articles/azure-monitor/logs/query-audit.md
Lines changed: 1 addition & 1 deletion
@@ -62,7 +62,7 @@ An audit record is created each time a query is run. If you send the data to a L
62
62
|:---|:---|
63
63
|AAPBI|[Log Analytics integration with Power BI](../logs/log-powerbi.md).|
64
64
|AppAnalytics|Experiences of Log Analytics in the Azure portal.|
65
-
|AppInsightsPortalExtension|[Workbooks](../visualize/workbooks-data-sources.md#logs) or [Application insights](../app/app-insights-overview.md).|
65
+
|AppInsightsPortalExtension|[Workbooks](../visualize/workbooks-data-sources.md#logs-analytics-tables-application-insights) or [Application insights](../app/app-insights-overview.md).|
You can use Kusto query language (KQL) queries that transform the underlying resource data to select a result set that can be visualized as text, charts, or grids.
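Review bot: The new fragment in the AppInsightsPortalExtension row of query-audit.md, `#logs-analytics-tables-application-insights`, depends on a heading in workbooks-data-sources.md that none of the visible hunks show, so the link cannot be verified from this diff. Please confirm that the renamed heading produces exactly this slug, and check for other inbound links that still point at the old `#logs` fragment, since they will stop resolving to a section once the heading is renamed.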
@@ -47,6 +48,22 @@ See also: [Workbooks best practices and hints for logs queries](workbooks-create
47
48
48
49
Tutorial: [Making resource centric log queries in workbooks](workbooks-create-workbook.md#tutorial---resource-centric-logs-queries-in-workbooks)
49
50
51
+
## Logs (Basic and Auxiliary Tables)
52
+
53
+
Workbooks also supports querying Log Analytics Basic and Auxiliary tables through a separate `Logs (Basic)` data source. Basic and Auxiliary logs tables reduce the cost of ingesting high-volume verbose logs and let you query the data they store with some limitations.
54
+
55
+
56
+
> [!NOTE]
57
+
> Basic and Auxiliary logs and the workbook `Logs (Basic)` data source have limitations compared to the `Log (Analytics)` data source, most notably
58
+
> **Extra cost*, including per-query costs. See [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/) for details.
59
+
> * Basic logs does not support the full KQL language
60
+
> * Basic logs only operates on single Log Analyics Workspace, it does not have cross-resource or resource centric query support.
61
+
> * Basic logs does not support "set in query" style time ranges, an explicit time range (or parameter) must be specified.
62
+
63
+
For a full list of details and limitations, see [Query data in a Basic and Auxiliary table in Azure Monitor Logs](../logs/basic-logs-query.md)
64
+
65
+
See also: [Log Analytics query optimization tips](../logs/query-optimization.md)
66
+
50
67
## Metrics
51
68
52
69
Azure resources emit [metrics](../essentials/data-platform-metrics.md) that can be accessed via workbooks. Metrics can be accessed in workbooks through a specialized control that allows you to specify the target resources, the desired metrics, and their aggregation. You can then plot this data in charts or grids.
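Review bot: The list in the new NOTE under "Logs (Basic and Auxiliary Tables)" is malformed: the first item reads `> **Extra cost*, including per-query costs.`, which is neither a bullet nor valid bold, and the lead-in sentence ends at "most notably" with no colon. Suggest `> * Extra cost, including per-query costs.` so it renders as the first of four bullets. In the same block, the data source is called `Log (Analytics)` where the rest of the section uses the `Logs (...)` form, "Analyics" should be "Analytics", "operates on single Log Analytics Workspace, it does not" needs an article and a sentence break, and the "For a full list of details and limitations" line is missing its closing period. Since per-query cost is the first limitation listed, it deserves to render correctly.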
@@ -59,22 +76,22 @@ Azure resources emit [metrics](../essentials/data-platform-metrics.md) that can
59
76
60
77
Workbooks support querying for resources and their metadata by using Azure Resource Graph. This functionality is primarily used to build custom query scopes for reports. The resource scope is expressed via a KQL subset that Resource Graph supports, which is often sufficient for common use cases.
61
78
62
-
To make a query control that uses this data source, use the **Query type** dropdown and select **Azure Resource Graph**. Then select the subscriptions to target. Use **Query control** to add the Resource Graph KQL subset that selects an interesting resource subset.
79
+
To make a query control that uses this data source, use the **Query type** dropdown and select **Azure Resource Graph**. Then choose at which level of data you wish to target, either Subscriptions, Management groups, or the entire Tenant/Directory. Then select the subscriptions to target. Use **Query control** to add the Resource Graph KQL query that selects an interesting resource subset.
63
80
<!-- convertborder later -->
64
81
:::image type="content" source="./media/workbooks-data-sources/azure-resource-graph.png" lightbox="./media/workbooks-data-sources/azure-resource-graph.png" alt-text="Screenshot that shows an Azure Resource Graph KQL query." border="false":::
65
82
66
83
## Azure Resource Manager
67
84
68
85
Azure Workbooks supports Azure Resource Manager REST operations so that you can query the management.azure.com endpoint without providing your own authorization header token.
69
86
70
-
To make a query control that uses this data source, use the **Data source** dropdown and select **Azure Resource Manager**. Provide the appropriate parameters, such as **Http method**, **url path**, **headers**, **url parameters**, and **body**. Azure Resource Manager data source is intended to be used as a data source to power data *visualizations*; as such, it does not support `PUT` or `PATCH` operations. The data source supports the following HTTP methods, with these expecations and limitations:
87
+
To make a query control that uses this data source, use the **Data source** dropdown and select **Azure Resource Manager**. Provide the appropriate parameters, such as **Http method**, **url path**, **headers**, **url parameters**, and **body**. Azure Resource Manager data source is intended to be used as a data source to power data *visualizations*; as such, it does not support `PUT` or `PATCH` operations. The data source supports the following HTTP methods, with these expecations and limitations:
71
88
72
89
*`GET` - the most common operation for visualization, execute a query and parse the `JSON` result using settings in the "Result Settings" tab.
73
-
*`GETARRAY` - for ARM APIs that may return multiple "pages" of results using the ARM standard `nextLink` or `@odata.nextLink` style response (See [Async operations, throttling, and paging](/rest/api/azure/#async-operations-throttling-and-paging), this method will make followup calls to the API for each `nextLink`, and merge those results into an array of results.
90
+
*`GETARRAY` - for ARM APIs that may return multiple "pages" of results using the ARM standard `nextLink` or `@odata.nextLink` style response (See [Async operations, throttling, and paging](/rest/api/azure/#async-operations-throttling-and-paging), this method makes followup calls to the API for each `nextLink` result, and merge those results into an array of results.
74
91
*`POST` - This method is used for APIs that pass information in a POST body.
75
92
76
93
> [!NOTE]
77
-
> The Azure Resource Manager data source only supports results that return a 200 `OK` response, indicating the result is synchronous. APIs returning asynchronous results with 202 `ACCEPTED` asynchronous result and a header with a result URL are not supported.
94
+
> The Azure Resource Manager data source only supports results that return a 200 `OK` response, indicating the result is synchronous. APIs returning asynchronous results with 202 `ACCEPTED` asynchronous result and a header with a result URL are not supported.
78
95
79
96
## Azure Data Explorer
80
97
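Review bot: The rewritten Azure Resource Graph paragraph contradicts itself: it now offers Subscriptions, Management groups, or the entire Tenant/Directory as the target level, but keeps the old sentence "Then select the subscriptions to target", which only applies to the first option. Suggest something like "Then choose the level to target (subscriptions, management groups, or the entire tenant/directory) and select the specific scopes." In the `GETARRAY` bullet, "this method makes followup calls ... and merge those results" needs "merges", and the parenthesis opened at "(See" is never closed. The changes to the **Data source** paragraph and the 200 `OK` note appear to be whitespace-only, which leaves the existing typo "expecations" and the duplicated "asynchronous results with 202 `ACCEPTED` asynchronous result" in place; worth fixing while these lines are being touched.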
@@ -87,7 +104,7 @@ See also: [Azure Data Explorer query best practices](/azure/data-explorer/kusto/
87
104
88
105
## JSON
89
106
90
-
The JSON provider allows you to create a query result from static JSON content. It's most commonly used in parameters to create dropdown parameters of static values. Simple JSON arrays or objects will automatically be converted into grid rows and columns. For more specific behaviors, you can use the **Results** tab and JSONPath settings to configure columns.
107
+
The JSON provider allows you to create a query result from static JSON content. It's most commonly used in parameters to create dropdown parameters of static values. Simple JSON arrays or objects are converted into grid rows and columns. For more specific behaviors, you can use the **Results** tab and JSONPath settings to configure columns.
91
108
92
109
> [!NOTE]
93
110
> Do *not* include sensitive information in fields like headers, parameters, body, and URL, because they'll be visible to all the workbook users.
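Review bot: The NOTE that follows the edited JSON paragraph warns about "headers, parameters, body, and URL", none of which the JSON provider paragraph describes; the thing a reader enters here is the static JSON content itself. Since this hunk already touches the section, consider rewording the note so it names the JSON content as something that will be visible to all workbook users, and keep the headers/body/URL wording for the providers that actually take those fields. The wording change from "will automatically be converted" to "are converted" is fine.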
@@ -98,15 +115,15 @@ This provider supports [JSONPath](workbooks-jsonpath.md).
98
115
99
116
Merging data from different sources can enhance the insights experience. An example is augmenting active alert information with related metric data. Merging data allows users to see not just the effect (an active alert) but also potential causes, for example, high CPU usage. The monitoring domain has numerous such correlatable data sources that are often critical to the triage and diagnostic workflow.
100
117
101
-
With workbooks, you can query different data sources. Workbooks also provide simple controls that you can use to merge or join data to provide rich insights. The *merge* control is the way to achieve it. A single merge data source can do many merges in one step. For example, a *single* merge data source can merge results from a step using Azure Resource Graph with Azure Metrics, and then merge that result with another step using the Azure Resource Manager data source in one query item.
118
+
With workbooks, you can query different data sources. Workbooks also provide simple controls that you can use to merge or join data to provide rich insights. The *merge* control is the way to achieve it. A single merge data source can do many merges in one step. For example, a *single* merge data source can merge results from a step using Azure Resource Graph with Azure Metrics, and then merge that result with another step using the Azure Resource Manager data source in one query item.
102
119
103
120
> [!NOTE]
104
121
> Although hidden query and metrics steps run if they're referenced by a merge step, hidden query items that use the merge data source don't run while hidden.
105
122
> A step that uses merge and attempts to reference a hidden step by using merge data source won't run until that hidden step becomes visible.
106
-
> A single merge step can merge many data sources at once. There's rarely a case where a merge data source will reference another merge data source.
123
+
> A single merge step can merge many data sources at once. There's rarely a case where a merge data source will reference another merge data source.
107
124
108
125
109
-
### Combine alerting data with Log Analytics VM performance data
126
+
### Combine alerting data with Log Analytics Virtual Machine (VM) performance data
110
127
111
128
The following example combines alerting data with Log Analytics VM performance data to get a rich insights grid.
112
129
<!-- convertborder later -->
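Review bot: Renaming the heading to "Combine alerting data with Log Analytics Virtual Machine (VM) performance data" changes the generated anchor for this section, so any existing link to the old slug will break; please check for inbound links before merging. The sentence directly under the heading still says "Log Analytics VM performance data", so spelling out the acronym in the heading only is inconsistent; expanding it on first use in the body text would keep the heading and anchor stable. The other two changed lines in this hunk look like whitespace-only edits and could be dropped from the commit to keep the diff focused.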
@@ -142,13 +159,13 @@ Workbooks support getting data from any external source. If your data lives outs
142
159
143
160
To make a query control that uses this data source, use the **Data source** dropdown and select **Custom Endpoint**. Provide the appropriate parameters, such as **Http method**, **url**, **headers**, **url parameters**, and **body**. Make sure your data source supports [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS). Otherwise, the request will fail.
144
161
145
-
To avoid automatically making calls to untrusted hosts when you use templates, you need to mark the used hosts as trusted. You can either select **Add as trusted** or add it as a trusted host in workbook settings. These settings will be saved in [browsers that support IndexDb with web workers](https://caniuse.com/#feat=indexeddb).
162
+
To avoid automatically making calls to untrusted hosts when you use templates, you need to mark the used hosts as trusted. You can either select **Add as trusted** or add it as a trusted host in workbook settings. These settings are saved locally in [browsers that support IndexDb with web workers](https://caniuse.com/#feat=indexeddb).
146
163
147
164
This provider supports [JSONPath](workbooks-jsonpath.md).
148
165
149
166
## Workload health
150
167
151
-
Azure Monitor has functionality that proactively monitors the availability and performance of Windows or Linux guest operating systems. Azure Monitor models key components and their relationships, criteria for how to measure the health of those components, and which components alert you when an unhealthy condition is detected. With workbooks, you can use this information to create rich interactive reports.
168
+
Azure Monitor has functionality that proactively monitors the availability and performance of Windows or Linux guest operating systems. Azure Monitor models key components and their relationships, criteria for how to measure the health of those components, and can alert you when an unhealthy condition is detected. With workbooks, you can use this information to create rich interactive reports.
152
169
153
170
To make a query control that uses this data source, use the **Query type** dropdown to select **Workload Health**. Then select subscription, resource group, or VM resources to target. Use the health filter dropdowns to select an interesting subset of health incidents for your analytic needs.
154
171
<!-- convertborder later -->
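Review bot: In the trusted-hosts paragraph, "These settings are saved locally in browsers that support IndexDb" states where the setting lives but not what follows from it for the reader. If the trusted-host list is per browser, say so explicitly, for example that a host marked trusted in one browser has to be marked trusted again in another, because this setting is what stops a template from calling an untrusted host automatically. The feature name should also be "IndexedDB", matching the linked `#feat=indexeddb` page. In the Workload health paragraph, the new "and can alert you" breaks the list it sits in ("models key components ..., criteria ..., and can alert you"); split it into a second sentence or restore a parallel noun phrase.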
@@ -164,9 +181,9 @@ To make a query control that uses this data source, use the **Query type** dropd
164
181
165
182
## Azure RBAC
166
183
167
-
The Azure role-based access control (RBAC) provider allows you to check permissions on resources. It's most commonly used in parameters to check if the correct RBACs are set up. A use case would be to create a parameter to check deployment permission and then notify the user if they don't have deployment permission.
184
+
The Azure role-based access control (RBAC) provider allows you to check permissions on resources. It's can be used in parameters to check if the correct RBACs are set up. A use case would be to create a parameter to check deployment permission and then notify the user if they don't have deployment permission.
168
185
169
-
Simple JSON arrays or objects will automatically be converted into grid rows and columns or text with a `hasPermission` column with either true or false. The permission is checked on each resource and then either `or` or `and` to get the result. The [operations or actions](../../role-based-access-control/resource-provider-operations.md) can be a string or an array.
186
+
Simple JSON arrays or objects are converted into grid rows and columns or text with a `hasPermission` column with either true or false. The permission is checked on each resource and then either `or` or `and` to get the result. The [operations or actions](../../role-based-access-control/resource-provider-operations.md) can be a string or an array.
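Review bot: The edited first paragraph of the Azure RBAC section introduces a grammar error: "It's can be used in parameters" should be "It can be used in parameters". In the second paragraph, "The permission is checked on each resource and then either `or` or `and` to get the result" is missing its verb; something like "and the per-resource results are then combined with either `or` or `and`" would make the evaluation rule unambiguous, which matters because the two operators give different answers when a user has the permission on only some of the resources. The opening "Simple JSON arrays or objects are converted" sentence reads as carried over from the JSON provider text; consider describing what the RBAC provider itself returns, namely the `hasPermission` column.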