Merge pull request #267538 from osalzberg/add-new-basiclogs-tables

PMEds28 · web-flow · commit fdcd45085d22 · 2024-02-28T10:50:19.000Z
Update azure-monitor-data-explorer-proxy.md
diff --git a/articles/azure-monitor/logs/azure-monitor-data-explorer-proxy.md b/articles/azure-monitor/logs/azure-monitor-data-explorer-proxy.md
@@ -124,29 +124,6 @@ More use cases:
 -	Use a tag to determine whether VMs should be running 24x7 or should be shut down at night.
 -	Show alerts on any server that contains a certain number of cores.
 
-### Combine Azure Resource Graph tables with a Log Analytics workspace
-
-Use the `union` command to combine cluster tables with a Log Analytics workspace.
-
-For example:
-
-```kusto
-union AzureActivity, arg("").Resources
-| take 10
-```
-```kusto
-let CL1 = arg("").Resources ;
-union AzureActivity, CL1 | take 10
-```
-
-When you use the [`join` operator](/azure/data-explorer/kusto/query/joinoperator) instead of union, you need to use a [`hint`](/azure/data-explorer/kusto/query/joinoperator#join-hints) to combine the data in Azure Resource Graph with data in the Log Analytics workspace. Use `Hint.remote={Direction of the Log Analytics Workspace}`. For example:
-
-```kusto
-Perf | where ObjectName == "Memory" and (CounterName == "Available MBytes Memory")
-| extend _ResourceId = replace_string(replace_string(replace_string(_ResourceId, 'microsoft.compute', 'Microsoft.Compute'), 'virtualmachines','virtualMachines'),"resourcegroups","resourceGroups")
-| join hint.remote=left (arg("").Resources | where type =~ 'Microsoft.Compute/virtualMachines' | project _ResourceId=id, tags) on _ResourceId | project-away _ResourceId1 | where tostring(tags.env) == "prod"
-```
-
 ## Create an alert based on a cross-service query
 
 To create a new alert rule based on a cross-service query, follow the steps in [Create a new alert rule](../alerts/alerts-create-new-alert-rule.md), selecting your Log Analytics workspace on the **Scope** tab.
@@ -163,19 +140,43 @@ To create a new alert rule based on a cross-service query, follow the steps in [
 * Database names are case sensitive.
 * Identifying the Timestamp column in the cluster isn't supported. The Log Analytics Query API won't pass the time filter.
 * Cross-service queries support data retrieval only. 
-* [Private Link](../logs/private-link-security.md) (private endpoints) and [IP restrictions](/azure/data-explorer/security-network-restrict-public-access) do not support cross-service queries.
-* `mv-expand` is limited to 2000 records.
-* Azure Monitor Logs does not support the `external_table()` function, which lets you query external tables in Azure Data Explorer. To query an external table, define `external_table(<external-table-name>)` as a parameterless function in Azure Data Explorer. You can then call the function using the expression `adx("").<function-name>`.
+* [Private Link](../logs/private-link-security.md) (private endpoints) and [IP restrictions](/azure/data-explorer/security-network-restrict-public-access) don't support cross-service queries.
+* `mv-expand` is limited to 2,000 records.
+* Azure Monitor Logs doesn't support the `external_table()` function, which lets you query external tables in Azure Data Explorer. To query an external table, define `external_table(<external-table-name>)` as a parameterless function in Azure Data Explorer. You can then call the function using the expression `adx("").<function-name>`.
 
 ### Azure Resource Graph cross-service query limitations
 
-* Microsoft Sentinel does not support cross-service queries to Azure Resource Graph.
+* Microsoft Sentinel doesn't support cross-service queries to Azure Resource Graph.
 * When you query Azure Resource Graph data from Azure Monitor:
-    * The query returns the first 1000 records only.
+    * The query returns the first 1,000 records only.
     * Azure Monitor doesn't return Azure Resource Graph query errors.
     * The Log Analytics query editor marks valid Azure Resource Graph queries as syntax errors.
     * These operators aren't supported: `smv-apply()`, `rand()`, `arg_max()`, `arg_min()`, `avg()`, `avg_if()`, `countif()`, `sumif()`, `percentile()`, `percentiles()`, `percentilew()`, `percentilesw()`, `stdev()`, `stdevif()`, `stdevp()`, `variance()`, `variancep()`, `varianceif()`.
 
+
+### Combine Azure Resource Graph tables with a Log Analytics workspace
+
+Use the `union` command to combine cluster tables with a Log Analytics workspace.
+
+For example:
+
+```kusto
+union AzureActivity, arg("").Resources
+| take 10
+```
+```kusto
+let CL1 = arg("").Resources ;
+union AzureActivity, CL1 | take 10
+```
+
+When you use the [`join` operator](/azure/data-explorer/kusto/query/joinoperator) instead of union, you need to use a [`hint`](/azure/data-explorer/kusto/query/joinoperator#join-hints) to combine the data in Azure Resource Graph with data in the Log Analytics workspace. Use `Hint.remote={Direction of the Log Analytics Workspace}`. For example:
+
+```kusto
+Perf | where ObjectName == "Memory" and (CounterName == "Available MBytes Memory")
+| extend _ResourceId = replace_string(replace_string(replace_string(_ResourceId, 'microsoft.compute', 'Microsoft.Compute'), 'virtualmachines','virtualMachines'),"resourcegroups","resourceGroups")
+| join hint.remote=left (arg("").Resources | where type =~ 'Microsoft.Compute/virtualMachines' | project _ResourceId=id, tags) on _ResourceId | project-away _ResourceId1 | where tostring(tags.env) == "prod"
+```
+
 ## Next steps
 * [Write queries](/azure/data-explorer/write-queries)
 * [Perform cross-resource log queries in Azure Monitor](../logs/cross-workspace-query.md)
