# Kusto tutorial with Log Analytics

This tutorial walks you through the first steps with the Kusto query language (KQL) in the context of the DevOps OpenHack. You will build a chart that displays how many trips the simulator has completed in each half hour of the last 24 hours.

## Pre-requisites

To walk through this tutorial you need an Azure Log Analytics workspace that has been created and configured to collect the container logs from your AKS cluster.

## Your first query

Open the query editor in your Log Analytics workspace by selecting **Logs** in the workspace menu and enter the following query:

```kusto
ContainerLog
| search "simulator"
```

Click the **Run** button.

This query uses the **ContainerLog** table as its data source and searches every column of every row for the text "simulator"; the rows matching the criterion are returned. Because `search` scans all columns, it is the most expensive operator used on this page: it is fine for exploring a table you do not know yet, but once you know which column holds what you are looking for, filter on that column with `where`, as in the next section.

Expand the first entry by clicking the arrow to the left of the row. The key/value pairs help you understand the fields of each returned row. Look more specifically at the following fields:

- TimeGenerated [UTC]: the time at which the log entry was generated.
- Image: the name of the container image that generated the entry. Copy the image name; we will use it in the next step. It should be similar to "openhackcj19acr.azurecr.io/devopsoh/simulator:latest".
- LogEntry: the text the container wrote to stdout (the LogEntrySource column records whether a line came from stdout or stderr).

## Filter the data

The `where` operator filters rows on a condition, for instance the generation time. The following query applies a first filter on the data:

```kusto
ContainerLog
| where TimeGenerated > ago(24h)
```

Let's now narrow the result down to the entries generated by the simulator container.
Replace the query with the following and click **Run**:

```kusto
ContainerLog
| where TimeGenerated > ago(24h)
| where Image contains "devopsoh/simulator:latest"
```

`contains` is a case-insensitive substring match, which is convenient here. If you want to be strict, `==` matches the complete image name only, and `has`, which matches whole terms, is the fastest of the three because it can use the term index.

When the simulator completes a trip, it writes an entry similar to the following:

```
Trip Completed at : 11/01/2018 04:42:03.
```

Let's update our query to select only those entries:

```kusto
ContainerLog
| where TimeGenerated > ago(24h)
| where Image contains "devopsoh/simulator:latest"
| where LogEntry contains "Trip Completed"
```

Click **Run** to see the result.

`where` can also test a column against a regular expression with the `matches regex` operator, and the `extract()` function can pull a specific value (such as the timestamp in the entry above) out of a log entry and write it into an additional column using `extend`. More information on the use of `extend` is available on this page: https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-queries?toc=/azure/azure-monitor/toc.json#project-and-extend-select-and-compute-columns

## Reduce the number of columns

Update the query to keep only the information that interests us: the generation time, the log entry and the container ID.

```kusto
ContainerLog
| where TimeGenerated > ago(24h)
| where Image contains "devopsoh/simulator:latest"
| where LogEntry contains "Trip Completed"
| project TimeGenerated, LogEntry, ContainerID
```

The `project` operator keeps only the comma-separated list of columns in the result of the query and drops every other column. Click **Run** to see the result.

## Count the number of entries per time slot

We will use the `summarize` operator to aggregate the rows by generation time. The `bin()` function rounds a value down to the nearest multiple of the bin size: `bin(TimeGenerated, 1m)` rounds TimeGenerated down to the minute, and `bin(TimeGenerated, 30m)` rounds it down to the half hour.
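Before assembling the counting query, here is an added worked example (not part of the original tutorial) that puts the `matches regex`, `extract()`, `extend` and `bin()` pieces from the sections above together. It assumes the same `ContainerLog` table and the log line format shown above; the column names `CompletedAtText`, `CompletedAt`, `Lag`, `Trips`, `UnparsedTimestamps` and `MaxLag` are my own, and the assumption that `todatetime()` reads the simulator's timestamp as month/day/year is flagged in the comments.

```kusto
// Added example, not from the original tutorial: extract the completion time
// that the simulator prints, check that it parsed, and count trips per half
// hour and per container. Assumes the ContainerLog table and the log line
// format "Trip Completed at : 11/01/2018 04:42:03." shown above.
ContainerLog
| where TimeGenerated > ago(24h)
| where Image contains "devopsoh/simulator:latest"
// 'matches regex' ties the filter to the exact message shape rather than to
// any entry that merely contains the words "Trip Completed"
| where LogEntry matches regex @"^Trip Completed at : \d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}\."
// extract() copies capture group 1 (the timestamp text) into a new column
| extend CompletedAtText = extract(@"Trip Completed at : (.+?)\.", 1, LogEntry)
// todatetime() yields null when the text is not a date it understands; this
// assumes the simulator writes month/day/year, as in the sample line
| extend CompletedAt = todatetime(CompletedAtText)
// delay between the simulator's own clock and the time the entry was generated
| extend Lag = TimeGenerated - CompletedAt
| summarize Trips = count(),
            UnparsedTimestamps = countif(isnull(CompletedAt)),
            MaxLag = max(Lag)
    by bin(TimeGenerated, 30m), ContainerID
| order by TimeGenerated asc
```

Run it in the same query editor. A non-zero `UnparsedTimestamps` value tells you the timestamp-format assumption is wrong before a chart built on `CompletedAt` quietly misleads you, and summing `Trips` across `ContainerID` reproduces the per-half-hour total of the next section; to plot trips per container, add `| project TimeGenerated, ContainerID, Trips | render timechart`.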
Adding the `summarize` step, the query becomes:

```kusto
ContainerLog
| where TimeGenerated > ago(24h)
| where Image contains "devopsoh/simulator:latest"
| where LogEntry contains "Trip Completed"
| project TimeGenerated, LogEntry, ContainerID
| summarize Trips = count() by bin(TimeGenerated, 30m)
```

`count()` takes no argument; it counts the rows in each group. Naming the result (`Trips = count()`) replaces the default column name `count_` and gives the chart a readable legend. Click **Run** to see the result: one row per half-hour bin with the number of completed trips in that bin. Note that bins in which no trip was completed are simply absent from the result rather than shown as zero.

## A picture is worth a thousand words

To show the data as a chart we use the `render` operator and specify the visualization type; in our case we want a `timechart`:

```kusto
ContainerLog
| where TimeGenerated > ago(24h)
| where Image contains "devopsoh/simulator:latest"
| where LogEntry contains "Trip Completed"
| project TimeGenerated, LogEntry, ContainerID
| summarize Trips = count() by bin(TimeGenerated, 30m)
| render timechart
```

Click **Run** to render the chart.

Further reading: [Render operator](https://docs.microsoft.com/en-us/azure/kusto/query/renderoperator) and [Creating Charts and Diagrams From Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/query-language/charts?toc=/azure/azure-monitor/toc.json).

## Reference documents

- Getting started with the Log Analytics portal: https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-analytics-portal
- Getting started with queries: https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-queries
- String operations with Kusto: https://docs.microsoft.com/en-us/azure/log-analytics/query-language/string-operations
- Search queries in Log Analytics: https://docs.microsoft.com/en-us/azure/log-analytics/query-language/search-queries
- Add or select new columns in a query: https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-queries?toc=/azure/azure-monitor/toc.json#project-and-extend-select-and-compute-columns