Microsoft Azure – Query Application Event Log Data using Azure KQL

  • Last Updated : 21 Mar, 2022

In this article we retrieve Windows Application event log data from a Log Analytics workspace using the Kusto Query Language (KQL). Captured Application event log entries land in the Event table, which is what every query below reads. Querying this table lets you troubleshoot application failures, warnings and informational events across all monitored machines without signing in to each host. The results can be viewed or exported from Azure Monitor itself.

Pre-requisite:

  • The Log Analytics workspace agent configuration must have Windows event log collection enabled for the Application log; otherwise the Event table stays empty.

1. Get Application Event Logs from Select Subscription:

The default KQL query to list all Application event log entries from the selected subscription(s) or scope over the last day:

Event
// "Application" log only, restricted to the last 24 hours
| where EventLog has "Application" and TimeGenerated > ago(1d)

Output:

2. Get all Application Event Log IDs from Select Scope:

The KQL query to list the distinct Application event IDs captured in the selected scope:

Event
| where EventLog has "Application" and TimeGenerated > ago(1d)
// collapse to one row per event ID
| distinct EventID

Output:

3. Get Application Event Logs for a Select Event ID:

The KQL query to find the Application event log entries for one event ID or for several event IDs.

Example 1: To find the Application event log entries for a single event ID, say 455, from the selected scope.

Event
| where EventLog has "Application" and TimeGenerated > ago(1d)
// EventID is an integer column, so compare against a number, not a string
| where EventID == 455

Output:

Example 2: To find the Application event log entries for multiple event IDs, say 455 and 1022, from the selected scope.

Event
| where EventLog has "Application" and TimeGenerated > ago(1d)
// in() matches any of the listed integer event IDs
| where EventID in (455, 1022)

Output:

4. Get Generated Events:

The KQL query to list all events generated in the selected subscription(s) and project only the event timestamp, source application, event log name, event ID, rendered description and the resource ID of the machine that generated the event.

Event
| where EventLog has "Application" and TimeGenerated > ago(1d)
// EventID is an integer, so filter out missing values with isnotnull() rather than comparing to ""
| where isnotnull(EventID)
| project TimeGenerated, Source, EventLog, EventID, RenderedDescription, _ResourceId
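Building on the queries above, the following is an added example (not from the original article) that turns the raw Application log into a triage list: errors and warnings from the last day, grouped per machine, source and event ID, with first/last seen times and one sample description. It assumes the standard Log Analytics Event table columns EventLevelName and Computer; the Occurrences threshold of 5 is an arbitrary noise cut-off to tune per environment.

```kql
// Added example: Application-log errors and warnings, summarised for triage.
// Assumes the standard Event table schema (EventLevelName, Computer, Source, EventID).
Event
| where EventLog == "Application" and TimeGenerated > ago(1d)
// keep only Error and Warning level entries
| where EventLevelName in ("Error", "Warning")
| summarize Occurrences = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            // take_any() keeps one representative message per group
            SampleDescription = take_any(RenderedDescription)
    by Computer, Source, EventID, EventLevelName
// drop one-off noise; threshold is an assumption to adjust for your workspace
| where Occurrences >= 5
| order by Occurrences desc
| take 50
```

Sorting by Occurrences surfaces the noisiest failing source first; change the summarize key to bin(TimeGenerated, 1h) if you want a trend over the day instead of totals.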

Output:
