MicrosoftDocs
diff --git a/‎articles/azure-monitor/logs/analyze-usage.md
Lines changed: 3 additions & 3 deletions b/‎articles/azure-monitor/logs/analyze-usage.md
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/azure-monitor/logs/log-analytics-tutorial.md
Lines changed: 42 additions & 15 deletions b/‎articles/azure-monitor/logs/log-analytics-tutorial.md
Lines changed: 42 additions & 15 deletions
diff --git a/‎articles/azure-monitor/logs/media/log-analytics-tutorial/expand-query-search-result.png
128 KB b/‎articles/azure-monitor/logs/media/log-analytics-tutorial/expand-query-search-result.png
128 KB
diff --git a/‎articles/azure-monitor/logs/media/log-analytics-tutorial/expand-record.png
-157 KB b/‎articles/azure-monitor/logs/media/log-analytics-tutorial/expand-record.png
-157 KB
diff --git a/‎articles/azure-monitor/logs/media/log-analytics-tutorial/log-analytics-pivot-table.png
127 KB b/‎articles/azure-monitor/logs/media/log-analytics-tutorial/log-analytics-pivot-table.png
127 KB
diff --git a/‎articles/azure-monitor/logs/media/log-analytics-tutorial/log-analytics-query-scope.png
33.2 KB b/‎articles/azure-monitor/logs/media/log-analytics-tutorial/log-analytics-query-scope.png
33.2 KB
diff --git a/‎articles/azure-monitor/logs/media/log-analytics-tutorial/preview-data.png
128 KB b/‎articles/azure-monitor/logs/media/log-analytics-tutorial/preview-data.png
128 KB
diff --git a/‎articles/azure-monitor/logs/media/log-analytics-tutorial/query-filter-pane.png
185 KB b/‎articles/azure-monitor/logs/media/log-analytics-tutorial/query-filter-pane.png
185 KB
diff --git a/‎articles/azure-monitor/logs/media/log-analytics-tutorial/query-filter.png
187 KB b/‎articles/azure-monitor/logs/media/log-analytics-tutorial/query-filter.png
187 KB
diff --git a/‎articles/azure-monitor/logs/media/log-analytics-tutorial/query-multiple-filters.png
169 KB b/‎articles/azure-monitor/logs/media/log-analytics-tutorial/query-multiple-filters.png
169 KB
@@ -96,7 +96,7 @@ Event
 Analyze the amount of billable data collect from a virtual machine or set of virtual machines. The **Usage** table doesn't include information about data collected from virtual machines, so these queries use the [find operator](/azure/data-explorer/kusto/query/findoperator) to search all tables that include a computer name. The **Usage** type is omitted because this is only for analytics of data trends. 
 
 > [!WARNING]
-> Use [find](/azure/data-explorer/kusto/query/findoperator?pivots=azuremonitor) queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-performance-pane) to execute. If you don't need results per subscription, resource group, or resource name, use the [Usage](/azure/azure-monitor/reference/tables/usage) table as in the queries above.
+> Use [find](/azure/data-explorer/kusto/query/findoperator?pivots=azuremonitor) queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-details-pane) to execute. If you don't need results per subscription, resource group, or resource name, use the [Usage](/azure/azure-monitor/reference/tables/usage) table as in the queries above.
 
 **Billable data volume by computer**
 
@@ -122,7 +122,7 @@ find where TimeGenerated > ago(24h) project _IsBillable, Computer
 Analyze the amount of billable data collected from a particular resource or set of resources. These queries use the [_ResourceId](./log-standard-columns.md#_resourceid) and [_SubscriptionId](./log-standard-columns.md#_subscriptionid) columns for data from resources hosted in Azure. 
 
 > [!WARNING]
-> Use [find](/azure/data-explorer/kusto/query/findoperator?pivots=azuremonitor) queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-performance-pane) to execute. If you don't need results per subscription, resource group, or resource name, use the [Usage](/azure/azure-monitor/reference/tables/usage) table as in the queries above.
+> Use [find](/azure/data-explorer/kusto/query/findoperator?pivots=azuremonitor) queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-details-pane) to execute. If you don't need results per subscription, resource group, or resource name, use the [Usage](/azure/azure-monitor/reference/tables/usage) table as in the queries above.
 
 **Billable data volume by resource ID**
 
@@ -322,7 +322,7 @@ union (AppAvailabilityResults),
 If you don't have excessive data from any particular source, you may have an excessive number of agents that are sending data.
 
 > [!WARNING]
-> Use [find](/azure/data-explorer/kusto/query/findoperator?pivots=azuremonitor) queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-performance-pane) to execute. If you don't need results per subscription, resource group, or resource name, use the [Usage](/azure/azure-monitor/reference/tables/usage) table as in the queries above.
+> Use [find](/azure/data-explorer/kusto/query/findoperator?pivots=azuremonitor) queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-details-pane) to execute. If you don't need results per subscription, resource group, or resource name, use the [Usage](/azure/azure-monitor/reference/tables/usage) table as in the queries above.
 
 
 **Count of agent nodes that are sending a heartbeat each day in the last month**
 
@@ -1,13 +1,13 @@
 ---
 title: "Log Analytics tutorial"
-description: Learn from this tutorial how to use features of Log Analytics in Azure Monitor to build and run a log query and analyze its results in the Azure portal.
+description: Learn how to use Log Analytics in Azure Monitor to build and run a log query and analyze its results in the Azure portal.
 ms.topic: tutorial
 ms.date: 06/28/2021
 
 ---
 
 # Log Analytics tutorial
-Log Analytics is a tool in the Azure portal to edit and run log queries from data collected by Azure Monitor Logs and interactively analyze their results. You can use Log Analytics queries to retrieve records that match particular criteria, identify trends, analyze patterns, and provide a variety of insights into your data. 
+Log Analytics is a tool in the Azure portal to edit and run log queries from data collected by Azure Monitor Logs and interactively analyze their results. You can use Log Analytics queries to retrieve records that match particular criteria, identify trends, analyze patterns, and provide various insights into your data. 
 
 This tutorial walks you through the Log Analytics interface, gets you started with some basic queries, and shows you how you can work with the results. You'll learn the following:
 
@@ -30,7 +30,7 @@ Open the [Log Analytics demo environment](https://portal.azure.com/#blade/Micros
 
 You can view the scope in the upper-left corner of the screen. If you're using your own environment, you'll see an option to select a different scope. This option isn't available in the demo environment.
 
-:::image type="content" source="media/log-analytics-tutorial/scope.png" alt-text="Screenshot that shows the Log Analytics scope for the demo." lightbox="media/log-analytics-tutorial/scope.png":::
+:::image type="content" source="media/log-analytics-tutorial/log-analytics-query-scope.png" alt-text="Screenshot that shows the Log Analytics scope for the demo." lightbox="media/log-analytics-tutorial/log-analytics-query-scope.png":::
 
 ## View table information
 The left side of the screen includes the **Tables** tab, where you can inspect the tables that are available in the current scope. These tables are grouped by **Solution** by default, but you can change their grouping or filter them. 
@@ -41,7 +41,7 @@ Expand the **Log Management** solution and locate the **AppRequests** table. You
 
 Select the link below **Useful links** to go to the table reference that documents each table and its columns. Select **Preview data** to have a quick look at a few recent records in the table. This preview can be useful to ensure that this is the data that you're expecting before you run a query with it.
 
-:::image type="content" source="media/log-analytics-tutorial/sample-data.png" alt-text="Screenshot that shows sample data." lightbox="media/log-analytics-tutorial/sample-data.png":::
+:::image type="content" source="media/log-analytics-tutorial/preview-data.png" alt-text="Screenshot that shows preview data for the AppRequests table." lightbox="media/log-analytics-tutorial/preview-data.png":::
 
 ## Write a query
 Let's write a query by using the **AppRequests** table. Double-click its name to add it to the query window. You can also type directly in the window. You can even get IntelliSense that will help complete the names of tables in the current scope and Kusto Query Language (KQL) commands.
@@ -56,11 +56,11 @@ You can see that we do have results. The number of records that the query has re
 
 Let's add a filter to the query to reduce the number of records that are returned. Select the **Filter** tab on the left pane. This tab shows columns in the query results that you can use to filter the results. The top values in those columns are displayed with the number of records that have that value. Select **200** under **ResultCode**, and then select **Apply & Run**. 
 
-:::image type="content" source="media/log-analytics-tutorial/query-pane.png" alt-text="Screenshot that shows the query pane." lightbox="media/log-analytics-tutorial/query-pane.png":::
+:::image type="content" source="media/log-analytics-tutorial/query-filter-pane.png" alt-text="Screenshot that shows the query filter pane." lightbox="media/log-analytics-tutorial/query-filter-pane.png":::
 
 A **where** statement is added to the query with the value that you selected. The results now include only records with that value, so you can see that the record count is reduced.
 
-:::image type="content" source="media/log-analytics-tutorial/query-results-filter-01.png" alt-text="Screenshot that shows query results filtered." lightbox="media/log-analytics-tutorial/query-results-filter-01.png":::
+:::image type="content" source="media/log-analytics-tutorial/query-filter.png" alt-text="Screenshot that shows a filter being applied to the query." lightbox="media/log-analytics-tutorial/query-filter.png":::
 
 
 ### Time range
@@ -74,38 +74,65 @@ Let’s change the time range of the query by selecting **Last 12 hours** from t
 > [!NOTE]
 > Changing the time range using the **Time range** dropdown does not change the query in the query editor.
 
-:::image type="content" source="media/log-analytics-tutorial/query-results-max.png" alt-text="Screenshot that shows the time range." lightbox="media/log-analytics-tutorial/query-results-max.png":::
+:::image type="content" source="media/log-analytics-tutorial/query-time-range.png" alt-text="Screenshot that shows the time range." lightbox="media/log-analytics-tutorial/query-time-range.png":::
 
 
 ### Multiple query conditions
 Let's reduce our results further by adding another filter condition. A query can include any number of filters to target exactly the set of records that you want. Select **Get Home/Index** under **Name**, and then select **Apply & Run**. 
 
-:::image type="content" source="media/log-analytics-tutorial/query-results-filter-02.png" alt-text="Screenshot that shows query results with multiple filters." lightbox="media/log-analytics-tutorial/query-results-filter-02.png":::
+:::image type="content" source="media/log-analytics-tutorial/query-multiple-filters.png" alt-text="Screenshot that shows query results with multiple filters." lightbox="media/log-analytics-tutorial/query-multiple-filters.png":::
 
 
 ## Analyze results
 In addition to helping you write and run queries, Log Analytics provides features for working with the results. Start by expanding a record to view the values for all of its columns.
 
-:::image type="content" source="media/log-analytics-tutorial/expand-record.png" alt-text="Screenshot that shows expanding a record." lightbox="media/log-analytics-tutorial/expand-record.png":::
+:::image type="content" source="media/log-analytics-tutorial/expand-query-search-result.png" alt-text="Screenshot that shows a record expanded in the search results." lightbox="media/log-analytics-tutorial/expand-query-search-result.png":::
 
 Select the name of any column to sort the results by that column. Select the filter icon next to it to provide a filter condition. This is similar to adding a filter condition to the query itself, except that this filter is cleared if the query is run again. Use this method if you want to quickly analyze a set of records as part of interactive analysis.
 
-For example, set a filter on the **DurationMs** column to limit the records to those that took more than **100** milliseconds. 
+For example, set a filter on the **DurationMs** column to limit the records to those that took more than **150** milliseconds. 
 
 :::image type="content" source="media/log-analytics-tutorial/query-results-filter.png" alt-text="Screenshot that shows a query results filter." lightbox="media/log-analytics-tutorial/query-results-filter.png":::
 
-Instead of filtering the results, you can group records by a particular column. Clear the filter that you just created and then turn on the **Group columns** toggle. 
+### Search through query results
 
-:::image type="content" source="media/log-analytics-tutorial/query-results-group-columns.png" alt-text="Screenshot that shows turning on grouping of columns." lightbox="media/log-analytics-tutorial/query-results-group-columns.png":::
+Let's search through the query results using the search box at the top right of the results pane.
 
-Drag the **Url** column into the grouping row. Results are now organized by that column, and you can collapse each group to help you with your analysis.
+Enter **Chicago** in the query results search box and select the arrows to find all instances of this string in your search results.
 
-:::image type="content" source="media/log-analytics-tutorial/query-results-grouped.png" alt-text="Screenshot that shows query results grouped." lightbox="media/log-analytics-tutorial/query-results-grouped.png":::
+:::image type="content" source="media/log-analytics-tutorial/search-query-results.png" alt-text="Screenshot the search box at the top right of the result pane." lightbox="media/log-analytics-tutorial/search-query-results.png":::
+
+### Reorganize and summarize data
+
+To better visualize your data, you can reorganize and summarize the data in the query results based on your needs.
+
+Select **Columns** to the right of the results pane to open the **Columns** sidebar. 
+ 
+:::image type="content" source="media/log-analytics-tutorial/query-results-group-columns.png" alt-text="Screenshot the Column link at shows to the right of the results pane, which you select to open the Columns sidebar." lightbox="media/log-analytics-tutorial/query-results-group-columns.png":::
+
+In the sidebar, you'll see a list of all available columns. Drag the **Url** column into the **Row Group** section. Results are now organized by that column, and you can collapse each group to help you with your analysis. This is similar to adding a filter condition to the query, but instead of refetching data from the server, you're processing the data your original query returned. When you run the query again, Log Analytics retrieves data based on your original query. Use this method if you want to quickly analyze a set of records as part of interactive analysis.
+
+:::image type="content" source="media/log-analytics-tutorial/query-results-grouped.png" alt-text="Screenshot that shows query results grouped by URL." lightbox="media/log-analytics-tutorial/query-results-grouped.png":::
+### Create a pivot table
+
+To analyze the performance of your pages, create a pivot table. 
+
+In the **Columns** sidebar, select **Pivot Mode**. 
+
+Select **Url** and **DurationMs** to show the total duration of all calls to each URL.
+
+To view the maximum call duration to each URL, select **sum(DurationMs)** > **max**. 
+
+:::image type="content" source="media/log-analytics-tutorial/log-analytics-pivot-table.png" alt-text="Screenshot that shows how to turn on Pivot Mode and configure a pivot table based on the URL and DurationMS values." lightbox="media/log-analytics-tutorial/log-analytics-pivot-table.png":::
+
+Now let's sort the results by longest maximum call duration by selecting the **max(DurationMs)** column in the results pane.
+
+:::image type="content" source="media/log-analytics-tutorial/sort-pivot-table.png" alt-text="Screenshot the query results pane being sorted by the maximum DurationMS values." lightbox="media/log-analytics-tutorial/sort-pivot-table.png":::
 
 ## Work with charts
 Let's look at a query that uses numerical data that we can view in a chart. Instead of building a query, we'll select an example query.
 
-Select **Queries** on the left pane. This pane includes example queries that you can add to the query window. If you're using your own workspace, you should have a variety of queries in multiple categories. If you're using the demo environment, you might see only a single **Log Analytics workspaces** category. Expand that to view the queries in the category.
+Select **Queries** on the left pane. This pane includes example queries that you can add to the query window. If you're using your own workspace, you should have various queries in multiple categories. If you're using the demo environment, you might see only a single **Log Analytics workspaces** category. Expand that to view the queries in the category.
 
 Select the query called **Function Error rate** in the **Applications** category. This step adds the query to the query window. Notice that the new query is separated from the other by a blank line. A query in KQL ends when it encounters a blank line, so these are considered separate queries.