
Azure Monitor Logs search job experience



Introduction

 

 

With the introduction of new Azure Monitor Logs capabilities like Basic Logs and Logs Archive, we are happy to introduce a new way to query and explore your logs - search job.

Search job lets users run an asynchronous query, written in reduced KQL, that explores large quantities of data and produces a persistent result set that can serve as the basis for further exploration.

 

Read more about the new Azure Monitor Logs capabilities in our Microsoft Ignite announcement.

 

Basic Logs and Archive

 

 

Basic Logs and Archive offer a unique set of capabilities for Logs users.

Basic Logs is a cheaper tier of logs that allows users to collect and retain logs cheaply, while maintaining basic query capabilities.

 

Archive Logs allows cheap, long-term retention of logs.

 

These new offerings empower users and organizations to optimize their logs cost planning and create a better-suited logs estate.

 

These new capabilities require a new type of exploration experience - Search Job.

 

Search Job

 

 

Search job is an effective way to explore logs in the following cases:

 

1. A query in an Analytics table hits one of its limitations. In this case, using a search job to create an interim table might help in reaching the desired insight.

 

2. When exploring Basic Logs for a period that exceeds the last 8 days

 

3. When exploring Archive Logs

 

 

 

Search Job uses reduced KQL and an asynchronous query pattern to distribute the query and run multiple instances of it, which reduces the time to result when exploring a large data set.

 

Search Job ingests the result set into a new Analytics table. This makes the results persistent and lets you explore the result set using the full interactive KQL experience.

 

Read more about how Search Job works in this article - Azure Monitor Logs Search Job.

 

The Search Job Experience

 

 

To use Search Job you must first enable the Search Job mode in Log Analytics.

 

To enable Search Job mode, go to the ellipsis menu on the right-hand side of the screen and toggle Search Job mode on:

 


 

Enabling Search Job mode will optimize your experience for running search jobs:

 

1. The Run button will change its appearance to indicate that Azure Monitor Logs is in Search Job mode

 

2. Azure Monitor Logs intellisense will adjust to support reduced KQL and assist when composing a query:

 


 

Please note: it is recommended to compose and optimize your query before submitting a search job.

 

When you are ready, click the 'Search Job' button.

You will be asked to provide a name for the result set table:

 


 

Once you initiate the search job, Logs will create a new table in your workspace and will run your query.

 

Results will start flowing to the newly created results table:

 


 

As results become available, you will be able to explore and query the new results table, as with any other Log Analytics table.

While the query is running, the experience will show specific banners that update on the status of the results table:


 

Result Set

 

 

The Search Job result set will be ingested as a new, fully featured Log Analytics table. This means you may run full KQL analytics queries on the results table.

Additionally, because the result set persists as a new table, you gain advantages such as retention control for the results table and the ability to combine its data with other results tables or other Log Analytics tables to achieve rich insights.

 

All Search Job tables will appear under the 'Search Results' group in the tables side blade:

 


 

 

 

 

 

 

Summary and Feedback

 

 

We hope you enjoy this new addition to Azure Monitor Logs.

 

Have thoughts and comments about the feature? Please let us know what you think by commenting on this blog or using our feedback feature in Azure Monitor Logs.

 

Simply click the Feedback button and share your thoughts:

 


 
