Resources - New Azure Log Analytics Language Cheat Sheets

@20aman    Feb 19, 2018

Azure Log Analytics (part of the OMS suite) has a very versatile query language. To investigate and report on the data, you need to know the query language at least at a basic level. Recently the language had a complete overhaul, with new syntax and various new features being incorporated. This blog post covers the resources for quickly learning the new syntax. Specifically, it covers how to translate what you already know if you are familiar with the older syntax or with T-SQL.

Older to new Query Language syntax

If you have been working with the older Log Analytics query syntax, then you have two options to convert that knowledge to newer query language syntax:

  1. Use the in-portal legacy syntax converter and learn as you convert
  2. Use the Microsoft-provided Cheat Sheet

When you navigate to the OMS Log Analytics portal and go to the Log search section, you will see a link above the query text window for "Show legacy language converter". When you click this link, a new text box appears above the query text box. Type your legacy query and then click the "Convert" button. The query will be converted into the new language syntax. Click Run to execute the query. If there are any errors in the query, you will be notified.

OMS Language Converter

In the above example, the "Event" type is fetched and then only the Source, EventLog and EventID properties are selected. In the older format the query syntax used to be:

Type=Event | select Source, EventLog, EventID

In the newer format the same query looks as below:

Event | project Source, EventLog, EventID

Pointers for the key query syntax are in the complete cheat sheet, which can be found here: Legacy to new Azure Log Analytics Query Language cheat sheet

T-SQL to new Query Language syntax

If you are well versed in T-SQL query syntax and are new to OMS Azure Log Analytics, then you can easily translate that knowledge to the Log Analytics query language with the help of the cheat sheet provided by Microsoft for the key syntax.

E.g. if we want to select only the columns name and resultCode from a table named dependencies, then the query in T-SQL will look like:

SELECT name, resultCode FROM dependencies

The same query in the newer Log Analytics language will look like:

dependencies 
| project name, resultCode

As you might have guessed already, "project" is the keyword in the newer language for selecting specific columns. Selecting a table is as simple as typing the name of the table.
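The same translation carried past column selection, as an added example that is not from the original post or from Microsoft's cheat sheet: a T-SQL query with filtering, grouping and ordering (shown in comments) beside its equivalent in the newer language. It assumes the dependencies table has a timestamp column and that resultCode is stored as a string; the failures alias is chosen here for illustration.

```kusto
// T-SQL being translated (kept as comments so the block is a single runnable query):
//
//   SELECT TOP 10 name, COUNT(*) AS failures
//   FROM dependencies
//   WHERE resultCode <> '200'
//     AND timestamp > DATEADD(day, -1, GETUTCDATE())
//   GROUP BY name
//   ORDER BY failures DESC
//
// In the newer language each clause becomes its own pipeline stage,
// applied top to bottom in the order written.

dependencies                             // FROM dependencies
| where timestamp > ago(1d)              // WHERE timestamp > DATEADD(day, -1, GETUTCDATE())
| where resultCode != "200"              // AND resultCode <> '200' (string comparison)
| summarize failures = count() by name   // SELECT name, COUNT(*) AS failures ... GROUP BY name
| top 10 by failures desc                // SELECT TOP 10 ... ORDER BY failures DESC
```

Putting the time filter first narrows the data before the other stages run, which matters more here than in T-SQL because the stages execute in the order they are written.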

The complete cheat sheet can be found here: SQL to Azure Log Analytics query language cheat sheet




