1
00:00:01,840 --> 00:00:07,460
I'll paste that code in, sign in with my administrative credential. Yes,

2
00:00:07,460 --> 00:00:11,130
I'm trying to sign in to Azure Connected Machine agent.

3
00:00:11,130 --> 00:00:13,040
Great! Let's click Close.

4
00:00:13,040 --> 00:00:18,250
Let's go back to our PowerShell terminal. Successfully onboarded the resource

5
00:00:18,250 --> 00:00:22,340
to Azure, good. Looks like it's just finishing up here.

6
00:00:22,340 --> 00:00:24,240
Okay, yeah, that's what we want to see.

7
00:00:24,240 --> 00:00:27,340
Excellent! So let me exit out of my console.

8
00:00:27,340 --> 00:00:30,740
Let's come back to Azure Arc and refresh the view.

9
00:00:30,740 --> 00:00:32,860
So now I've got this machine connected.

10
00:00:32,860 --> 00:00:34,640
What can you do here?

11
00:00:34,640 --> 00:00:40,240
Well, you can service the off‑cloud machine via the VM extension model.

12
00:00:40,240 --> 00:00:44,900
So, one other way that we can onboard monitoring for this Azure

13
00:00:44,900 --> 00:00:50,120
Arc‑enabled server would be to go to Add, and then we could deploy the

14
00:00:50,120 --> 00:00:53,870
Log Analytics agent for Azure Arc. I don't need to do that here because

15
00:00:53,870 --> 00:00:55,770
I'm already hooked into the workspace.

16
00:00:55,770 --> 00:00:58,540
I just want to show you these possibilities.

17
00:00:58,540 --> 00:01:00,900
All right, what about the log search experience?

18
00:01:00,900 --> 00:01:03,440
Well, you can do that from the workspace.

19
00:01:03,440 --> 00:01:08,110
We also can go to Azure Monitor, and we'll want to look for Logs.

20
00:01:08,110 --> 00:01:13,340
I'm just going to click it right here. And after we get rid of the

21
00:01:13,340 --> 00:01:16,880
introductory video, we'll be asked to select a search scope.

22
00:01:16,880 --> 00:01:21,520
You can be as wide and intentional or as targeted as you want.

23
00:01:21,520 --> 00:01:25,990
I'm going to scope mine to the entire subscription, and now we're

24
00:01:25,990 --> 00:01:29,750
given this interface to begin writing our queries.

25
00:01:29,750 --> 00:01:32,390
We can see at left all of the virtual tables.

26
00:01:32,390 --> 00:01:35,910
Now, the list of virtual tables you have is going to depend

27
00:01:35,910 --> 00:01:39,840
entirely on what resources you've deployed in Azure.

28
00:01:39,840 --> 00:01:44,130
Here's a good tip for you. Go to Queries, and you can group these

29
00:01:44,130 --> 00:01:49,520
by Resource type, by Category, whatever. I'm going to come down all

30
00:01:49,520 --> 00:01:54,140
the way down to Virtual machines. And these are pre‑built queries

31
00:01:54,140 --> 00:01:55,750
that Microsoft has created.

32
00:01:55,750 --> 00:02:00,310
Let's see, Chart CPU usage trends. That I think would be useful.

33
00:02:00,310 --> 00:02:03,540
So let's just take a look at this sample query. Notice that

34
00:02:03,540 --> 00:02:08,740
KQL uses a C# style line comment notation.

35
00:02:08,740 --> 00:02:12,820
So in this case, we're doing perf as our table. That happens to be the

36
00:02:12,820 --> 00:02:18,070
virtual table that tracks Windows Performance Monitor counters, and then

37
00:02:18,070 --> 00:02:21,790
we're doing where CounterName is Processor Time,

38
00:02:21,790 --> 00:02:25,340
the object is Processor, and we're doing a summarization.

39
00:02:25,340 --> 00:02:30,190
Let me move up so we can see the toolbar. We can change the time

40
00:02:30,190 --> 00:02:33,880
range, either in the query, or we can adjust it here.

41
00:02:33,880 --> 00:02:37,490
I'm going to back it out to seven days. There's a whole

42
00:02:37,490 --> 00:02:41,220
notation here or a syntax to the language. I would suggest

43
00:02:41,220 --> 00:02:43,840
that you look in the Pluralsight library.

44
00:02:43,840 --> 00:02:48,010
My Pluralsight colleague, Robert Cain, has created at least two courses on

45
00:02:48,010 --> 00:02:52,680
KQL. He'll definitely sort you out getting comfortable with the language.

46
00:02:52,680 --> 00:02:55,720
Let's run this query and see what comes back.

47
00:02:55,720 --> 00:02:56,600
No results.

48
00:02:56,600 --> 00:03:00,910
Okay, well that's a little bit disappointing, actually. The render here,

49
00:03:00,910 --> 00:03:07,440
you can render your data as a time chart or just a table result.

50
00:03:07,440 --> 00:03:10,770
Let me go back here. Let me zoom out, Queries.

51
00:03:10,770 --> 00:03:14,830
Let's try a more general query. What data is being

52
00:03:14,830 --> 00:03:18,040
collected? Let's load that to the editor.

53
00:03:18,040 --> 00:03:20,160
This is just a very basic query.

54
00:03:20,160 --> 00:03:25,240
I'm going to select just those lines and click Run.

55
00:03:25,240 --> 00:03:28,650
So this is just mentioning, well, that makes sense.

56
00:03:28,650 --> 00:03:33,110
It's bringing back basic Performance Monitor counter data that

57
00:03:33,110 --> 00:03:35,750
I've specified in my agent configuration.

58
00:03:35,750 --> 00:03:38,440
What about virtual machine disk space?

59
00:03:38,440 --> 00:03:42,370
Let's load that into the editor. And to run just this query,

60
00:03:42,370 --> 00:03:45,840
I'll select those lines and click Run.

61
00:03:45,840 --> 00:03:50,540
Wow, that's really disappointing! Let me go back to Select scope.

62
00:03:50,540 --> 00:03:56,590
Maybe I should be more intentional here. Let's go and select my AZ‑801

63
00:03:56,590 --> 00:04:01,930
resource group or see if we can select specific machines.

64
00:04:01,930 --> 00:04:02,450
Yeah,

65
00:04:02,450 --> 00:04:06,480
well, I don't want just the machine, actually. I want to bring in that

66
00:04:06,480 --> 00:04:11,180
resource group, so let's apply that, rerun the query.

67
00:04:11,180 --> 00:04:13,970
Yeah, I guess not enough time has elapsed.

68
00:04:13,970 --> 00:04:15,830
So what I want to do, I'm going to proceed.

69
00:04:15,830 --> 00:04:19,560
I want to give you a heads up that there's a really nice query playground.

70
00:04:19,560 --> 00:04:26,020
If you point your browser to portal.loganalytics.io/demo, this is a

71
00:04:26,020 --> 00:04:30,680
sandbox environment that's free for your use. The thing to note about

72
00:04:30,680 --> 00:04:34,690
this query playground is that you have to sign into it with either your

73
00:04:34,690 --> 00:04:38,810
Azure AD credential or your Microsoft account. Once there though, you

74
00:04:38,810 --> 00:04:43,780
can run KQL queries against Microsoft's sample dataset. I'm having some

75
00:04:43,780 --> 00:04:45,250
DNS issues here.

76
00:04:45,250 --> 00:04:49,140
The so‑called demo gods are not working with me here at all.

77
00:04:49,140 --> 00:04:50,340
I'm kind of bummed.

78
00:04:50,340 --> 00:04:54,240
Okay, well if at first you don't succeed, try, try again.

79
00:04:54,240 --> 00:04:58,070
I was able to finally load up the Log Analytics query

80
00:04:58,070 --> 00:05:00,590
playground on another computer.

81
00:05:00,590 --> 00:05:02,310
So, here we go.

82
00:05:02,310 --> 00:05:07,340
I'm using the Log Analytics scope demo here as my search scope,

83
00:05:07,340 --> 00:05:11,850
and I've run that CPU usage patterns by virtual machine here. And

84
00:05:11,850 --> 00:05:14,240
again, notice it's rendering a chart.

85
00:05:14,240 --> 00:05:16,920
There's a live chart that's really potentially useful.

86
00:05:16,920 --> 00:05:19,940
There's a lot being plotted on this particular one.

87
00:05:19,940 --> 00:05:25,010
We can change the results to see the table view, and this allows us then to

88
00:05:25,010 --> 00:05:28,200
come in here and edit the query to our heart's content.

89
00:05:28,200 --> 00:05:35,320
I'm going to throw in another where clause where Computer =, say, "JBOX10".

90
00:05:35,320 --> 00:05:41,970
Put that in double quotes, and then let's run that again. And now we see the

91
00:05:41,970 --> 00:05:46,220
CPU usage trends for just a single machine. That's running pretty darn high,

92
00:05:46,220 --> 00:05:56,000
actually. Wow! So this actually is a good example of how we can feed a log search query into an alert rule.