Azure Log Analytics Workspace Overview - Azure Monitor


Azure log analytics workspace
Azure Log Analytics is a tool in the Azure portal to edit and run log queries from data collected by Azure Monitor Logs and interactively analyze their results. You can use Log Analytics queries to retrieve records matching particular criteria, identify trends, analyze patterns, and provide a variety of insights into your data.

A Kusto query is a read-only request to process data and return results. The request is stated in plain text, using a data-flow model designed to make the syntax easy to read, author, and automate. The query uses schema entities that are organized in a hierarchy similar to SQL's: databases, tables, and columns.

The query consists of a sequence of query statements, delimited by a semicolon (;). At least one statement must be a tabular expression statement, that is, a statement that produces data arranged in a table-like mesh of columns and rows. The query's tabular expression statements produce the results of the query.

In a tabular expression statement, tabular data flows from one tabular query operator to another, starting with a data source (e.g. a table in a database, or an operator that produces data) and then flowing through a set of data transformation operators that are bound together through the use of the pipe (|) delimiter.

Azure Monitor Logs is based on Azure Data Explorer, and log queries are written using the same Kusto query language (KQL). This is a rich language designed to be easy to read and author, so you should be able to start writing queries with some basic guidance.
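
The statement structure described above, as an added example that is not part of the original description: two let statements and one tabular expression statement, separated by semicolons, with data flowing through piped operators. The SampleLogons table, its rows and the threshold value are constructed for illustration; the column names follow the SecurityEvent table, where event ID 4625 is a failed Windows logon and 4624 a successful one.

```kusto
// Statement 1: a let statement. datatable is an operator that produces
// data, so the query runs without any table in the workspace.
// All rows below are constructed sample data.
let SampleLogons = datatable(TimeGenerated: datetime, Account: string, Computer: string, EventID: int)
[
    datetime(2024-01-01 10:00:05), "alice", "srv01", 4625,
    datetime(2024-01-01 10:00:40), "alice", "srv01", 4625,
    datetime(2024-01-01 10:01:10), "alice", "srv02", 4625,
    datetime(2024-01-01 10:02:30), "alice", "srv02", 4625,
    datetime(2024-01-01 10:03:00), "alice", "srv01", 4624,
    datetime(2024-01-01 10:01:00), "bob",   "srv03", 4625,
    datetime(2024-01-01 10:20:00), "bob",   "srv03", 4624
];
// Statement 2: another let statement, binding a scalar.
let threshold = 3;
// Statement 3: the tabular expression statement that produces the result.
// Data starts at the source and flows left to right through each pipe.
SampleLogons
| where EventID == 4625                          // keep failed logons only
| summarize FailedLogons = count(),              // failures per account per window
            Hosts = dcount(Computer)             // distinct target hosts
    by Account, bin(TimeGenerated, 5m)           // 5-minute buckets
| where FailedLogons >= threshold                // drop accounts below the threshold
| order by FailedLogons desc
```

Against a real workspace, replace SampleLogons with SecurityEvent and add a time filter such as `| where TimeGenerated > ago(1h)` as the first operator. The same query text can then be reused in a log alert rule or workbook.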

Areas in Azure Monitor where you will use queries include the following:

Log Analytics. Primary tool in the Azure portal for editing log queries and interactively analyzing their results. Even if you intend to use a log query elsewhere in Azure Monitor, you'll typically write and test it in Log Analytics before copying it to its final location.
Log alert rules. Proactively identify issues from data in your workspace. Each alert rule is based on a log query that is automatically run at regular intervals. The results are inspected to determine if an alert should be created.
Workbooks. Include the results of log queries using different visualizations in interactive visual reports in the Azure portal.
Azure Dashboards. Pin the results of any query into an Azure dashboard, which allows you to visualize log and metric data together and optionally share it with other Azure users.
Logic Apps. Use the results of a log query in an automated workflow using Logic Apps.
PowerShell. Use the results of a log query in a PowerShell script from a command line or an Azure Automation runbook that uses Get-AzOperationalInsightsSearchResults.
Azure Monitor Logs API. Retrieve log data from the workspace from any REST API client. The API request includes a query that is run against Azure Monitor to determine the data to retrieve.
