Searching and visualizing Azure logs - brian-anderson01/Capstone GitHub Wiki
Now that you have your Log Analytics workspace set up with logs and metrics configured, it's time to view all of those logs.
To start, go to the Azure portal and navigate to your Log Analytics workspace
Once you are here, scroll down to General and choose Logs
You will be met with a window to create a new query; this is how we will search for our logs. Once you create a query, click Run to execute it and view the logs.
Querying for event logs
The first query I made was very simple and just searches for all event logs that have been sent to Azure
This query can be manipulated to only show certain computers, EventLogs, UserName, etc. This can be done using the where operator and specifying the column as well as the term you want to filter by.
The query below will find all events from the System event log with the event ID of 7036
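An added example (not the wiki author's original query) of the filter described above, written in KQL against the Log Analytics `Event` table. The computer name `MYCOMPUTER` is a placeholder, and the `parse` pattern assumes `RenderedDescription` holds the standard English text of event 7036 ("The <service> service entered the <state> state.").

```kusto
// Added example, not the wiki author's query.
// Service state changes (System log, event ID 7036) for one computer.
Event
| where TimeGenerated > ago(24h)                    // limit the search window
| where Computer == "MYCOMPUTER"                    // placeholder: replace with your computer name
| where EventLog == "System" and EventID == 7036    // filter by log name and event ID
// Assumption: RenderedDescription holds the standard English message
// "The <service> service entered the <state> state."
| parse RenderedDescription with "The " ServiceName " service entered the " State " state" *
| summarize Changes = count(), LastChange = max(TimeGenerated)
    by Computer, ServiceName, State
| order by Changes desc
```

Services that change state often sort to the top, which makes a service that keeps stopping or restarting easy to spot.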
If you want to save a query you created to use it again in the future, click Save at the top and choose Save as a query. Name the query, select a Category and label if you want, and then click Save.
Querying for system metrics
Start by querying for all of the metrics from your computer. To do this, run the query shown below with the computer name replaced
After running this query you can get an idea of what the object names are as well as the counter names etc.
Below is a query I use to get the processor utilization metric from one of my computers
This can be replicated with different object names and counter names to view disk usage, RAM usage, etc.
Viewing a graph of performance metrics
Now that you have some queries to view your system's metrics, you can view them in the form of a graph for easier visualization
Start by inputting your query or selecting it from your saved queries and click Run
Once the query has run, click Chart just below the query window
Once you are in the chart view, click chart formatting on the right
Set the X axis as TimeGenerated and the Y axis to the value you are measuring; this will more than likely be CounterValue
Set the Chart Type to one that you prefer for your dataset
Finally, change Split-by to the appropriate variable, choosing Computer if you are querying more than one Computer, or CounterName if you are measuring more than one metric, etc. If you are only measuring a single metric I'd recommend choosing CounterName so that the legend is easier to understand.
Below is an example of my query and chart with two metrics input into the chart. In this instance the CounterValue is the number of bytes being read or written
Creating a dashboard to view all of your metrics and/or logs
Once you have created a query that you like and have generated a graph, or just want the list of logs, continue on
From either the graph window or the Results window, choose Pin to from the top and select Azure Dashboard
If you do not have an existing dashboard, click create new or just choose your dashboard from the drop down and click pin
When creating a new dashboard, name the dashboard and then click Create and pin
Repeat this process until you have pinned all of your queries onto your dashboard
Return to the Azure portal home page and scroll down to Navigate
Select Dashboard and click the dropdown in the very top left to change between dashboards
You can set an auto refresh interval in the top left as well as the time frame to see results from
The titles for your pinned graphs will likely not be useful so click the button screenshotted below to change them
Graphs can also be resized and moved by right clicking in some whitespace on the dashboard and selecting Edit
Resize and move each graph around to your liking and then click Save at the top
You should now have a dashboard where you can view logs and metrics from one or more computers that you are monitoring. I input a screenshot of my dashboard below for reference