add vnet flow logs query

halkazwini · halkazwini · commit 7c732fbdf021 · 2025-06-25T11:06:06.000-05:00
diff --git a/articles/network-watcher/traffic-analytics-schema.md b/articles/network-watcher/traffic-analytics-schema.md
@@ -32,6 +32,14 @@ Traffic analytics is a cloud-based solution that provides visibility into user a
 - `FlowStartTime` field indicates the first occurrence of such an aggregated flow (same four-tuple) in the flow log processing interval between `FlowIntervalStartTime` and `FlowIntervalEndTime`.
 - For any resource in traffic analytics, the flows indicated in the Azure portal are total flows seen, but in Azure Monitor logs, user sees only the single, reduced record. To see all the flows, use the `blob_id` field,  which can be referenced from storage. The total flow count for that record matches the individual flows seen in the blob.
 
+The following query helps you look at all subnets interacting with non-Azure public IPs in the last 30 days.
+
+```
+NTANetAnalytics
+| where SubType == "FlowLog" and FlowStartTime >= ago(30d) and FlowType == "ExternalPublic"
+| project SrcSubnet, DestSubnet
+```
+
 # [**Network security group flow logs**](#tab/nsg)
 
 - All flow logs at a network security group between `FlowIntervalStartTime_t` and `FlowIntervalEndTime_t` are captured at one-minute intervals as blobs in a storage account.
@@ -41,8 +49,6 @@ Traffic analytics is a cloud-based solution that provides visibility into user a
 - `FlowStartTime_t` field indicates the first occurrence of such an aggregated flow (same four-tuple) in the flow log processing interval between `FlowIntervalStartTime_t` and `FlowIntervalEndTime_t`.
 - For any resource in traffic analytics, the flows indicated in the Azure portal are total flows seen by the network security group, but in Azure Monitor logs, user sees only the single, reduced record. To see all the flows, use the `blob_id` field,  which can be referenced from storage. The total flow count for that record matches the individual flows seen in the blob.
 
----
-
 The following query helps you look at all subnets interacting with non-Azure public IPs in the last 30 days.
 
 ```
@@ -87,9 +93,10 @@ The previous query constructs a URL to access the blob directly. The URL with pl
 
 ```
 https://{storageAccountName}@insights-logs-networksecuritygroupflowevent/resoureId=/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroup}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{networkSecurityGroupName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json
-
 ```
 
+---
+
 ## Traffic analytics schema
 
 Traffic analytics is built on top of Azure Monitor logs, so you can run custom queries on data decorated by traffic analytics and set alerts.
