Microsoft Operations Management Suite Cookbook

How it works...

A table-based query starts with, or references, a table in the first part of the query. This defines the scope of the query and determines what initial result set gets returned or passed on to subsequent parts of the query for further filtering or processing. In the previous example query that we walked through, a table of the name Heartbeat is used to define the scope of the query.

Queries can be written in various ways to arrive at the same result, provided that the query is syntactically correct. For instance, the following query is used to return an aggregated count of all records in the table with the name of Heartbeat:

Heartbeat
| summarize AggregatedValue = count() by Type

This query can also be written in the following form to return the exact same result:

union withsource = $table Heartbeat
| extend Type = $table
| summarize AggregatedValue = count() by Type

While these two queries return the same data, their behavior is rather different. Both are table-based queries (each references the table named Heartbeat), but the first query simply scopes the initial result set to the records in the Heartbeat table and passes them to the summarize tabular operator, which uses the aggregation argument and the count() aggregation function to return the count of all records in the Heartbeat table. These records are, as seen in the output, of the Heartbeat type.

The second query produces the same result, but does it slightly differently:

union withsource = $table Heartbeat

The query starts with the union tabular operator and uses the withsource argument to return all rows of the table named Heartbeat, recording the source table name in a column called $table:

| extend Type = $table

It then passes the initial result set to the extend tabular operator. This takes the tabular input from the preceding query line, creates a calculated column (Type) for the Heartbeat data, appends it to the result set, and passes the result on to the next part of the query for processing:

| summarize AggregatedValue = count() by Type

The extended data is then passed to the summarize tabular operator, which uses the aggregation argument and the count() aggregation function to return the count of all records in the Heartbeat table.

When you can arrive at a desired result from using various queries, use the simplest and most efficient queries, as this will result in noticeable query performance gains, especially when working with very large data sets.

As we will see later on with search-based queries, although the search term itself is case insensitive, the Log Analytics query language is, in fact, case-sensitive.

Query operators, functions, expressions, and other language keywords are typically written in lowercase. For table names and table column names, refer to the correct case in the Analytics portal schema pane.
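The union form shown above earns its keep when more than one table is in scope: the source-table column it adds lets one summarize step count records per table. The following is an added example, not a query from the book, and assumes a workspace that holds both the Heartbeat and Perf tables with their standard TimeGenerated column:

```kusto
// Added example (not from the book): count the records of the last hour
// in two tables at once, labelling each row with the table it came from.
// SourceTable is the column name chosen here for the withsource argument;
// Heartbeat and Perf are assumed to exist in the workspace.
union withsource = SourceTable Heartbeat, Perf
| where TimeGenerated > ago(1h)
| summarize AggregatedValue = count() by SourceTable
```

Note that TimeGenerated, Heartbeat and Perf must be written in exactly this case, while the operators (union, where, summarize) and functions (ago, count) are lowercase, as the text above describes.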