Analyze data using Log Analytics Simple mode
Log Analytics now offers two modes that make log data simpler to explore and analyze for both basic and advanced users:
- Simple mode provides the most commonly used Azure Monitor Logs functionality in an intuitive, spreadsheet-like experience. Just point and click to filter, sort, and aggregate data to get to the insights you need 80% of the time.
- KQL mode gives advanced users the full power of Kusto Query Language (KQL) to derive deeper insights from their logs using the Log Analytics query editor.
You can switch seamlessly between Simple and KQL modes, and advanced users can share complex queries that anyone can continue working with in Simple mode.
Note
Configure Log Analytics settings to open Log Analytics in Simple or KQL mode by default.
This article explains how to use Log Analytics Simple mode to explore and analyze data in Azure Monitor Logs.
Here's a video that provides a quick overview of how to query logs in Log Analytics using both Simple and KQL modes:
How Simple mode works
Simple mode lets you get started quickly by retrieving data from one or more tables with one click. You then use a set of intuitive controls to explore and analyze the retrieved data.
This section orients you with the controls available in Log Analytics Simple mode.
Top query bar
In Simple mode, the top bar has controls for working with data and switching to KQL mode.
| Option | Description |
|---|---|
| Time range | Select the time range for the data available to the query. In KQL mode, if you set a different time range in your query, the time range you set in the time picker is overridden. |
| Show | Configure the number of entries Log Analytics retrieves in Simple mode. The default limit is 1000. For more information on query limits, see Configure query results limit. |
| Add | Add filters, and apply Simple mode operators, as described in Explore and analyze data in Simple mode. |
| Simple/KQL mode | Switch between Simple and KQL mode. |
Left pane
The collapsible left pane gives you access to tables, example and saved queries, functions, and query history.
Pin the left pane to keep it open while you work, or maximize your query window by selecting an icon from the left pane only when you need it.
| Option | Description |
|---|---|
| Tables | Lists the tables that are part of the selected scope. Select Group by to change the grouping of the tables. Hover over a table name to view the table's description and a link to its documentation. Expand a table to view its columns. Select a table to run a query on it. |
| Queries | Lists example and saved queries. This is the same list that's in the Queries Hub. Select Group by to change the grouping of the queries. Hover over a query to view the query's description. Select a query to run it. |
| Functions | Lists functions, which allow you to reuse predefined query logic in your log queries. |
| Query history | Lists your query history. Select a query to rerun it. |
More tools
This section describes more tools available above the query area of the screen, as shown in this screenshot, from left to right.
| Option | Description |
|---|---|
| Tab context menu | Change query scope or rename, duplicate, or close tab. |
| Save | Save a query to a query pack or as a function, or pin your query to a workbook, an Azure dashboard, or Grafana dashboard. |
| Share | Copy a link to your query, the query text, or query results, or export data to Excel, CSV, or Power BI. |
| New alert rule | Create a new alert rule. |
| Search job mode | Run a search job. |
| Log Analytics settings | Define default Log Analytics settings, including time zone, whether Log Analytics opens in Simple or KQL mode, and whether to display tables with no data. |
| Switch back to classic Logs | Switch back to the classic Log Analytics user interface. |
| Queries Hub | Open the example queries dialog that appears when you first open Log Analytics. |
Get started in Simple mode
When you select a table or a predefined query or function in Simple mode, Log Analytics automatically retrieves the relevant data for you to explore and analyze.
This lets you retrieve logs with one click whether you open Log Analytics in resource or workspace context.
To get started, you can:
Click Select a table and select a table from the Tables tab to view table data.
Alternatively, select Tables from the left pane to view the list of tables in the workspace.
Use an existing query, such as a shared or saved query, or an example query.
Select a query from your query history.
Select a function.
Important
Functions let you reuse query logic and often require input parameters or additional context. In such cases, the function won't run until you switch to KQL mode and provide the required input.
Explore and analyze data in Simple mode
After you get started in Simple mode, you can explore and analyze data using the top query bar.
Note
The order in which you apply filters and operators affects your query and results. For example, if you apply a filter and then aggregate, Log Analytics applies the aggregation to the filtered data. If you aggregate and then filter, the aggregation is applied to the unfiltered data.
Change time range and number of records displayed
By default, Simple mode lists the latest 1,000 entries in the table from the last 24 hours.
To change the time range and number of records displayed, use the Time range and Show selectors. For more information about result limit, see Configure query result limit.
Filter by column
Select Add and choose a column.
Select a value to filter by, or enter text or numbers in the Search box.
If you filter by selecting values from a list, you can select multiple values. If the list is long, you'll see a Not all results are shown message. Scroll to the bottom of the list and select Load more results to retrieve more values.
Search for entries that have a specific value in the table
Select Search.
Enter a string in the Search this table box and select Apply.
Log Analytics filters the table to show only entries that contain the string you entered.
Important
We recommend using Filter if you know which column holds the data you're searching for. The search operator is substantially less performant than filtering, and might not function well on large volumes of data.
Aggregate data
Select Aggregate.
Select a column to aggregate by and select an operator to aggregate by, as described in Use aggregation operators.
Show or hide columns
Select Show columns.
Select or clear columns to show or hide them, then select Apply.
Sort by column
Select Sort.
Select a column to sort by.
Select Ascending or Descending, then select Apply.
Select Sort again to sort by another column.
Use aggregation operators
Use aggregation operators to summarize data from multiple rows, as described in this table.
| Operator | Description |
|---|---|
| count | Counts the number of times each distinct value exists in the column. |
| dcount | For the dcount operator, you select two columns. The operator counts the total number of distinct values in the second column correlated to each value in the first column. For example, this shows the distinct number of result codes for successful and failed operations:
|
| sum avg max min |
For these operators, you select two columns. The operators calculate the sum, average, maximum, or minimum of all values in the second column for each value in the first column. For example, this shows the total duration of each operation in milliseconds for the past 24 hours:
|
Important
Basic logs tables don't support aggregation using the avg and sum operators.
Switch modes
To switch modes, select Simple mode or KQL mode from the dropdown in the top right corner of the query editor.
When you begin to query logs in Simple mode and then switch to KQL mode, the query editor is prepopulated with the KQL query related to your Simple mode analysis. You can then edit and continue working with the query.
For straightforward queries on a single table, Log Analytics displays the table name at the right of the top query bar in Simple mode. For more complex queries, Log Analytics displays User Query at the left of the top query bar. Select User Query to return to the query editor and modify your query at any time.
Configure query result limit
Select Show to open the Show results window.
Select one of the preset limits, or enter a custom limit.
The maximum number of results that you can retrieve in the Log Analytics portal experience, in both Simple mode and KQL mode, is 30,000. However, when you share a Log Analytics query with an integrated tool, or use the query in a search job, the query limit is set based on the tools you choose.
Select Max. limit to return the maximum number of results provided by any of the tools available on the Share window or using a search job.
This table lists the maximum result limits of Azure Monitor log queries using the various tools:
Tool Description Max. limit Log Analytics Queries you run in the Azure portal. 30,000 Excel, Power BI, Log Analytics Query API Queries you use in Excel and Power BI, which are integrated with Log Analytics, and queries you run using the API. 500,000 Search job Azure Monitor reingests the results of a query your run in search job mode into a new table in your Log Analytics. 1,000,000
Next steps
- Walk through a tutorial on using KQL mode in Log Analytics.
- Access the complete reference documentation for KQL.