The Azure Log Analytics Workspace GUI is a little rough, and if you need to debug an issue in a hurry it’s much nicer to have your useful queries in your bash history so you can start reviewing logs quickly. Luckily, the Azure CLI provides an interface for querying these logs directly.

az monitor log-analytics query --workspace `az monitor log-analytics workspace list | jq -r '.[] | select(.name=="my-logs-workspace-name") | "\(.customerId)"'` --analytics-query 'AzureDiagnostics | where Category == "ApplicationGatewayAccessLog" | where requestUri_s contains "someStringICareAbout"' -t P0DT01H | jq '.[] | "\(.timeStamp_t) | \(.clientIP_s) | \(.serverStatus_s) | \(.requestUri_s)"'

Let’s break down the above block:

  1. The first thing you might notice is that I have a query within the query here; I’m listing my subscription’s workspace instances in order to pull out the workspace customer ID and feed it into the outer query’s --workspace option. The main reason I’m doing this is that this ID is machine generated, so from the ID alone you can’t really tell which Log Analytics instance you are querying.

  2. I’m relying heavily on jq here to reduce the noise of the output. There’s a lot of great content coming back from the service but usually you’re only interested in a few fields at once.

  3. The timespan option (shortened to -t): Azure makes frequent use of the ISO 8601 duration format. It’s fairly human readable, and here you can see I’m requesting one hour’s worth of logs (P0DT01H).
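
The three points above, wrapped as shell functions you can keep in your profile. This is an added example, not code from the original post: the function names (to_iso_duration, workspace_id, law_query) are hypothetical, and the workspace lookup uses az's built-in --query/-o tsv filtering in place of jq so that a mistyped workspace name fails early instead of sending an empty ID to the query.

```bash
# Added example; function names are hypothetical, not part of the Azure CLI.

# Convert a short window such as 30m, 1h or 2d into an ISO 8601 duration.
to_iso_duration() {
  local n unit
  n="${1%?}"          # everything except the last character
  unit="${1#"$n"}"    # the last character (m, h or d)
  case "$n" in
    ''|*[!0-9]*) echo "bad window: $1" >&2; return 2 ;;
  esac
  case "$unit" in
    m) echo "PT${n}M" ;;
    h) echo "PT${n}H" ;;
    d) echo "P${n}D" ;;
    *) echo "bad window: $1" >&2; return 2 ;;
  esac
}

# Resolve a workspace name to its machine-generated customerId.
# The name is interpolated into the JMESPath filter, so pass only
# trusted workspace names (no quote characters).
workspace_id() {
  local id
  id=$(az monitor log-analytics workspace list \
         --query "[?name=='$1'].customerId | [0]" -o tsv) || return 1
  if [ -z "$id" ]; then
    echo "workspace not found: $1" >&2
    return 1
  fi
  echo "$id"
}

# law_query WORKSPACE_NAME KQL WINDOW
# Prints the raw JSON rows; pipe to jq to trim fields as in the post.
law_query() {
  local ws span
  ws=$(workspace_id "$1") || return 1
  span=$(to_iso_duration "$3") || return 2
  az monitor log-analytics query --workspace "$ws" \
    --analytics-query "$2" --timespan "$span"
}

# Usage:
#   law_query my-logs-workspace-name \
#     'AzureDiagnostics | where Category == "ApplicationGatewayAccessLog"' 1h \
#     | jq '.[] | "\(.timeStamp_t) | \(.clientIP_s) | \(.serverStatus_s)"'
```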