5.1 KiB
Kusto tutorial with Log Analytics
This tutorial will guide you through the first steps with the Kusto query language in the context of the DevOps OpenHack. You create a graph that display how may trips have been completed by the simulator each half hour during the last 24 hours.
Pre-requisites
In order to walk through this tutorial, it is expected that you have created and configured an Azure Log Analytics workspace to collect the logs from your AKS cluster.
Your first query
Open the query editor in your analytics workspace by selecting Logs in the log analytics menu and enter the following code:
ContainerLog
| search "simulator"
Click the Run button.
This query uses ContainerLog as data source and searches for the entries that contain the word "simulator". The rows matching the criteria are returned.
Expand the first entry by clicking on the arrow on the left of the line. The key/value pairs will help understand the fields of each returned row.
Look more specifically at the following fields:
- TimeGenerated[UTC]: This is the time at which the log entry has been generated
- Image: This is the name of the container image that has generated the entry, copy the name of the image we will use it in the next step. It should be similar to this "openhackcj19acr.azurecr.io/devopsoh/simulator:latest"
- LogEntry: The text that was written on the stdout of the container
Filter the data
The command where allows to filter the data based on specific criteria like the generation time. The following query will apply a first filter on the data.
ContainerLog
| where TimeGenerated > ago(24h)
Let's now filter the content to only have the entries generated by the simulator container. Replace the query with the following and click Run :
ContainerLog
| where TimeGenerated > ago(24h)
| where Image contains "devopsoh/simulator:latest"
When the simulator completes a trip an entry similar to the following is generated:
Trip Completed at : 11/01/2018 04:42:03.
Let's update our query to select only those entries:
ContainerLog
| where TimeGenerated > ago(24h)
| where Image contains "devopsoh/simulator:latest"
| where LogEntry contains "Trip Completed"
Click Run to see the result.
The where clause also understands regular expressions(RE). REs can be used to extract a specific value from a log entry and write this value into an additional column using extend. More information on the use of extend is available on this page: https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-queries?toc=/azure/azure-monitor/toc.json#project-and-extend-select-and-compute-columns
Reduce the number of columns
Update the query to get only the information that interest us: time of generation, the log entry and the containerId.
ContainerLog
| where TimeGenerated > ago(24h)
| where Image contains "devopsoh/simulator:latest"
| where LogEntry contains "Trip Completed"
| project TimeGenerated, LogEntry, ContainerID
The project command will display only the comma seperated list of column names in the result of the query.
Click Run to see the result.
Count the number of entries per time slot
We will use the summarize command to perform the aggregation according to the time of generation.
The bin function will round a value to its bin size; bin(TimeGenerated, 1m) round the TimeGenerated to the minute.
Our query becomes:
ContainerLog
| where TimeGenerated > ago(24h)
| where Image contains "devopsoh/simulator:latest"
| where LogEntry contains "Trip Completed"
| project TimeGenerated, LogEntry, ContainerID
| summarize count(LogEntry) by bin(TimeGenerated, 30m)
Click Run to see the result.
A picture worth thousand words
To represent the data on a graph we will use the render function and define the format, in our case we want a timechart
ContainerLog
| where TimeGenerated > ago(24h)
| where Image contains "devopsoh/simulator:latest"
| where LogEntry contains "Trip Completed"
| project TimeGenerated, LogEntry, ContainerID
| summarize count(LogEntry) by bin(TimeGenerated, 30m)
| render timechart
Render operator Creating Charts and Diagrams From Log Analytics
Click Run to render the graph.
Reference documents
- Getting stated with log analytics portal: https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-analytics-portal
- Getting started with query: https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-analytics-portal
- String operations with Kusto: https://docs.microsoft.com/en-us/azure/log-analytics/query-language/string-operations
- Search queries in Log Analytics: https://docs.microsoft.com/en-us/azure/log-analytics/query-language/search-queries
- Add or select new column in a query: https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-queries?toc=/azure/azure-monitor/toc.json#project-and-extend-select-and-compute-columns