How to query custom logs data in Log analytics

March 20, 2019 at 8:14 pm in Azure, Loganalytics by Dieter Wijckmans

This post is a follow-up on how to SCCM custom data into your log analytics environment.

As soon as you have your SCCM custom logs, or any other logs, in log analytics they get indexed under the type you have specified.

In this particular case I used SCCMLOG_CL (note that the CL is mandatory). So lets jump into the log analytics query window to find out what’s in the logs at this time:

Browse to Log analytics => Logs

clip_image002

The log analytics query window will open and will give you the opportunity to start your query journey:

clip_image004

Remember our custom type: SCCMLOGS_CL. Note the autosuggest feature which will help you to create your own queries

clip_image006

If you run this query you will get all the results within the type. This is a great way to check whether data is flying in.

clip_image008

So now we’ll start finding more in detail patterns. If you type where in the next line you’ll get all the fields in your data:

clip_image010

Let’s select Rawdata where the word “error” is in the line:

clip_image011

So we get already a lot of results:

clip_image013

So another trick in your sleeve. You don’t need to type everything. It’s a point and click world to combine your query. Just click the + sign next to a field. In this case “Computer”.

clip_image015

This will add the field AND the content of the field to your query:

clip_image017

So now you can really start building your searches on your custom data.

Next time we’ll go over how you can actually create custom fields you can search on.

Share on FacebookTweet about this on TwitterShare on Google+Share on RedditShare on LinkedIn