Open In App

Microsoft Azure – Query Application Event Log Data using Azure KQL

Last Updated : 31 Mar, 2023
Improve
Improve
Like Article
Like
Save
Share
Report

Here in this article, we will find the application event log data from log analytics data sources using the custom query language(KQL). Application Event Logs that are captured should be retrieved using the KQL event operator. This KQL Event operator helps users to troubleshoot the application failures, warnings, and other informational sources for all the applications without logging into the application. The data can be captured or exported from the azure monitor itself.

Pre-requisite: 

  • Log Analytics Workspace Agent Configurations should be enabled to capture the log events.

1. Get Application Event Logs from Select Subscription:

The default KQL Query to find all the Event Logs from select subscription or subscriptions or a scope:

Event 
| where EventLog has "Application" and TimeGenerated > ago(1d)

Output:

2. Get all Application Event Log IDs from Select Scope:

The KQL Query to find all the captured application event log IDs from the select scope.

Event 
| where EventLog has "Application" and TimeGenerated > ago(1d)
| distinct EventID

Output:

3.  Get Application Event Logs for  Select Event ID: 

The KQL Query to the find the application event logs for the select event id or for the multiple event ids

Example 1: To find the application event logs for the select event id let’s say 455 from the select scope.

Event 
| where EventLog has "Application" and TimeGenerated > ago(1d)
| where EventID == "455"

Output:

Example 2:  To the find the application event logs for the multiple event id let’s say 455 and 1022 from select scope.

Event 
| where EventLog has "Application" and TimeGenerated > ago(1d)
| where EventID == "455" or EventID == "1022"

Output:

4. Get Generated Events:

The KQL Log Query to find all the events generated for the select subscription or subscriptions and project only the information of event timestamp, Source Application , Event Log Type, Event ID, Event Log Description and Event Generated Resource ID.

Event | where EventLog has "Application" and TimeGenerated > ago(1d)
| where EventID != ""
| project TimeGenerated, Source, EventLog, EventID, RenderedDescription, _ResourceId

Output:


Like Article
Suggest improvement
Previous
Microsoft Azure - Enable Local Cache on Azure App
Next
Microsoft Azure - Fetch License Details of Azure Servers
Share your thoughts in the comments

Similar Reads

Microsoft Azure - Query System Event Log Data Using Azure KQL
Microsoft Azure - Tracking Memory Utilization of Azure VM using KQL Log Query
Microsoft Azure - Track CPU Utilization of a Azure Virtual Machines using KQL Log Query
Microsoft Azure - Heartbeat KQL Log Monitoring Query
Microsoft Azure - Azure VM Disk Space in Percentage using Azure KQL
Microsoft Azure - Query Azure Storage Logs in Azure Monitor Log Analytics
Microsoft Azure - Export the List of Azure Storage Services using KQL
Microsoft Azure - Check Resource Owner in Azure using KQL
Microsoft Azure - Troubleshoot Azure VM Process using KQL
Microsoft Azure - Using KQL in Various Methods With Azure Tools
author
jaysurya9
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox