Using Azure Log Analytics Distinct Operator

This post is aimed at beginners with Azure Log Analytics. I’ll be discussing how you can use the Azure Log Analytics Distinct operator when you query data in your Log Analytics workspace. The Distinct operator is useful when you want to de-duplicate your data, generate a report, or find out how many unique values you have in a solution.

Examples:

First, using:

Perf
| distinct Computer

We can find all the computers that are reporting performance data to Log Analytics.


Using the same method we can find the computers that are reporting data for any solution, simply by replacing Perf with the name of that solution’s table in the workspace.

Using the same performance example, what if we wanted to find all the object types that we have performance data for?

We would use:

Perf
| distinct ObjectName


And finally we want to see all the metrics for each object, in this case CounterName.

Perf
| distinct ObjectName, CounterName


This shows all the metrics we are currently collecting for performance data.

Moving on to a different solution. We’ll use the Update Management solution, which you’ll need if you want to try these queries.

We can get our Windows Update Settings for all servers we’re managing with the Update Management solution.

UpdateSummary
| distinct Computer, WindowsUpdateSetting


However, we’re not limited to just one or two fields. We can add more; in this example we’ll get our servers, their update setting, OS version and the age in days of the oldest security update they are missing.

UpdateSummary
| distinct Computer, WindowsUpdateSetting, OsVersion, OldestMissingSecurityUpdateInDays


Finally, we can quickly build a report of servers needing updates, with the KB number and title of each update.

Update
| where UpdateState == "Needed"
| distinct Computer, KBID, Title


One thing to note about this last query: when the time frame for the query is longer than 24 hours it could return inaccurate data. For instance, some of your servers may have been updated during that time frame, and the query would still list the earlier "Needed" records for them.
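One way to reduce that inaccuracy is to keep only the most recent record for each computer and KB before filtering on the state. The query below is an added example, not from the original post; it assumes the Update table carries the standard TimeGenerated column alongside the Computer, KBID, UpdateState and Title columns used above.

```kusto
// Added example, not from the original post. For each computer/KB pair keep only
// the newest record in the selected time range, so an update that was installed
// after an earlier "Needed" report is no longer listed as outstanding.
// Assumes the standard TimeGenerated column plus the Update columns used above.
Update
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, UpdateState, Title) by Computer, KBID
| where UpdateState == "Needed"      // column names and string values are case sensitive
| project Computer, KBID, Title
| order by Computer asc, KBID asc
```

Replacing the last two lines with `| summarize NeededUpdates = dcount(KBID) by Computer` turns the same result into a count of outstanding updates per server.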

This was a quick post on using the Azure Log Analytics Distinct operator. One more thing to note: the new language for Azure Log Analytics is case sensitive, just like the old one.

You can find more documentation from Microsoft on the language here https://docs.loganalytics.io/docs/Language-Reference/Change-log
