How to query custom logs data in Log analytics

March 20, 2019 at 8:14 pm in Azure, Loganalytics by Dieter Wijckmans

This post is a follow-up on how to SCCM custom data into your log analytics environment.

As soon as you have your SCCM custom logs, or any other logs, in log analytics they get indexed under the type you have specified.

In this particular case I used SCCMLOG_CL (note that the CL is mandatory). So lets jump into the log analytics query window to find out what’s in the logs at this time:

Browse to Log analytics => Logs


The log analytics query window will open and will give you the opportunity to start your query journey:


Remember our custom type: SCCMLOGS_CL. Note the autosuggest feature which will help you to create your own queries


If you run this query you will get all the results within the type. This is a great way to check whether data is flying in.


So now we’ll start finding more in detail patterns. If you type where in the next line you’ll get all the fields in your data:


Let’s select Rawdata where the word “error” is in the line:


So we get already a lot of results:


So another trick in your sleeve. You don’t need to type everything. It’s a point and click world to combine your query. Just click the + sign next to a field. In this case “Computer”.


This will add the field AND the content of the field to your query:


So now you can really start building your searches on your custom data.

Next time we’ll go over how you can actually create custom fields you can search on.

Share on FacebookTweet about this on TwitterShare on Google+Share on RedditShare on LinkedIn