Merge pull request #226515 from guywi-ms/law-service-and-resource-health

v-ccolin · web-flow · commit 97336fd56590 · 2023-02-09T10:07:17.000Z
LAW service and resource health
diff --git a/articles/azure-monitor/logs/data-ingestion-time.md b/articles/azure-monitor/logs/data-ingestion-time.md
@@ -2,8 +2,8 @@
 title: Log data ingestion time in Azure Monitor | Microsoft Docs
 description: This article explains the different factors that affect latency in collecting log data in Azure Monitor.
 ms.topic: conceptual
-author: bwren
-ms.author: bwren
+author: guywi-ms
+ms.author: guywild
 ms.reviewer: eternovsky
 ms.date: 03/21/2022
 
@@ -12,13 +12,13 @@ ms.date: 03/21/2022
 # Log data ingestion time in Azure Monitor
 Azure Monitor is a high-scale data service that serves thousands of customers that send terabytes of data each month at a growing pace. There are often questions about the time it takes for log data to become available after it's collected. This article explains the different factors that affect this latency.
 
-## Typical latency
-Latency refers to the time that data is created on the monitored system and the time that it becomes available for analysis in Azure Monitor. The typical latency to ingest log data is *between 20 seconds and 3 minutes*. The specific latency for any particular data will vary depending on several factors that are explained in this article.
+## Average latency
+Latency refers to the time that data is created on the monitored system and the time that it becomes available for analysis in Azure Monitor. The average latency to ingest log data is *between 20 seconds and 3 minutes*. The specific latency for any particular data will vary depending on several factors that are explained in this article.
 
 ## Factors affecting latency
 The total ingestion time for a particular set of data can be broken down into the following high-level areas:
 
-- **Agent time**: The time to discover an event, collect it, and then send it to an Azure Monitor Logs ingestion point as a log record. In most cases, this process is handled by an agent. More latency might be introduced by the network.
+- **Agent time**: The time to discover an event, collect it, and then send it to a [data collection endpoint](../essentials/data-collection-endpoint-overview.md) as a log record. In most cases, this process is handled by an agent. More latency might be introduced by the network.
 - **Pipeline time**: The time for the ingestion pipeline to process the log record. This time period includes parsing the properties of the event and potentially adding calculated information.
 - **Indexing time**: The time spent to ingest a log record into an Azure Monitor big data store.
 
@@ -48,15 +48,15 @@ To ensure the Log Analytics agent is lightweight, the agent buffers logs and per
 
 **Varies**
 
-Network conditions might negatively affect the latency of this data to reach an Azure Monitor Logs ingestion point.
+Network conditions might negatively affect the latency of this data to reach a data collection endpoint.
 
 ### Azure metrics, resource logs, activity log
 
 **30 seconds to 15 minutes**
 
-Azure data adds more time to become available at an Azure Monitor Logs ingestion point for processing:
+Azure data adds more time to become available at a data collection endpoint for processing:
 
-- **Azure platform metrics** are available in under a minute in the metrics database, but they take another 3 minutes to be exported to the Azure Monitor Logs ingestion point.
+- **Azure platform metrics** are available in under a minute in the metrics database, but they take another 3 minutes to be exported to the data collection endpoint.
 - **Resource logs** typically add 30 to 90 seconds, depending on the Azure service. Some Azure services (specifically, Azure SQL Database and Azure Virtual Network) currently report their logs at 5-minute intervals. Work is in progress to improve this time further. To examine this latency in your environment, see the [query that follows](#check-ingestion-time).
 - **Activity log** data is ingested in 30 seconds when you use the recommended subscription-level diagnostic settings to send them into Azure Monitor Logs. They might take 10 to 15 minutes if you instead use the legacy integration.
 
@@ -75,7 +75,7 @@ To determine a solution's collection frequency, see the [documentation for each
 
 **30 to 60 seconds**
 
-After the data is available at an ingestion point, it takes another 30 to 60 seconds to be available for querying.
+After the data is available at the data collection endpoint, it takes another 30 to 60 seconds to be available for querying.
 
 After log records are ingested into the Azure Monitor pipeline (as identified in the [_TimeReceived](./log-standard-columns.md#_timereceived) property), they're written to temporary storage to ensure tenant isolation and to make sure that data isn't lost. This process typically adds 5 to 15 seconds.
 
@@ -107,7 +107,7 @@ Ingestion time might vary for different resources under different circumstances.
 | Step | Property or function | Comments |
 |:---|:---|:---|
 | Record created at data source | [TimeGenerated](./log-standard-columns.md#timegenerated) <br>If the data source doesn't set this value, it will be set to the same time as _TimeReceived. | If at processing time the Time Generated value is older than 3 days, the row will be dropped. |
-| Record received by Azure Monitor ingestion endpoint | [_TimeReceived](./log-standard-columns.md#_timereceived) | This field isn't optimized for mass processing and shouldn't be used to filter large datasets. |
+| Record received by the data collection endpoint | [_TimeReceived](./log-standard-columns.md#_timereceived) | This field isn't optimized for mass processing and shouldn't be used to filter large datasets. |
 | Record stored in workspace and available for queries | [ingestion_time()](/azure/kusto/query/ingestiontimefunction) | We recommend using `ingestion_time()` if there's a need to filter only records that were ingested in a certain time window. In such cases, we recommend also adding a `TimeGenerated` filter with a larger range. |
 
 ### Ingestion latency delays
diff --git a/articles/azure-monitor/logs/log-analytics-workspace-health.md b/articles/azure-monitor/logs/log-analytics-workspace-health.md
@@ -0,0 +1,63 @@
+---
+title: Monitor Log Analytics workspace health
+description: This article how to monitor the health of a Log Analytics workspace and set up alerts about latency issues specific to the Log Analytics workspace or related to known Azure service issues.
+ms.topic: how-to
+author: guywi-ms
+ms.author: guywild
+ms.reviewer: MeirMen
+ms.date: 02/07/2023
+
+#Customer-intent: As a Log Analytics workspace administrator, I want to know when there are latency issues in a Log Analytics workspace, so I can act to resolve the issue, contact Microsoft for support, or track that is Azure is meeting its SLA.  
+---
+
+# Monitor Log Analytics workspace health
+
+[Azure Service Health](../../service-health/overview.md) monitors the health of your cloud resources, including Log Analytics workspaces. When a Log Analytics workspace is healthy, data you collect from resources in your IT environment is available for querying and analysis in a relatively short period of time, known as [latency](../logs/data-ingestion-time.md). This article explains how to view the health status of your Log Analytics workspace and set up alerts to track Log Analytics workspace health status changes.  
+
+Azure Service Health monitors:
+
+- [Resource health](../../service-health/resource-health-overview.md): information about the health of your individual cloud resources, such as a specific Log Analytics workspace. 
+- [Service health](../../service-health/service-health-overview.md): information about the health of the Azure services and regions you're using, which might affect your Log Analytics workspace, including communications about outages, planned maintenance activities, and other health advisories.
+
+## View Log Analytics workspace health and set up health status alerts 
+
+When Azure Service Health detects [average latency](../logs/data-ingestion-time.md#average-latency) in your Log Analytics workspace, the workspace resource health status is **Available**.
+
+To view your Log Analytics workspace health and set up health status alerts:
+ 
+1. Select **Resource health** from the Log Analytics workspace menu.
+
+    The **Resource health** screen shows:
+
+    - **Health history**: Indicates whether Azure Service Health has detected latency issues related to the specific Log Analytics workspace. To further investigate latency issues related to your workspace, see [Investigate latency](#investigate-log-analytics-workspace-health-issues).  
+    - **Azure service issues**: Displayed when a known issue with an Azure service might affect latency in the Log Analytics workspace. Select the message to view details about the service issue in Azure Service Health.
+   
+    > [!NOTE]
+    > Service health notifications do not indicate that your Log Analytics workspace is necessarily affected by the know service issue. If your Log Analytics workspace resource health status is **Available**, Azure Service Health did not detect issues in your workspace.  
+   
+    :::image type="content" source="media/data-ingestion-time/log-analytics-workspace-latency.png" lightbox="media/data-ingestion-time/log-analytics-workspace-latency.png" alt-text="Screenshot that shows the Resource health screen for a Log Analytics workspace.":::  
+    
+1. To set up health status alerts:
+    1. Select **Add resource health alert**.
+    
+        The **Create alert rule** wizard opens, with the **Scope** and **Condition** panes pre-populated. By default, the rule triggers alerts all status changes in all Log Analytics workspaces in the subscription. If necessary, you can edit and modify the scope and condition at this stage. 
+
+        :::image type="content" source="media/data-ingestion-time/log-analytics-workspace-latency-alert-rule.png" lightbox="media/data-ingestion-time/log-analytics-workspace-latency-alert-rule.png" alt-text="Screenshot that shows the Create alert rule wizard for Log Analytics workspace latency issues.":::  
+
+    1. Follow the rest of the steps in [Create a new alert rule in the Azure portal](../alerts/alerts-create-new-alert-rule.md#create-a-new-alert-rule-in-the-azure-portal). 
+
+## Investigate Log Analytics workspace health issues
+
+To investigate Log Analytics workspace health issues:
+
+- Use [Log Analytics Workspace Insights](../logs/log-analytics-workspace-insights-overview.md), which provides a unified view of your workspace usage, performance, health, agent, queries, and change log.
+- Query the data in your Log Analytics workspace to [understand which factors are contributing greater than expected latency in your workspace](../logs/data-ingestion-time.md).  
+- [Use the `_LogOperation` function to view and set up alerts about operational issues](../logs/monitor-workspace.md) logged in your Log Analytics workspace.
+
+## Next steps
+
+Learn more about:
+
+- [Log Analytics Workspace Insights](../logs/log-analytics-workspace-insights-overview.md).
+- [Querying log data in Azure Monitor Logs](../logs/get-started-queries.md).
+
diff --git a/articles/azure-monitor/logs/media/data-ingestion-time/log-analytics-workspace-latency-alert-rule.png b/articles/azure-monitor/logs/media/data-ingestion-time/log-analytics-workspace-latency-alert-rule.png
diff --git a/articles/azure-monitor/logs/media/data-ingestion-time/log-analytics-workspace-latency.png b/articles/azure-monitor/logs/media/data-ingestion-time/log-analytics-workspace-latency.png
diff --git a/articles/azure-monitor/logs/monitor-workspace.md b/articles/azure-monitor/logs/monitor-workspace.md
@@ -1,13 +1,13 @@
 ---
-title: Monitor health of Log Analytics workspace in Azure Monitor
+title: Monitor operational issues logged in your Azure Monitor Log Analytics workspace 
 description: The article describes how to monitor the health of your Log Analytics workspace by using data in the Operation table.
-ms.topic: conceptual
-ms.reviewer: shemers
+ms.topic: how-to
+ms.reviewer: MeirMen
 ms.date: 03/21/2022
 
 ---
 
-# Monitor health of a Log Analytics workspace in Azure Monitor
+# Monitor operational issues in your Azure Monitor Log Analytics workspace
 
 To maintain the performance and availability of your Log Analytics workspace in Azure Monitor, you need to be able to proactively detect any issues that arise. This article describes how to monitor the health of your Log Analytics workspace by using data in the [Operation](/azure/azure-monitor/reference/tables/operation) table. This table is included in every Log Analytics workspace. It contains error messages and warnings that occur in your workspace. We recommend that you create alerts for issues with the level of Warning and Error.
 
diff --git a/articles/azure-monitor/toc.yml b/articles/azure-monitor/toc.yml
@@ -506,13 +506,16 @@ items:
             href: logs/availability-zones.md
         - name: Monitor
           items:
-          - name: Monitor a workspace
-            href: logs/monitor-workspace.md
-          - name: Analyze usage and cost
-            href: logs/analyze-usage.md
+          - name: Monitor Log Analytics workspace health
+            displayName: latency
+            href: logs/log-analytics-workspace-health.md
+          - name: Monitor operational issues
+            href: logs/monitor-workspace.md     
           - name: Log data ingestion time
             displayName: latency
             href: logs/data-ingestion-time.md
+          - name: Analyze usage and cost
+            href: logs/analyze-usage.md   
         - name: Move and delete
           items:
           - name: Move a workspace
