Merge pull request #58088 from bwren/cross-resource

 Azure Monitor cross resource queries

Author: v-shils

articles/azure-monitor/toc.yml

@@ -691,6 +691,8 @@
           href: ../log-analytics/query-language/advanced-query-writing.md?toc=/azure/azure-monitor/toc.json
         - name: Charts and diagrams
           href: ../log-analytics/query-language/charts.md?toc=/azure/azure-monitor/toc.json
+        - name: Functions
+          href: ../log-analytics/query-language/functions.md?toc=/azure/azure-monitor/toc.json
       - name: Cheatsheets
         items:
         - name: SQL

articles/log-analytics/log-analytics-cross-workspace-search.md

@@ -12,7 +12,7 @@ ms.workload: na
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 04/17/2018
+ms.date: 11/15/2018
 ms.author: magoedte
 ms.component: 
 ---
@@ -86,7 +86,7 @@ Identifying an application in Application Insights can be accomplished with the
     ```
 
 ### Performing a query across multiple resources
-You can query multiple resorces from any of your resource instances, these can be workspaces and apps combined.
+You can query multiple resources from any of your resource instances, these can be workspaces and apps combined.
     
 Example for query across two workspaces:    
 
@@ -97,6 +97,36 @@ union Update, workspace("contosoretail-it").Update, workspace("b459b4u5-912x-46d
 | summarize dcount(Computer) by Classification
 ```
 
+## Using cross-resource query for multiple resources
+When using cross-resource queries to correlate data from multiple Log Analytics and Application Insights resources, the query can become complex and difficult to maintain. You should leverage [functions in Log Analytics](query-language/functions.md) to separate the query logic from the scoping of the query resources, which simplifies the query structure. The following example demonstrates how you can monitor multiple Application Insights resources and visualize the count of failed requests by application name. 
+
+Create a query like the following that references the scope of Application Insights resources. The `withsource= SourceApp` command adds a column that designates the application name that sent the log. [Save the query as function](query-language/functions.md#create-a-function) with the alias _applicationsScoping_.
+
+```Kusto
+// crossResource function that scopes my Application Insights resources
+union withsource= SourceApp
+app('Contoso-app1').requests, 
+app('Contoso-app2').requests,
+app('Contoso-app3').requests,
+app('Contoso-app4').requests,
+app('Contoso-app5').requests
+```
+
+
+
+You can now [use this function](query-language/functions.md#use-a-function) in a cross-resource query like the following. The function alias _applicationsScoping_ returns the union of the requests table from all the defined applications. The query then filters for failed requests and visualizes the trends by application. The _parse_ operator is optional in this example. It extracts the application name from _SourceApp_ property.
+
+```Kusto
+applicationsScoping 
+| where timestamp > ago(12h)
+| where success == 'False'
+| parse SourceApp with * '(' applicationName ')' * 
+| summarize count() by applicationName, bin(timestamp, 1h) 
+| sort by count_ desc 
+| render timechart
+```
+![Timechart](media/log-analytics-cross-workspace-search/chart.png)
+
 ## Next steps
 
 Review the [Log Analytics log search reference](https://docs.microsoft.com/azure/log-analytics/query-language/kusto) to view all of the query syntax options available in Log Analytics.    

articles/log-analytics/media/log-analytics-cross-workspace-search/chart.png

@@ -12,7 +12,7 @@ ms.workload: na
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 08/16/2018
+ms.date: 11/15/2018
 ms.author: bwren
 ms.component: na
 ---
@@ -73,28 +73,6 @@ Event
 | project TimeGenerated, USTimeGenerated, Source, Computer, EventLevel, EventData 
 ```
 
-## Functions
-You can save a query with a function alias so it can be referenced by other queries. For example, the following standard query returns all missing security updates reported in the last day:
-
-```Kusto
-Update
-| where TimeGenerated > ago(1d) 
-| where Classification == "Security Updates" 
-| where UpdateState == "Needed"
-```
-
-You can save this query as a function and give it an alias such as _security_updates_last_day_. Then you can use it in another query to search for SQL-related needed security updates:
-
-```Kusto
-security_updates_last_day | where Title contains "SQL"
-```
-
-To save a query as a function, select the **Save** button in the portal and change **Save as** to _Function_. The function alias can contain letters, digits, or underscores but must start with a letter or an underscore.
-
-> [!NOTE]
-> Saving a function is possible in Log Analytics queries, but currently not for Application Insights queries.
-
-
 ## Print
 `print` will return a table with a single column and a single row, showing the result of a calculation. This is often used in cases where you need a simple calcuation. For example, to find the current time in PST and add a column with EST:
 

articles/log-analytics/query-language/advanced-query-writing.md

@@ -0,0 +1,78 @@
+---
+title: Functions Azure Log Analytics | Microsoft Docs
+description: This article describes how to use functions to call a query from another query in Log Analytics.
+services: log-analytics
+documentationcenter: ''
+author: bwren
+manager: carmonm
+editor: ''
+ms.assetid: 
+ms.service: log-analytics
+ms.workload: na
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: conceptual
+ms.date: 11/15/2018
+ms.author: bwren
+ms.component: na
+---
+
+
+# Using functions in Azure Monitor Log Analytics
+
+> [!NOTE]
+> You should complete [Get started with the Analytics portal](get-started-analytics-portal.md) and [Getting started with queries](get-started-queries.md) before completing this lesson.
+
+[!INCLUDE [log-analytics-demo-environment](../../../includes/log-analytics-demo-environment.md)]
+
+
+To use a Log Analytics query with another query you can save it as a function. This allows you to simplify complex queries by breaking them into parts and allows you to reuse common code with multiple queries.
+
+## Create a function
+
+Create a function in the Azure portal by clicking **Save** and then providing the information in the following table.
+
+| Setting | Description |
+|:---|:---|
+| Name           | Display name for the query in **Query explorer**. |
+| Save as        | Function |
+| Function Alias | Short name to use the function in other queries. May not contain spaces and must be unique. |
+| Category       | A category to organize saved queries and functions in **Query explorer**. |
+
+> [!NOTE]
+> A function in Log Analytics cannot contain another function.
+
+> [!NOTE]
+> Saving a function is possible in Log Analytics queries, but currently not for Application Insights queries.
+
+
+
+## Use a function
+Use a function by including its alias in another query. It can be used like any other table.
+
+## Example
+The following sample query returns all missing security updates reported in the last day. Save this query as a function with the alias _security_updates_last_day_. 
+
+```Kusto
+Update
+| where TimeGenerated > ago(1d) 
+| where Classification == "Security Updates" 
+| where UpdateState == "Needed"
+```
+
+Create another to search for SQL-related needed security updates.
+
+```Kusto
+security_updates_last_day | where Title contains "SQL"
+```
+
+## Next steps
+See other lessons for using the Log Analytics query language:
+
+- [String operations](string-operations.md)
+- [Date and time operations](datetime-operations.md)
+- [Aggregation functions](aggregations.md)
+- [Advanced aggregations](advanced-aggregations.md)
+- [JSON and data structures](json-data-structures.md)
+- [Joins](joins.md)
+- [Charts](charts.md)