter the query and other details to create an alert, and then select **Create alert rule**.
+1. In the **Create rule** window, enter the query and other details to create an alert, and then select **Create alert rule**.
 
     ![Enter query to create an alert2](./media/hdinsight-hadoop-oms-log-analytics-use-queries/hdinsight-log-analytics-create-alert.png "Enter query to create an alert2")
 
-To edit or delete an existing alert:
+### Edit or delete an existing alert
 
 1. Open the Log Analytics workspace from the Azure portal.
-2. From the left menu, select **Alert**.
-3. Select the alert you want to edit or delete.
-4. You have the following options: **Save**, **Discard**, **Disable**, and **Delete**.
+
+1. From the left menu, under **Monitoring**, select **Alerts**.
+
+1. Towards the top, select **Manage alert rules**.
+
+1. Select the alert you want to edit or delete.
+
+1. You have the following options: **Save**, **Discard**, **Disable**, and **Delete**.
 
     ![HDInsight Azure Monitor logs alert delete edit](media/hdinsight-hadoop-oms-log-analytics-use-queries/hdinsight-log-analytics-edit-alert.png)
 
 For more information, see [Create, view, and manage metric alerts using Azure Monitor](../azure-monitor/platform/alerts-metric.md).
 
 ## See also
 
+* [Get started with log queries in Azure Monitor](../azure-monitor/log-query/get-started-queries.md)
 * [Create custom views by using View Designer in Azure Monitor](../azure-monitor/platform/view-designer.md)
-* [Create, view, and manage metric alerts using Azure Monitor](../azure-monitor/platform/alerts-metric.md)