Merge pull request #286203 from kainawroth/kainawroth-tutorial-2

Updating Log Analytics tutorial doc [from PR #285439]

Author: v-dirichards

articles/azure-monitor/logs/log-analytics-tutorial.md

@@ -5,15 +5,15 @@ ms.topic: tutorial
 author: guywild
 ms.author: guywild
 ms.reviewer: roygal
-ms.date: 10/31/2023
+ms.date: 09/05/2024
 
 ---
 
 # Log Analytics tutorial
 
 Log Analytics is a tool in the Azure portal to edit and run log queries from data collected by Azure Monitor logs and interactively analyze their results. You can use Log Analytics queries to retrieve records that match particular criteria, identify trends, analyze patterns, and provide various insights into your data.
 
-This tutorial walks you through the Log Analytics interface, gets you started with some basic queries, and shows you how you can work with the results. You'll learn how to:
+This tutorial walks you through the Log Analytics interface, gets you started with some basic queries, and shows you how you can work with the results. You learn how to:
 
 > [!div class="checklist"]
 > * Understand the log data schema.
@@ -23,17 +23,20 @@ This tutorial walks you through the Log Analytics interface, gets you started wi
 > * Load, export, and copy queries and results.
 
 > [!IMPORTANT]
-> In this tutorial, you'll use Log Analytics features to build one query and use another example query. When you're ready to learn the syntax of queries and start directly editing the query itself, read the [Kusto Query Language tutorial](/azure/data-explorer/kusto/query/tutorial?pivots=azuremonitor). That tutorial walks you through example queries that you can edit and run in Log Analytics. It uses several of the features that you'll learn in this tutorial.
+> In this tutorial, you use Log Analytics features to build one query and use another example query. When you're ready to learn the syntax of queries and start directly editing the query itself, read the [Kusto Query Language tutorial](/azure/data-explorer/kusto/query/tutorial?pivots=azuremonitor). That tutorial walks you through example queries that you can edit and run in Log Analytics. It uses several of the features that you learn in this tutorial.
 
 ## Prerequisites
 
 This tutorial uses the [Log Analytics demo environment](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade), which includes plenty of sample data that supports the sample queries. You can also use your own Azure subscription, but you might not have data in the same tables.
 
+> [!NOTE]
+> Log Analytics has two modes - Simple and KQL. *This tutorial walks you through KQL mode.* For information on Simple mode, see [Analyze data using Log Analytics Simple mode (Preview)](log-analytics-simple-mode.md).
+
 ## Open Log Analytics
 
 Open the [Log Analytics demo environment](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade), or select **Logs** from the Azure Monitor menu in your subscription. This step sets the initial scope to a Log Analytics workspace so that your query selects from all data in that workspace. If you select **Logs** from an Azure resource's menu, the scope is set to only records from that resource. For details about the scope, see [Log query scope](./scope.md).
 
-You can view the scope in the upper-left corner of the screen. If you're using your own environment, you'll see an option to select a different scope. This option isn't available in the demo environment.
+You can view the scope in the upper-left corner of the Logs experience, below the name of your active query tab. If you're using your own environment, you see an option to select a different scope. This option isn't available in the demo environment.
 
 :::image type="content" source="media/log-analytics-tutorial/log-analytics-query-scope.png" alt-text="Screenshot that shows the Log Analytics scope for the demo." lightbox="media/log-analytics-tutorial/log-analytics-query-scope.png":::
 
@@ -45,19 +48,21 @@ Expand the **Log Management** solution and locate the **AppRequests** table. You
 
 :::image type="content" source="media/log-analytics-tutorial/table-details.png" alt-text="Screenshot that shows the Tables view." lightbox="media/log-analytics-tutorial/table-details.png":::
 
-Select the link below **Useful links** to go to the table reference that documents each table and its columns. Select **Preview data** to have a quick look at a few recent records in the table. This preview can be useful to ensure that this is the data that you're expecting before you run a query with it.
+* Select the link below **Useful links** (in this example [AppRequests](/azure/azure-monitor/reference/tables/AppRequests)) to go to the table reference that documents each table and its columns.
+
+* Select **Preview data** to have a quick look at a few recent records in the table. This preview can be useful to ensure it's the data you're expecting before you run a query with it.
 
 :::image type="content" source="media/log-analytics-tutorial/preview-data.png" alt-text="Screenshot that shows preview data for the AppRequests table." lightbox="media/log-analytics-tutorial/preview-data.png":::
 
 ## Write a query
 
-Let's write a query by using the **AppRequests** table. Double-click its name to add it to the query window. You can also type directly in the window. You can even get IntelliSense that will help complete the names of tables in the current scope and Kusto Query Language (KQL) commands.
+Let's write a query by using the **AppRequests** table. Double-click its name or hover over it and click on **Use in editor** to add it to the query window. You can also type directly in the window. You can even get IntelliSense which helps completing the names of tables in the current scope and Kusto Query Language (KQL) commands.
 
 This is the simplest query that we can write. It just returns all the records in a table. Run it by selecting the **Run** button or by selecting **Shift+Enter** with the cursor positioned anywhere in the query text.
 
 :::image type="content" source="media/log-analytics-tutorial/query-results.png" alt-text="Screenshot that shows query results." lightbox="media/log-analytics-tutorial/query-results.png":::
 
-You can see that we do have results. The number of records that the query has returned appears in the lower-right corner.
+You can see that we do have results. The number of records that the query returns appears in the lower-right corner. The maximum number of results that you can retrieve in the Log Analytics portal experience is 30,000.
 
 ### Time range
 
@@ -72,21 +77,30 @@ Let's change the time range of the query by selecting **Last 12 hours** from the
 
 :::image type="content" source="media/log-analytics-tutorial/query-time-range.png" alt-text="Screenshot that shows the time range." lightbox="media/log-analytics-tutorial/query-time-range.png":::
 
-### Multiple query conditions
+### Multiple filters
+
+Let's reduce our results further by adding another filter condition. A query can include any number of filters to target exactly the set of records that you want. On the left side of the screen where the **Tables** tab is active, select the **Filter** tab instead. If you can't find it, click on the ellipsis to view more tabs.
+
+On the **Filter** tab, select **Load old filters** to view the top 10 values for each filter.
 
-Let's reduce our results further by adding another filter condition. A query can include any number of filters to target exactly the set of records that you want. Select **Get Home/Index** under **Name**, and then select **Apply & Run**.
+:::image type="content" source="media/log-analytics-tutorial/load-old-filters.png" alt-text="Screenshot that shows the query tab with the option to load old filters." lightbox="media/log-analytics-tutorial/load-old-filters.png":::
+
+Select **Get Home/Index** under **Name**, then click on **Apply & Run**.
 
 :::image type="content" source="media/log-analytics-tutorial/query-multiple-filters.png" alt-text="Screenshot that shows query results with multiple filters." lightbox="media/log-analytics-tutorial/query-multiple-filters.png":::
 
 ## Analyze results
 
-In addition to helping you write and run queries, Log Analytics provides features for working with the results. Start by expanding a record to view the values for all of its columns.
+In addition to helping you write and run queries, Log Analytics provides features for working with the results. Start by expanding a record to view the values for all of its columns by clicking the chevron on the left side of the row.
 
 :::image type="content" source="media/log-analytics-tutorial/expand-query-search-result.png" alt-text="Screenshot that shows a record expanded in the search results." lightbox="media/log-analytics-tutorial/expand-query-search-result.png":::
 
 Select the name of any column to sort the results by that column. Select the filter icon next to it to provide a filter condition. This action is similar to adding a filter condition to the query itself, except that this filter is cleared if the query is run again. Use this method if you want to quickly analyze a set of records as part of interactive analysis.
 
-For example, set a filter on the **DurationMs** column to limit the records to those that took more than **150** milliseconds.
+Set a filter on the **DurationMs** column to limit the records to those that took more than **150** milliseconds.
+
+1. The results table allows you to filter just like in Excel. Select the ellipsis in the **Name** column header.
+1. Uncheck **Select All**, then search for **Get Home/Index** and check it. Filters are automatically applied to your results.
 
 :::image type="content" source="media/log-analytics-tutorial/query-results-filter.png" alt-text="Screenshot that shows a query results filter." lightbox="media/log-analytics-tutorial/query-results-filter.png":::
 
@@ -104,9 +118,9 @@ To better visualize your data, you can reorganize and summarize the data in the
 
 Select **Columns** to the right of the results pane to open the **Columns** sidebar.
 
-:::image type="content" source="media/log-analytics-tutorial/query-results-group-columns.png" alt-text="Screenshot that shows the Column link to the right of the results pane, which you select to open the Columns sidebar." lightbox="media/log-analytics-tutorial/query-results-group-columns.png":::
+:::image type="content" source="media/log-analytics-tutorial/query-results-columns.png" alt-text="Screenshot that shows the Column link to the right of the results pane, which you select to open the Columns sidebar." lightbox="media/log-analytics-tutorial/query-results-columns.png":::
 
-In the sidebar, you'll see a list of all available columns. Drag the **Url** column into the **Row Groups** section. Results are now organized by that column, and you can collapse each group to help you with your analysis. This action is similar to adding a filter condition to the query, but instead of refetching data from the server, you're processing the data your original query returned. When you run the query again, Log Analytics retrieves data based on your original query. Use this method if you want to quickly analyze a set of records as part of interactive analysis.
+In the sidebar, you see a list of all available columns. Drag the **Url** column into the **Row Groups** section. Results are now organized by that column, and you can collapse each group to help you with your analysis. This action is similar to adding a filter condition to the query, but instead of refetching data from the server, you're processing the data your original query returned. When you run the query again, Log Analytics retrieves data based on your original query. Use this method if you want to quickly analyze a set of records as part of interactive analysis.
 
 :::image type="content" source="media/log-analytics-tutorial/query-results-grouped.png" alt-text="Screenshot that shows query results grouped by URL." lightbox="media/log-analytics-tutorial/query-results-grouped.png":::
 
@@ -128,15 +142,19 @@ Now let's sort the results by longest maximum call duration by selecting the **m
 
 ## Work with charts
 
-Let's look at a query that uses numerical data that we can view in a chart. Instead of building a query, we'll select an example query.
+Let's look at a query that uses numerical data that we can view in a chart. Instead of building a query, we select an example query.
+
+Select **Queries** on the left pane. This pane includes example queries that you can add to the query window. If you're using your own workspace, you should have various queries in multiple categories.<!-- If you're using the demo environment, you might see only a single **Log Analytics workspaces** category. Expand that to view the queries in the category. -->
+
+Load the **Function Error rate** query in the **Applications** category to the editor. To do so, double-click the query or hover over the query name to show more information, then select **Load to editor**.
 
-Select **Queries** on the left pane. This pane includes example queries that you can add to the query window. If you're using your own workspace, you should have various queries in multiple categories. If you're using the demo environment, you might see only a single **Log Analytics workspaces** category. Expand that to view the queries in the category.
+:::image type="content" source="media/log-analytics-tutorial/query-info.png" alt-text="Screenshot that shows info about the query." lightbox="media/log-analytics-tutorial/query-info.png":::
 
-Select the query called **Function Error rate** in the **Applications** category. This step adds the query to the query window. Notice that the new query is separated from the other by a blank line. A query in KQL ends when it encounters a blank line, so these are considered separate queries.
+Notice that the new query is separated from the other by a blank line. A query in KQL ends when it encounters a blank line, making them separate queries.
 
 :::image type="content" source="media/log-analytics-tutorial/example-query.png" alt-text="Screenshot that shows a new query." lightbox="media/log-analytics-tutorial/example-query.png":::
 
-The current query is the one that the cursor is positioned on. You can see that the first query is highlighted, indicating that it's the current query. Click anywhere in the new query to select it, and then select the **Run** button to run it.
+Click anywhere in a query to select it, then click on the **Run** button to run it.
 
 :::image type="content" source="media/log-analytics-tutorial/example-query-output-table.png" alt-text="Screenshot that shows the query results table." lightbox="media/log-analytics-tutorial/example-query-output-table.png":::