Cross workspace reporting in log analytics



We had some consultants in last week talking about many different Azure topics - one of the things i mentioned was that it was really annoying that there seemed to be no way to report across multiple log analytics workspaces from a single point - take the example that i have some data in one workspace that also has some related data in a dashboard i want to built in a completely different workspace - there is no way (or at least i thought there was no way) to do this.

Anyway the consultant came back quite quickly and revealed there is a way (thanks Tobias) - it seems to be very new (only February this year) and it didn't seem to get a big fanfare announcement which maybe explained how i missed it (well that and the thousands of other announcements that are happening i guess.....) - but anyway it is there and it works just fine - and here is a quick demo of me checking that.

The way this has been enabled is to enable a new kind of higher level object which data can be fetched from - in the normal case to refer to data in you current workspace you would just start with something like

Alert|blah blah

The new feature enabled is to do something like this

workspace("workspace-name-here").Alert | blah blah

This then sources the data from a different log analytics workspace. Note there is more than one syntax for the workspace identifier - i'm just using the 'short name' version here but there are other methods including a fully qualified azure path.

To give a fuller example I want to display some of the info i get from the backup summary workspace i have (this i got from here https://azure.microsoft.com/de-de/blog/oms-monitoring-solution-for-azure-backup-using-azure-log-analytics/ ) It annoyed me how this had to go in a separate workspace as then i couldnt show it where i wanted to show it - anyway that seems to be resolved now :-)

So now i can take one of the queries from this prebuilt report and run that same query in any workspace i like - so i take the original query (which i can take zero credit for - the person who wrote it has more OMS skill than me)

let Events = AzureDiagnostics    | where Category == "AzureBackupReport" ;    Events    | where OperationName == "Storage"    | project ProtectedServerUniqueId_s, Resource, CloudStorageInBytes_s, TimeGenerated      | join kind=inner    (Events      | where OperationName == "ProtectedServer"   | where ProtectedServerFriendlyName_s !=""    | distinct ProtectedServerUniqueId_s, ProtectedServerFriendlyName_s      | project ProtectedServerUniqueId_s, ProtectedServerFriendlyName_s)     on ProtectedServerUniqueId_s     | project ProtectedServerFriendlyName_s, Resource, CloudStorageInBytes_s, TimeGenerated         | extend Vault= Resource      | extend CloudStorageInGB = todouble(CloudStorageInBytes_s) / 1073741824      | where TimeGenerated > ago(1d)   | top 5 by CloudStorageInGB desc  |project ProtectedServerFriendlyName_s, CloudStorageInGB 

(nich eh)

anyway the result of that is the top 5 consumers of backup space - in graphic form this looks like this

So my top server has 6000GB of backup......

To show this report on my 'other' workspace all i need to do is this (just add that little bit of orange text)

let Events = workspace("backup-worskpace-name-here").AzureDiagnostics    | where Category == "AzureBackupReport" ;    Events    | where OperationName == "Storage"    | project ProtectedServerUniqueId_s, Resource, CloudStorageInBytes_s, TimeGenerated      | join kind=inner    (Events      | where OperationName == "ProtectedServer"   | where ProtectedServerFriendlyName_s !=""    | distinct ProtectedServerUniqueId_s, ProtectedServerFriendlyName_s      | project ProtectedServerUniqueId_s, ProtectedServerFriendlyName_s)     on ProtectedServerUniqueId_s     | project ProtectedServerFriendlyName_s, Resource, CloudStorageInBytes_s, TimeGenerated         | extend Vault= Resource      | extend CloudStorageInGB = todouble(CloudStorageInBytes_s) / 1073741824      | where TimeGenerated > ago(1d)   | top 5 by CloudStorageInGB desc  |project ProtectedServerFriendlyName_s, CloudStorageInGB

Then it works transparently in any other workspace i have access too - very nice.

There is more info on the announcement here and some examples of the other workspace() functions syntax.

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-cross-workspace-search

I guess you could try and use this around the size limit per day for ingestion if you wanted to - but that would quickly get out of hand i feel :-)

Might avoid this though.....




Comments