Box 1: AzureActivity
The AzureActivity table has entries from the Azure activity log, which provides insight into subscription-level or management group-level events occurring in Azure.
Let's see only Critical entries during a specific week.
The where operator is one of the most common operators in the Kusto Query Language: it filters a table down to the rows that match specific criteria. The following example chains multiple commands. First, the query retrieves all records of the table. Then, it filters the data to only the records in the time range. Finally, it filters those results to only the records that have a Critical level.
AzureActivity
| where TimeGenerated > datetime(10-01-2020) and TimeGenerated < datetime(10-07-2020)
| where Level == 'Critical'
Incorrect:
not Perf: The Perf table has performance data that's collected from virtual machines that run the Log Analytics agent.
Box 2: | project
Select a subset of columns: project.
Use project to include only the columns you want. Building on the preceding example, let's limit the output to certain columns:
AzureActivity
| where TimeGenerated > datetime(10-01-2020) and TimeGenerated < datetime(10-07-2020)
| where Level == 'Critical'
| project TimeGenerated, Level, OperationNameValue, ResourceGroup, _ResourceId
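As an added example (not part of the original explanation or the referenced tutorial), the same where and project pipeline written the way it is usually run as a recurring check: the week is expressed relative to now, the level filter is a case-insensitive set match, and the result is sorted. It uses only the AzureActivity columns named above.

```kql
// Added example: same table, same operators as above, generalised slightly.
// Column names are the ones used in the answer; the time window is relative
// instead of hard-coded so the query can be scheduled or reused.
AzureActivity
| where TimeGenerated between (ago(7d) .. now())      // last 7 days, both bounds inclusive
| where Level in~ ('Critical', 'Error')               // in~ is case-insensitive; == would be exact
| project TimeGenerated, Level, OperationNameValue, ResourceGroup, _ResourceId
| order by TimeGenerated desc                         // newest events first
```

Because project runs after where, the filter columns do not have to be in the projected output; Level is kept here only so the severity is visible in the result.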
Reference:
https://github.com/MicrosoftDocs/dataexplorer-docs/blob/main/data-explorer/kusto/query/tutorial.md