Edit

Share via

Queries for the OEPDataplaneLogs table

  • Article

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Visualizing Error Response Codes

Categorize log messages by HTTP response codes, filters out logs without a response code, and summarizes the count of each response code over a specified time granularity. It then renders a column chart for visualization.

OEPDataplaneLogs
// Categorize messages based on HTTP response codes
| extend ResponseCode = case(
    Message has_any ("Status=500", "Internal Server Error"), "500",
    Message has_any ("Status=401", "Unauthorized"), "401",
    Message has_any ("Status=403", "Forbidden"), "403",
    Message has_any ("Status=429", "RequestBodyTooLarge"), "429",
    ""
)
// Filter out logs without a response code
| where ResponseCode != ""
// Summarize the count of each response code over a specified time range
| summarize Count = count() by bin(TimeGenerated, 5m), ResponseCode
// Render a column chart for visualization
| render columnchart

Analyzing User Activity in Storage Logs

Extract UserId values, filters logs to include only those with a UserId and belonging to the StorageLogs category, and checks for specific HTTP methods. It then summarizes the count of logs per user over daily intervals and renders a pie chart for visualization.

OEPDataplaneLogs
// Extract UserId from the Message field using a regular expression
| extend UserId = extract(@"user-id=([a-zA-Z0-9_-@.]+)", 1, Message)
// Filter out logs without a UserId
| where UserId != ""
// Filter logs to include only those in the "StorageLogs" category
| where Category == "StorageLogs"
// Filter logs to include only those with specific HTTP methods
| where Message has_any (  
  "GET",
  "POST",
  "PUT",
  "DELETE",
  "PATCH",
  "HEAD",
  "OPTIONS" 
)
// Summarize the count of logs per user over daily intervals
| summarize Count = count() by bin(TimeGenerated, 1d), UserId
// Render a pie chart for visualization
| render piechart

Categorizing Logs by OSDU Service

This KQL query summarizes the count of logs by category over the last 24 hours and renders a pie chart for visualization.

OEPDataplaneLogs
// Summarize the count of logs by category over the last day
| summarize Count = count() by bin(TimeGenerated, 1d), Category
// Render a pie chart for visualization
| render piechart

Visualizing User Activity

Extract UserId values, filters out logs without a UserId, and summarizes the count of logs per user over the last 24 hours. Renders a pie chart to visualize user activity.

OEPDataplaneLogs
// Extract UserId from the Message field using a regular expression
| extend UserId = extract(@"user-id=([a-zA-Z0-9_-@.]+)", 1, Message)
// Filter out logs without a UserId
| where UserId != ""
// Summarize the count of logs per user over the last day
| summarize Count = count() by bin(TimeGenerated, 1d), UserId
// Render a pie chart to visualize user activity
| render piechart

Visualizing Recent Activity

Filters logs to the last 30 minutes, categorizes them by HTTP response codes, and counts the total number of logs and errors. It then summarizes these counts in 15-second intervals and renders a timechart for visual analysis.

OEPDataplaneLogs
// Filter logs to the last 30 minutes
| where TimeGenerated >= ago(30m)
// | extend UserId = extract(@"user-id=([a-zA-Z0-9_-@.]+)", 1, Message) // Uncomment if you want to only display user actions
// | where notempty(UserId) //// Uncomment if you want to only display user actions
// Categorize messages based on HTTP response codes
| extend ResponseCode = case(
    Message has_any ("Status=500", "Internal Server Error"), "500",
    Message has_any ("Status=401", "Unauthorized"), "401",
    Message has_any ("Status=403", "Forbidden"), "403",
    Message has_any ("Status=429", "RequestBodyTooLarge"), "429",
    ""
)
// Mark entries as errors if they match specific response codes
| extend ErrorCount = ResponseCode has_any ("500", "401", "403", "429")
// Summarize total logs and errors in 15-second intervals
| summarize Total = count(), Errors = count(ErrorCount) by bin(TimeGenerated, 15s)
// Render a timechart for visual analysis
| render timechart with (ysplit=axes)

Ensuring Correlation ID Presence

Ensures that each log entry has a CorrelationId. If the CorrelationId is missing, it extracts the value from the Message field using a regular expression.

OEPDataplaneLogs
// Ensure each log entry has a CorrelationId by using the existing one or extracting it from the Message field
| extend CorrelationId = iff(notempty(CorrelationId), CorrelationId, extract(@"correlation-id=([a-zA-Z0-9_-]+)", 1, Message))

Extracting and Categorizing HTTP Response Codes

Categorize log messages based on HTTP response codes. It extends the log data with a new column called ResponseCode and displays only relevant fields.

OEPDataplaneLogs
// Define ResponseCodes based on Message content and extends into a separate column.
| extend ResponseCode = case(
    Message has_any ("Status=500", "Internal Server Error"), "500",  // Internal Server Error
    Message has_any ("Status=401", "Unauthorized"), "401",           // Unauthorized Access
    Message has_any ("Status=403", "Forbidden"), "403",              // Forbidden Access
    Message has_any ("Status=429", "RequestBodyTooLarge"), "429",    // Request Body Too Large
    Message has_any ("Status=200", "200 OK"), "200",                 // Successful Request
    Message has "Status=201", "201",                                 // Resource Created
    ""                                                               // Default case if no match
)
//
// Displays only relevant columns
//
| project TimeGenerated, Category, Message, LogLevel, CorrelationId, ResponseCode