Azure Log Analytics Project Operator

This post is aimed at beginners with Azure Log Analytics. I’ll be discussing how you can use the Azure Log Analytics Project operator when you query data in your Log Analytics workspace. The Project operator works similarly to Select-Object in Powershell.

If we do:


Perf
| where TimeGenerated ago(1h)

We get a bunch of fields back. Including our TenantId, which I have blurred.

log analytics project operator

But if we do:

Perf
| where TimeGenerated ago(1h))
| project Computer, CounterName, InstanceName

log analytics project operator

You can see that it returns back only the fields I have included behind the project operator.

 

Project can also be used to rename columns.

If we do:

Perf
| where TimeGenerated ago(1h)
| project ComputationalDeviceName = Computer, Countername, InstanceName

log analytics project operator

We have renamed our Computer column to “ComputationalDeviceName”

 

There is also a project-away operator. This does the opposite of the project operator. Any field included behind project-away will be excluded from the data set results.

Perf
| where TimeGenerated ago(1h)
| project-away TenantId

log analytics project operator

This removes the TenantId field but includes everything else.

 

Summary

Use the log analytics project operator to limit results to fields you want, rename fields or project-away fields. Limiting the results, is especially useful in creating alerts in Log Analytics to limit the alert results to only the pertinent information.