Merge pull request #248387 from v-jbasden/v-jbasden-logs-content-inventory-line-8

Authoring new guidance on the permissions required to create a log query across multiple workspaces and apps, adding conceptual tabs, and streamlining the content

Author: prmerger-automator[bot]

articles/azure-monitor/logs/cross-workspace-query.md

@@ -22,16 +22,22 @@ There are two methods to query data that's stored in multiple workspaces and app
 > [!IMPORTANT]
 > If you're using a [workspace-based Application Insights resource](../app/create-workspace-resource.md), telemetry is stored in a Log Analytics workspace with all other log data. Use the `workspace()` expression to write a query that includes applications in multiple workspaces. For multiple applications in the same workspace, you don't need a cross-workspace query.
 
+## Permissions required
+
+- You must have `Microsoft.OperationalInsights/workspaces/query/*/read` permissions to the Log Analytics workspaces you query, as provided by the [Log Analytics Reader built-in role](./manage-access.md#log-analytics-reader), for example.
+- To save a query, you must have `microsoft.operationalinsights/querypacks/queries/action` permisisons to the query pack where you want to save the query, as provided by the [Log Analytics Contributor built-in role](./manage-access.md#log-analytics-contributor), for example.
+
 ## Cross-resource query limits
 
 * The number of Application Insights components and Log Analytics workspaces that you can include in a single query is limited to 100.
 * Cross-resource queries in log alerts are only supported in the current [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2018-04-16/scheduled-query-rules). If you're using the legacy Log Analytics Alerts API, you'll need to [switch to the current API](../alerts/alerts-log-api-switch.md).
-* References to a cross resource, such as another workspace, should be explicit and can't be parameterized. See [Identify workspace resources](#identify-workspace-resources) for examples.
+* References to a cross resource, such as another workspace, should be explicit and can't be parameterized. See [Gather identifiers for Log Analytics workspaces](?tabs=workspace-identifier#gather-identifiers-for-log-analytics-workspaces-and-application-insights-resources) for examples.
+
+## Gather identifiers for Log Analytics workspaces and Application Insights resources
 
-## Query across Log Analytics workspaces and from Application Insights
 To reference another workspace in your query, use the [workspace](../logs/workspace-expression.md) identifier. For an app from Application Insights, use the [app](./app-expression.md) identifier.
 
-### Identify workspace resources
+### [Workspace identifier](#tab/workspace-identifier)
 
 You can identify a workspace using one of these IDs:
 
@@ -47,7 +53,7 @@ You can identify a workspace using one of these IDs:
     workspace("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/ContosoAzureHQ/providers/Microsoft.OperationalInsights/workspaces/contosoretail-it").Update | count
     ```
 
-### Identify an application
+### [App identifier](#tab/app-identifier)
 The following examples return a summarized count of requests made against an app named *fabrikamapp* in Application Insights.
 
 You can identify an app using one of these IDs:
@@ -64,7 +70,13 @@ You can identify an app using one of these IDs:
     app("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/Fabrikam/providers/microsoft.insights/components/fabrikamapp").requests | count
     ```
 
-### Perform a query across multiple resources
+---
+
+## Query across Log Analytics workspaces and from Application Insights
+
+Follow the instructions in this section to query without using a function or by using a function.
+
+### Query without using a function
 You can query multiple resources from any of your resource instances. These resources can be workspaces and apps combined.
 
 Example for a query across three workspaces:
@@ -79,7 +91,9 @@ union
 | summarize dcount(Computer) by Classification
 ```
 
-## Use a cross-resource query for multiple resources
+For more information on the union, where, and summarize operators, see [union operator](/azure/data-explorer/kusto/query/unionoperator), [where operator](/azure/data-explorer/kusto/query/summarizeoperator), and [summarize operator](/azure/data-explorer/kusto/query/summarizeoperator).
+
+### Query by using a function
 When you use cross-resource queries to correlate data from multiple Log Analytics workspaces and Application Insights components, the query can become complex and difficult to maintain. You should make use of [functions in Azure Monitor log queries](./functions.md) to separate the query logic from the scoping of the query resources. This method simplifies the query structure. The following example demonstrates how you can monitor multiple Application Insights components and visualize the count of failed requests by application name.
 
 Create a query like the following example that references the scope of Application Insights components. The `withsource= SourceApp` command adds a column that designates the application name that sent the log. [Save the query as a function](./functions.md#create-a-function) with the alias `applicationsScoping`.

articles/azure-monitor/logs/move-workspace-region.md

@@ -292,7 +292,7 @@ The following procedures show how to prepare the workspace and resources for the
     | summarize max(TimeGenerated) by Type
     ```
 
-After data sources are connected to the target workspace, ingested data is stored in the target workspace. Older data stays in the original workspace and is subject to the retention policy. You can perform a [cross-workspace query](./cross-workspace-query.md#perform-a-query-across-multiple-resources). If both workspaces were assigned the same name, use a qualified name (*subscriptionName/resourceGroup/componentName*) in the workspace reference.
+After data sources are connected to the target workspace, ingested data is stored in the target workspace. Older data stays in the original workspace and is subject to the retention policy. You can perform a [cross-workspace query](./cross-workspace-query.md). If both workspaces were assigned the same name, use a qualified name (*subscriptionName/resourceGroup/componentName*) in the workspace reference.
 
 Here's an example for a query across two workspaces that have the same name:
 
@@ -317,7 +317,7 @@ If you want to discard the source workspace, delete the exported resources or th
 
 ## Clean up
 
-While new data is being ingested to your new workspace, older data in the original workspace remains available for query and is subject to the retention policy defined in the workspace. We recommend that you keep the original workspace for as long as you need older data to [query across](./cross-workspace-query.md#perform-a-query-across-multiple-resources) workspaces. 
+While new data is being ingested to your new workspace, older data in the original workspace remains available for query and is subject to the retention policy defined in the workspace. We recommend that you keep the original workspace for as long as you need older data to [query across](./cross-workspace-query.md) workspaces. 
 
 If you no longer need access to older data in the original workspace:
 

articles/azure-monitor/logs/query-optimization.md

@@ -455,7 +455,7 @@ A query that spans more than five workspaces is considered a query that consumes
 
 > [!IMPORTANT]
 > - In some multi-workspace scenarios, the CPU and data measurements won't be accurate and will represent the measurement of only a few of the workspaces.
-> - Cross workspace queries having an explicit identifier: workspace ID, or workspace Azure Resource ID, consume less resources and are more performant. See [Create a log query across multiple workspaces](./cross-workspace-query.md#identify-workspace-resources)
+> - Cross workspace queries having an explicit identifier: workspace ID, or workspace Azure Resource ID, consume less resources and are more performant. See [Gather identifiers for Log Analytics workspaces](./cross-workspace-query.md?tabs=workspace-identifier#gather-identifiers-for-log-analytics-workspaces-and-application-insights-resources)
 
 ## Parallelism
 Azure Monitor Logs uses large clusters of Azure Data Explorer to run queries. These clusters vary in scale and potentially get up to dozens of compute nodes. The system automatically scales the clusters according to workspace placement logic and capacity.