Running Kusto queries against multiple Log Analytics Workspaces with one single request

Your environment may have more than one Log Analytics workspace from which you want to fetch logs into a central view, for building Power BI reports or for any other reason. Log Analytics Workspace is an extremely powerful tool. If you have looked at some of my other posts you will come across some great use cases and capabilities for Log Analytics Workspace. With the information provided in this article you will be able to create a single Kusto query that spans multiple workspaces to which you have access. These workspaces may be in the same tenancy or in different tenancies, and you may have a CSP delegated account or an account that has read permissions on all the workspaces you want your query to fetch data from. The trick is to use the union operator.

Example

You want to fetch AzureActivity from multiple workspaces. You can simply run the following query:

union AzureActivity, workspace("d090b96d-a7a2-4674-a6c5-ce82696561d4").AzureActivity, workspace("a282cdb4-6819-4460-9bcb-3f716f9e8fa2").AzureActivity
| where TimeGenerated >= ago(1h)

This will fetch the AzureActivity logs from the current workspace you are connected to and from the two workspaces “d090b96d-a7a2-4674-a6c5-ce82696561d4” and “a282cdb4-6819-4460-9bcb-3f716f9e8fa2”. You can then simply build the rest of the query as usual.

(Note: The workspace IDs and subscription IDs shown here are not real, and the query will not work as is. You will need to replace them with the actual workspace IDs accessible to you.)

You can also reference a workspace by its full Azure resource ID, as shown below.

workspace("/subscriptions/b2a7d1ef-79b0-4598-9766-c32bcee26000/resourcegroups/TestLAWWorkspaceRG/providers/Microsoft.OperationalInsights/workspaces/TestLAWWorkspace").AzureActivity | where TimeGenerated >= ago(1h)

Other Use Cases

Making a remote query using the REST API or PowerShell offloads the task of bringing the data together from the different workspaces to the Log Analytics Workspace. You authenticate only once, which is faster, and most importantly the data from multiple workspaces is received as a single dataset, which is much faster to process than pulling data from more than one source and then joining the results using coding logic.

The number of Application Insights resources and Log Analytics workspaces that you can include in a single query is limited to 100.
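
When the workspace list comes from an inventory or configuration file and the query is submitted through the REST API or PowerShell, the query text has to be generated. The Python below is an added example, not code from the original post: it builds the union query shown earlier from a list of workspace identifiers, rejects anything that is not a workspace GUID or resource ID so that a value cannot break out of the quoted workspace("...") literal, and splits the list into queries of at most 100 workspaces. The function name, its parameters and the regular expressions are assumptions made for this example, as is counting the limit per workspace() reference.

```python
import re

MAX_WORKSPACES_PER_QUERY = 100  # limit stated in the article

_GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Assumed shapes for the two identifier forms the article uses.
WORKSPACE_ID = re.compile(_GUID)
RESOURCE_ID = re.compile(
    r"/subscriptions/" + _GUID + r"/resourcegroups/[A-Za-z0-9_.()-]+"
    r"/providers/Microsoft\.OperationalInsights/workspaces/[A-Za-z0-9-]+",
    re.IGNORECASE,
)
TABLE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
LOOKBACK = re.compile(r"[1-9][0-9]*[dhms]")


def build_union_queries(workspaces, table="AzureActivity", lookback="1h"):
    """Return KQL union queries, each naming at most 100 workspaces."""
    if not TABLE.fullmatch(table):
        raise ValueError(f"invalid table name: {table!r}")
    if not LOOKBACK.fullmatch(lookback):
        raise ValueError(f"invalid lookback: {lookback!r}")
    refs, seen = [], set()
    for ws in workspaces:
        ws = ws.strip()
        # Only these two shapes may reach the quoted workspace("...") literal;
        # quotes, pipes, spaces and comment markers are rejected here.
        if not (WORKSPACE_ID.fullmatch(ws) or RESOURCE_ID.fullmatch(ws)):
            raise ValueError(f"not a workspace GUID or resource ID: {ws!r}")
        if ws.lower() not in seen:  # identifiers are case-insensitive
            seen.add(ws.lower())
            refs.append(f'workspace("{ws}").{table}')
    if not refs:
        raise ValueError("no workspaces given")
    queries = []
    for start in range(0, len(refs), MAX_WORKSPACES_PER_QUERY):
        batch = refs[start:start + MAX_WORKSPACES_PER_QUERY]
        queries.append(
            "union " + ", ".join(batch)
            + f"\n| where TimeGenerated >= ago({lookback})"
        )
    return queries


if __name__ == "__main__":
    # Constructed sample IDs, the same placeholder values the article uses.
    sample = ["d090b96d-a7a2-4674-a6c5-ce82696561d4",
              "a282cdb4-6819-4460-9bcb-3f716f9e8fa2"]
    print(build_union_queries(sample)[0])
```

Because every workspace is named explicitly, the generated query returns the same data regardless of which workspace it is run from.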

For any queries or help please feel free to reach out to me.