---
title: Search queries in Log Analytics | Microsoft Docs
description: This article provides a tutorial for getting started writing search queries in Log Analytics.
services: log-analytics
author: bwren
manager: carmonm
ms.service: log-analytics
ms.workload: na
ms.tgt_pltfrm: na
ms.topic: conceptual
ms.date: 08/06/2018
ms.author: bwren
---
> [!NOTE]
> You should complete Get started with queries in Log Analytics before completing this lesson.
Azure Log Analytics queries can start with either a table name or a `search` command. This tutorial covers search-based queries. There are advantages to each method.

Table-based queries start by scoping the query and therefore tend to be more efficient than search queries. Search queries are less structured, which makes them the better choice when searching for a specific value across columns or tables. `search` can scan all columns in a given table, or in all tables, for the specified value. The amount of data being processed could be enormous, which is why these queries could take longer to complete and might return very large result sets.
The `search` command is typically used to search for a specific term. In the following example, all columns in all tables are scanned for the term "error":

```kusto
search "error"
| take 100
```
While they're easy to use, unscoped queries like the one shown above are not efficient and are likely to return many irrelevant results. A better practice is to search in the relevant table, or even in a specific column.
To search for a term in a specific table, add `in (table-name)` just after the `search` operator:

```kusto
search in (Event) "error"
| take 100
```
or in multiple tables:

```kusto
search in (Event, SecurityEvent) "error"
| take 100
```
By default, `search` will evaluate all columns in the data set. To search only a specific column, use this syntax:

```kusto
search in (Event) Source:"error"
| take 100
```
> [!TIP]
> If you use `==` instead of `:`, the results would include only records in which the Source column has the exact value "error", in exactly this case. Using `==` will not include records where Source has values such as "error code 404" or "Error".
By default, term search is case-insensitive, so searching "dns" could yield results such as "DNS", "dns", or "Dns". To make the search case-sensitive, use the `kind` option:

```kusto
search kind=case_sensitive in (Event) "DNS"
| take 100
```
The `search` command supports wildcards at the beginning, end, or middle of a term.
To search for terms that start with "win":

```kusto
search in (Event) "win*"
| take 100
```
To search for terms that end with ".com":

```kusto
search in (Event) "*.com"
| take 100
```
To search for terms that contain "www":

```kusto
search in (Event) "*www*"
| take 100
```
To search for terms that start with "corp" and end in ".com", such as "corp.mydomain.com":

```kusto
search in (Event) "corp*.com"
| take 100
```
You can also get everything in a table by using just a wildcard: `search in (Event) *`, but that would be the same as writing just `Event`.
> [!TIP]
> While you can use `search *` to get every column from every table, it's recommended that you always scope your queries to specific tables. Unscoped queries may take a while to complete and might return too many results.
Use `and` to search for records that contain multiple terms:

```kusto
search in (Event) "error" and "register"
| take 100
```
Use `or` to get records that contain at least one of the terms:

```kusto
search in (Event) "error" or "register"
| take 100
```
If you have multiple search conditions, you can combine them into the same query using parentheses:

```kusto
search in (Event) "error" and ("register" or "marshal*")
| take 100
```
The results of this example would be records that contain the term "error" and also contain either "register" or something that starts with "marshal".
Just like any other command, `search` can be piped so that search results can be filtered, sorted, and aggregated. For example, to get the number of Event records that contain "win":

```kusto
search in (Event) "win"
| count
```
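As an added example that is not part of the original article, the following query combines the scoped, multi-term search shown earlier with a time filter, an aggregation, and a sort. It assumes the `Event` and `SecurityEvent` tables both carry `TimeGenerated` and `Computer` columns, and it uses the `$table` column that `search` adds to each result row to show which table each hit came from.

```kusto
// Scoped, case-insensitive term search across two tables,
// limited to the last day, then aggregated per source table and computer.
search in (Event, SecurityEvent) "error" and ("register" or "marshal*")
| where TimeGenerated > ago(1d)
| summarize Hits = count() by $table, Computer
| sort by Hits desc
| take 20
```

Replacing `count()` with `count() by $table` alone gives a quick per-table volume check before widening the search to more tables.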
- See further tutorials on the Log Analytics query language site.