Share via

creating 2 datatables and join them in Azure log analytics logs terminal

Olbrich Marc (YIAGI) 65 Reputation points
2024-01-24T09:17:23.5233333+00:00

In Azure Log Analytics, i want to create two datatables from a transformation of the traces and join them at a specific column, such this i end up with one joined datatable that includes the information i need for further calculations in powerBI. Unfortunately the commands like ".create", "let", "set", "table" "datatable" doesn't seem to work in the log analytics terminal . How can i do this? Here is my transformation of the traces for the first datatable:

union traces
| union exceptions
| order by timestamp desc
| project
    timestamp,
    message = iff(message != '', message, iff(innermostMessage != '', innermostMessage, customDimensions.['prop__{OriginalFormat}'])),
    logLevel = customDimensions.['LogLevel']
| where logLevel == 'Information'
| where message !contains "'LogId':'000000000000000000000000'"
| where message contains 'LogMessage'
| where message contains "'API':'AMR'"
| where message contains "'Label':{'pred'"
| parse message with * "'Label':{'pred':'" pred_val:string"'" *
| parse message with * "'confidence':'" conf_val:string"'" *
| parse message with * "'Zaehlwerk':{'pred':'" zaehlwerk:string"'" *
| parse message with * "'Client':'" client:string"'" *
| parse message with * "'Sparte':{'true':'" sparte:string"'" *
| parse message with * "'LogId':'" log_id:string"'" *
| parse message with * "'ParentLogId':'" parent_log_id:string"'" *
| parse message with * "'DetectionId':'" detection_id:string"'" *

This worked fine. Now, i want to set this transformation to a datatable, called "table_1", where the columns are give by:

timestamp, pred_val, conf_val, zaehlwerk, client, sparte, log_id, parent_log_id, detection_id

But something like the following command doesn't work. Can you help me?

User's image This is the query from the image:

datatable table_1
| union traces
| union exceptions
| order by timestamp desc
| project
    timestamp,
    message = iff(message != '', message, iff(innermostMessage != '', innermostMessage, customDimensions.['prop__{OriginalFormat}'])),
    logLevel = customDimensions.['LogLevel']
| where logLevel == 'Information'
| where message !contains "'LogId':'000000000000000000000000'"
| where message contains 'LogMessage'
| where message contains "'API':'AMR'"
| where message contains "'Label':{'pred'"
| parse message with * "'Label':{'pred':'" pred_val: string"'" *
| parse message with * "'confidence':'" conf_val: string"'" *
| parse message with * "'Zaehlwerk':{'pred':'" zaehlwerk: string"'" *
| parse message with * "'Client':'" client: string"'" *
| parse message with * "'Sparte':{'true':'" sparte: string"'" *
| parse message with * "'LogId':'" log_id: string"'" *
| parse message with * "'ParentLogId':'" parent_log_id: string"'" *
| parse message with * "'DetectionId':'" detection_id: string"'" *
| project timestamp, pred_val, conf_val, zaehlwerk, client, sparte, log_id, parent_log_id, detection_id
Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
0 comments
Answer accepted by question author
  1. Clive Watson 7,946 Reputation points MVP Volunteer Moderator
    2024-01-24T17:54:39.4033333+00:00

    You are correct those specific commands work in ADX (Azure Data Explorer) not Log Analytics, have you looked at using a join to do this? https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/tutorials/join-data-from-multiple-tables

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.