8

I am looking at Azure log analytics for a web app, and I have multiple out-of-the-box "tables" containing data: traces, requests, exceptions, etc.

Can I construct a query that runs on data from multiple tables? I don't want to join data from different sources, I just want to concatenate/interleave it, so I can look for e.g. "all traces and exceptions that contain the string 'SQL'".

Notionally, something like:

traces, exceptions
| where * contains "SQL"
| order by timestamp desc
| limit 100

Is this possible?

Peter
  • 3,619
  • 3
  • 31
  • 37
  • Does this answer your question? [How to write Kusto query to get results in one table?](https://stackoverflow.com/questions/55538434/how-to-write-kusto-query-to-get-results-in-one-table) – Liam Feb 19 '21 at 16:18
  • @liam that question is about interleaving results from two queries (which may or may not have the same "table" as a source). This one is about querying data from two tables in a single query. – Peter Feb 19 '21 at 20:12

2 Answers2

10

you can use union. Something I found very useful is to union all tables with union *. For example:

union *
| where * contains "SQL"

This way you will search in all tables for any column that contains SQL

If you want specific tables (for example traces and exceptions):

traces 
| union exceptions
| where * contains "SQL"

[Edit] There is also a newer command, with the same result (no benefits or cons with the previous one)

search in (table1, table2, table3) "SQL"
| where timestamp > ago(6h)
Carlos Garcia
  • 2,771
  • 1
  • 17
  • 32
0

You might also want to consider the search operator

search in (exceptions, traces) "SQL"
| order by timestamp desc 
| take 100

https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer

Matthias Güntert
  • 4,013
  • 6
  • 41
  • 89