# Using Kqlmagic to analyze Azure SQL logs and metrics

There are two main tables in Azure Log Analytics (Azure Monitor Logs) workspace that capture Azure SQL events:
1. AzureDiagnostics
2. AzureMetric


## 1. Connect to Log Analytics workspace

Workspace is similar to what a database is to SQL. You connect to Log Analytics workspace to start querying data. 

### 1.1 Load Kqlmagic
Need to load Kqlmagic first before we can start writing queries.

In [1]:
%reload_ext Kqlmagic

### 1.2 Connect to the desired Log Analytics workspace

In [None]:
tenantID = input("Enter Log Analytics Workspace ID (guid)")
print(tenantID)

In [3]:
%kql loganalytics://code;workspace=tenantID;alias="myLogAnalyticsWorkspace" -try-azcli_login //-!se

## 2. Analyze events by Diagnostic Settings

Let's do a simple query first to analyze the number of events by Operation Name. 

> **Note**: Each row in AzureDiagnostic represents an event for specific Operation or category. Some SQL actions may result in generating multiple events of different types.



In [19]:
%%kql AzureDiagnostics
| summarize count() by OperationName

Unnamed: 0,OperationName,count_
0,AuditEvent,3404
1,DeadlockEvent,5
2,ErrorEvent,139
3,QueryStoreRuntimeStatisticsEvent,7
4,TimeoutEvent,1



The above query's equivalent in SQL is:
```
SELECT COUNT(*) AS [count_]
FROM AzureDiagnostics
GROUP BY OperationName
```


Count my Azure SQL DB events by category / diagnostic settings.

In [9]:
%%kql AzureDiagnostics
| where LogicalServerName_s == "jukoesmasqldb"
| where TimeGenerated >= ago(5d)
| summarize count() by Category
| render barchart with (title = "Azure SQL DB Diagnostic Category")

## 3. Performance troubleshooting Query (from Azure Portal)

Potentially a query or deadlock on the system that could lead to poor performance. The following is a query suggested by Azure Portal.

In [20]:
%%kql 
AzureMetrics
| where ResourceProvider == "MICROSOFT.SQL"
| where TimeGenerated >=ago(60min)
| where MetricName in ('deadlock')
| parse _ResourceId with * "/microsoft.sql/servers/" Resource // subtract Resource name for _ResourceId
| summarize Deadlock_max_60Mins = max(Maximum) by Resource, MetricName

Unnamed: 0,Resource,MetricName,Deadlock_max_60Mins
0,jukoesmasqldb/databases/adventureworks,deadlock,1.0


# AzureMetrics

This is a sample query to dig into AzureMetrics

In [21]:
%%kql
AzureMetrics
| project-away TenantId, ResourceId, SubscriptionId, _ResourceId, ResourceGroup // Don't show sensitive columns :) 
| project TimeGenerated, MetricName, Total, Count, UnitName
| take 10


Unnamed: 0,TimeGenerated,MetricName,Total,Count,UnitName
0,2021-02-03 04:39:00+00:00,storage,58458112.0,2.0,Bytes
1,2021-02-03 04:39:00+00:00,physical_data_read_percent,0.0,4.0,Percent
2,2021-02-03 04:39:00+00:00,storage_percent,0.0,2.0,Percent
3,2021-02-03 04:39:00+00:00,sessions_percent,0.0,4.0,Percent
4,2021-02-03 04:39:00+00:00,cpu_percent,0.0,4.0,Percent
5,2021-02-03 04:39:00+00:00,allocated_data_storage,67108864.0,2.0,Bytes
6,2021-02-03 04:39:00+00:00,workers_percent,0.0,4.0,Percent
7,2021-02-03 04:39:00+00:00,log_write_percent,0.0,4.0,Percent
8,2021-02-03 04:39:00+00:00,cpu_limit,12.0,6.0,Count
9,2021-02-03 04:39:00+00:00,xtp_storage_percent,0.0,4.0,Percent


# AzureDiagnostics

This is a sample query to dig into AzureDiagnostics. This table tends to have more details than AzureMetrics.

In [22]:
%%kql
AzureDiagnostics
| project-away TenantId, ResourceId, SubscriptionId, ResourceGroup, _ResourceId // Don't show sensitive columns :) 
| take 10

Unnamed: 0,TimeGenerated,Category,ResourceProvider,Resource,ResourceType,OperationName,ResultType,CorrelationId,ResultDescription,Tenant_g,JobId_g,RunbookName_s,StreamType_s,Caller_s,requestUri_s,Level,DurationMs,CallerIPAddress,OperationVersion,ResultSignature,id_s,status_s,LogicalServerName_s,Message,clientInfo_s,httpStatusCode_d,identity_claim_appid_g,identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,userAgent_s,ruleName_s,identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s,systemId_g,isAccessPolicyMatch_b,EventName_s,httpMethod_s,subnetId_s,type_s,instanceId_s,macAddress_s,vnetResourceGuid_g,direction_s,subnetPrefix_s,primaryIPv4Address_s,conditions_sourcePortRange_s,priority_d,conditions_destinationPortRange_s,conditions_destinationIP_s,conditions_None_s,conditions_sourceIP_s,httpVersion_s,matchedConnections_d,startTime_t,endTime_t,DatabaseName_s,clientIP_s,host_s,requestQuery_s,sslEnabled_s,clientPort_d,httpStatus_d,receivedBytes_d,sentBytes_d,timeTaken_d,resultDescription_ErrorJobs_s,resultDescription_ChildJobs_s,identity_claim_http_schemas_microsoft_com_identity_claims_scope_s,workflowId_s,resource_location_s,resource_workflowId_g,resource_resourceGroupName_s,resource_subscriptionId_g,resource_runId_s,resource_workflowName_s,_schema_s,correlation_clientTrackingId_s,properties_sku_Family_s,properties_sku_Name_s,properties_tenantId_g,properties_enabledForDeployment_b,code_s,resultDescription_Summary_MachineId_s,resultDescription_Summary_ScheduleName_s,resultDescription_Summary_Status_s,resultDescription_Summary_StatusDescription_s,resultDescription_Summary_MachineName_s,resultDescription_Summary_TotalUpdatesInstalled_d,resultDescription_Summary_RebootRequired_b,resultDescription_Summary_TotalUpdatesFailed_d,resultDescription_Summary_InstallPercentage_d,resultDescription_Summary_StartDateTimeUtc_t,resource_triggerName_s,resultDescription_Summary_InitialRequiredUpdatesCount_d,properties_enabledForTemplateDeployment_b,resultDescription_Summary_EndDateTimeUtc_s,resultDescription_Summary_DurationInMinutes_s,resource_originRunId_s,properties_enabledForDiskEncryption_b,resource_actionName_s,correlation_actionTrackingId_g,resultDescription_Summary_EndDateTimeUtc_t,resultDescription_Summary_DurationInMinutes_d,conditions_protocols_s,identity_claim_ipaddr_s,ElasticPoolName_s,identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s,RunOn_s,query_hash_s,SourceSystem,MG,ManagementGroupName,Computer,RawData,interval_start_time_d,interval_end_time_d,logical_io_writes_d,max_logical_io_writes_d,physical_io_reads_d,max_physical_io_reads_d,logical_io_reads_d,max_logical_io_reads_d,execution_type_d,count_executions_d,cpu_time_d,max_cpu_time_d,dop_d,max_dop_d,rowcount_d,max_rowcount_d,query_max_used_memory_d,max_query_max_used_memory_d,duration_d,max_duration_d,num_physical_io_reads_d,max_num_physical_io_reads_d,log_bytes_used_d,max_log_bytes_used_d,query_id_d,plan_id_d,statement_sql_handle_s,error_state_d,deadlock_xml_s,query_plan_hash_s,error_number_d,Severity,user_defined_b,state_d,package_s,event_s,sessionName_s,originalEventTimestamp_t,audit_schema_version_d,event_time_t,sequence_number_d,action_id_s,action_name_s,succeeded_s,is_column_permission_s,session_id_d,server_principal_id_d,database_principal_id_d,target_server_principal_id_d,target_database_principal_id_d,object_id_d,user_defined_event_id_d,transaction_id_d,class_type_s,class_type_description_s,securable_class_type_s,duration_milliseconds_d,response_rows_d,affected_rows_d,client_ip_s,permission_bitmask_g,sequence_group_id_g,session_server_principal_name_s,server_principal_name_s,server_principal_sid_s,database_principal_name_s,target_server_principal_name_s,target_server_principal_sid_s,target_database_principal_name_s,server_instance_name_s,database_name_s,schema_name_s,object_name_s,statement_s,additional_information_s,user_defined_information_s,application_name_s,connection_id_g,data_sensitivity_information_s,host_name_s,session_context_s,is_server_level_audit_s,event_id_g,AdditionalFields,Type
0,2021-02-03 04:22:13.290000+00:00,SQLSecurityAuditEvents,MICROSOFT.SQL,MASTER,SERVERS/DATABASES,AuditEvent,,,,,,,,,,,,,,,,,jukoesmasqldb,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,NaT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,,,,,,,,,,NaT,,,,,,,,Azure,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecAudit,audit_event_shoebox,audit_session_for_shoebox,2021-02-03 04:22:13.289000+00:00,1.0,2021-02-03 04:22:13.024000+00:00,1.0,DBAS,DATABASE AUTHENTICATION SUCCEEDED,True,False,99.0,0.0,1.0,0.0,0.0,5.0,0.0,0.0,DB,DATABASE,DATABASE,0.0,0.0,0.0,131.107.174.142,00000000-0000-0000-0000-000000000000,64ec90b3-f5f4-496e-ab72-75595f06a6f2,adslivesite,adslivesite,01060000000001640000000000000000cef04990da1423...,dbo,,,,jukoesmasqldb,AdventureWorks,,AdventureWorks,,,,azdata-GeneralConnection,b40baaea-b083-427f-ac02-6fd367e02a5f,,MSSQLGIRL-01,,True,21fb301b-8f69-4543-b40d-fdd92c8dd825,,AzureDiagnostics
1,2021-02-03 04:22:13.290000+00:00,SQLSecurityAuditEvents,MICROSOFT.SQL,MASTER,SERVERS/DATABASES,AuditEvent,,,,,,,,,,,,,,,,,jukoesmasqldb,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,NaT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,,,,,,,,,,NaT,,,,,,,,Azure,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecAudit,audit_event_shoebox,audit_session_for_shoebox,2021-02-03 04:22:13.289000+00:00,1.0,2021-02-03 04:22:13.180000+00:00,1.0,BCM,BATCH COMPLETED,True,False,99.0,0.0,1.0,0.0,0.0,5.0,0.0,0.0,DB,DATABASE,DATABASE,61.0,1.0,1.0,131.107.174.142,00000000-0000-0000-0000-000000000000,e687a6dd-2190-412f-ae83-11ce041878b7,adslivesite,adslivesite,01060000000001640000000000000000cef04990da1423...,dbo,,,,jukoesmasqldb,AdventureWorks,,AdventureWorks,"SELECT SERVERPROPERTY('EngineEdition'), SERVER...",,,azdata-GeneralConnection,b40baaea-b083-427f-ac02-6fd367e02a5f,,MSSQLGIRL-01,,True,b903d7fc-82ef-4579-b09a-4b1e1b08cc93,,AzureDiagnostics
2,2021-02-03 04:22:13.290000+00:00,SQLSecurityAuditEvents,MICROSOFT.SQL,MASTER,SERVERS/DATABASES,AuditEvent,,,,,,,,,,,,,,,,,jukoesmasqldb,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,NaT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,,,,,,,,,,NaT,,,,,,,,Azure,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecAudit,audit_event_shoebox,audit_session_for_shoebox,2021-02-03 04:22:13.289000+00:00,1.0,2021-02-03 04:22:13.259000+00:00,1.0,BCM,BATCH COMPLETED,True,False,99.0,0.0,1.0,0.0,0.0,5.0,0.0,0.0,DB,DATABASE,DATABASE,0.0,1.0,1.0,131.107.174.142,00000000-0000-0000-0000-000000000000,bea05548-107f-4e8a-8f86-b9b3fcef8888,adslivesite,adslivesite,01060000000001640000000000000000cef04990da1423...,dbo,,,,jukoesmasqldb,AdventureWorks,,AdventureWorks,"SELECT ISNULL(SESSIONPROPERTY ('ANSI_NULLS'), ...",,,azdata-GeneralConnection,b40baaea-b083-427f-ac02-6fd367e02a5f,,MSSQLGIRL-01,,True,035a19e4-0949-4e33-a258-e443706b8960,,AzureDiagnostics
3,2021-02-03 04:22:14.290000+00:00,SQLSecurityAuditEvents,MICROSOFT.SQL,MASTER,SERVERS/DATABASES,AuditEvent,,,,,,,,,,,,,,,,,jukoesmasqldb,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,NaT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,,,,,,,,,,NaT,,,,,,,,Azure,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecAudit,audit_event_shoebox,audit_session_for_shoebox,2021-02-03 04:22:14.285000+00:00,1.0,2021-02-03 04:22:13.290000+00:00,1.0,BCM,BATCH COMPLETED,True,False,99.0,0.0,1.0,0.0,0.0,5.0,0.0,0.0,DB,DATABASE,DATABASE,0.0,1.0,1.0,131.107.174.142,00000000-0000-0000-0000-000000000000,3ae1aaaf-c1bc-4965-a895-7c0c921b66f5,adslivesite,adslivesite,01060000000001640000000000000000cef04990da1423...,dbo,,,,jukoesmasqldb,AdventureWorks,,AdventureWorks,"SELECT SERVERPROPERTY('EngineEdition'), SERVER...",,,azdata-GeneralConnection,b40baaea-b083-427f-ac02-6fd367e02a5f,,MSSQLGIRL-01,,True,56b83ff2-759f-408a-91bd-ffcd95d63308,,AzureDiagnostics
4,2021-02-03 04:22:14.290000+00:00,SQLSecurityAuditEvents,MICROSOFT.SQL,MASTER,SERVERS/DATABASES,AuditEvent,,,,,,,,,,,,,,,,,jukoesmasqldb,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,NaT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,,,,,,,,,,NaT,,,,,,,,Azure,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecAudit,audit_event_shoebox,audit_session_for_shoebox,2021-02-03 04:22:14.285000+00:00,1.0,2021-02-03 04:22:13.305000+00:00,1.0,BCM,BATCH COMPLETED,True,False,99.0,0.0,1.0,0.0,0.0,5.0,0.0,0.0,DB,DATABASE,DATABASE,0.0,1.0,1.0,131.107.174.142,00000000-0000-0000-0000-000000000000,35a0e915-9e87-4ae2-b1eb-dab303d3879e,adslivesite,adslivesite,01060000000001640000000000000000cef04990da1423...,dbo,,,,jukoesmasqldb,AdventureWorks,,AdventureWorks,"SELECT ISNULL(SESSIONPROPERTY ('ANSI_NULLS'), ...",,,azdata-GeneralConnection,b40baaea-b083-427f-ac02-6fd367e02a5f,,MSSQLGIRL-01,,True,d85b82df-a271-4116-bb4e-a1e53370f7d7,,AzureDiagnostics
5,2021-02-03 04:22:14.290000+00:00,SQLSecurityAuditEvents,MICROSOFT.SQL,MASTER,SERVERS/DATABASES,AuditEvent,,,,,,,,,,,,,,,,,jukoesmasqldb,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,NaT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,,,,,,,,,,NaT,,,,,,,,Azure,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecAudit,audit_event_shoebox,audit_session_for_shoebox,2021-02-03 04:22:14.285000+00:00,1.0,2021-02-03 04:22:13.337000+00:00,1.0,BCM,BATCH COMPLETED,True,False,99.0,0.0,1.0,0.0,0.0,5.0,0.0,0.0,DB,DATABASE,DATABASE,0.0,1.0,1.0,131.107.174.142,00000000-0000-0000-0000-000000000000,82be3fad-8051-48c7-8827-f77c409862cf,adslivesite,adslivesite,01060000000001640000000000000000cef04990da1423...,dbo,,,,jukoesmasqldb,AdventureWorks,,AdventureWorks,"SELECT CONVERT(NVARCHAR(36), CONTEXT_INFO())",,,azdata-GeneralConnection,b40baaea-b083-427f-ac02-6fd367e02a5f,,MSSQLGIRL-01,,True,a8bc2dd8-7bb0-4a91-8097-1ecbdaf22f82,,AzureDiagnostics
6,2021-02-03 04:22:14.290000+00:00,SQLSecurityAuditEvents,MICROSOFT.SQL,MASTER,SERVERS/DATABASES,AuditEvent,,,,,,,,,,,,,,,,,jukoesmasqldb,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,NaT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,,,,,,,,,,NaT,,,,,,,,Azure,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecAudit,audit_event_shoebox,audit_session_for_shoebox,2021-02-03 04:22:14.285000+00:00,1.0,2021-02-03 04:22:13.352000+00:00,1.0,BCM,BATCH COMPLETED,True,False,99.0,0.0,1.0,0.0,0.0,5.0,0.0,0.0,DB,DATABASE,DATABASE,0.0,1.0,1.0,131.107.174.142,00000000-0000-0000-0000-000000000000,95fac0fa-208b-4192-b50a-6f57017251c4,adslivesite,adslivesite,01060000000001640000000000000000cef04990da1423...,dbo,,,,jukoesmasqldb,AdventureWorks,,AdventureWorks,"SELECT ISNULL(SESSIONPROPERTY ('ANSI_NULLS'), ...",,,azdata-GeneralConnection,b40baaea-b083-427f-ac02-6fd367e02a5f,,MSSQLGIRL-01,,True,362067bc-d00d-4ad0-8c9b-851b85644e9e,,AzureDiagnostics
7,2021-02-03 04:22:14.290000+00:00,SQLSecurityAuditEvents,MICROSOFT.SQL,MASTER,SERVERS/DATABASES,AuditEvent,,,,,,,,,,,,,,,,,jukoesmasqldb,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,NaT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,,,,,,,,,,NaT,,,,,,,,Azure,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecAudit,audit_event_shoebox,audit_session_for_shoebox,2021-02-03 04:22:14.285000+00:00,1.0,2021-02-03 04:22:13.384000+00:00,1.0,BCM,BATCH COMPLETED,True,False,99.0,0.0,1.0,0.0,0.0,5.0,0.0,0.0,DB,DATABASE,DATABASE,0.0,1.0,1.0,131.107.174.142,00000000-0000-0000-0000-000000000000,e1340822-f73f-47dc-be3e-7217a80fc204,adslivesite,adslivesite,01060000000001640000000000000000cef04990da1423...,dbo,,,,jukoesmasqldb,AdventureWorks,,AdventureWorks,"SELECT CONVERT(NVARCHAR(36), CONTEXT_INFO())",,,azdata-GeneralConnection,b40baaea-b083-427f-ac02-6fd367e02a5f,,MSSQLGIRL-01,,True,a9dc4216-43c8-4d07-ace7-c0c4782594a5,,AzureDiagnostics
8,2021-02-03 04:22:14.290000+00:00,SQLSecurityAuditEvents,MICROSOFT.SQL,MASTER,SERVERS/DATABASES,AuditEvent,,,,,,,,,,,,,,,,,jukoesmasqldb,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,NaT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,,,,,,,,,,NaT,,,,,,,,Azure,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecAudit,audit_event_shoebox,audit_session_for_shoebox,2021-02-03 04:22:14.285000+00:00,1.0,2021-02-03 04:22:13.399000+00:00,1.0,BCM,BATCH COMPLETED,True,False,99.0,0.0,1.0,0.0,0.0,5.0,0.0,0.0,DB,DATABASE,DATABASE,0.0,0.0,0.0,131.107.174.142,00000000-0000-0000-0000-000000000000,54ed3e99-a9af-43c9-80c0-a1d8c08858c8,adslivesite,adslivesite,01060000000001640000000000000000cef04990da1423...,dbo,,,,jukoesmasqldb,AdventureWorks,,AdventureWorks,set LOCK_TIMEOUT 5000,,,azdata-GeneralConnection,b40baaea-b083-427f-ac02-6fd367e02a5f,,MSSQLGIRL-01,,True,7c0a1b81-e9e3-4a0f-962d-7b76860f1f6c,,AzureDiagnostics
9,2021-02-03 04:22:14.290000+00:00,SQLSecurityAuditEvents,MICROSOFT.SQL,MASTER,SERVERS/DATABASES,AuditEvent,,,,,,,,,,,,,,,,,jukoesmasqldb,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,NaT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,NaT,,,,,,,,,,NaT,,,,,,,,Azure,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SecAudit,audit_event_shoebox,audit_session_for_shoebox,2021-02-03 04:22:14.285000+00:00,1.0,2021-02-03 04:22:13.430000+00:00,1.0,BCM,BATCH COMPLETED,True,False,99.0,0.0,1.0,0.0,0.0,5.0,0.0,0.0,DB,DATABASE,DATABASE,0.0,0.0,0.0,131.107.174.142,00000000-0000-0000-0000-000000000000,cc15a3f9-017a-4384-b195-87bdc2d53378,adslivesite,adslivesite,01060000000001640000000000000000cef04990da1423...,dbo,,,,jukoesmasqldb,AdventureWorks,,AdventureWorks,"SET ANSI_NULLS, ANSI_PADDING, ANSI_WARNINGS, A...",,,azdata-GeneralConnection,b40baaea-b083-427f-ac02-6fd367e02a5f,,MSSQLGIRL-01,,True,fa4f9388-c09e-44cd-9ee4-4ca7fd4f7941,,AzureDiagnostics


## Analyze (non-audit) Events

In [23]:
%%kql 
AzureDiagnostics
| summarize event_count=count() by bin(TimeGenerated, 10m), OperationName
| where OperationName <> "AuditEvent"
| render timechart 

## Deadlock Analysis

In [24]:
%%kql
AzureDiagnostics
| where OperationName == "DeadlockEvent"
| project TimeGenerated, Category, Resource, OperationName, Type, deadlock_xml_s
| sort by TimeGenerated desc
| take 50

Unnamed: 0,TimeGenerated,Category,Resource,OperationName,Type,deadlock_xml_s
0,2021-02-03 07:14:30.857000+00:00,Deadlocks,ADVENTUREWORKS,DeadlockEvent,AzureDiagnostics,<deadlock> <victim-list> <victimProcess i...
1,2021-01-31 23:17:10.991000+00:00,Deadlocks,ADVENTUREWORKS,DeadlockEvent,AzureDiagnostics,<deadlock> <victim-list> <victimProcess i...
2,2021-01-31 17:52:44.755000+00:00,Deadlocks,ADVENTUREWORKS,DeadlockEvent,AzureDiagnostics,<deadlock> <victim-list> <victimProcess i...
3,2021-01-31 17:49:57.021000+00:00,Deadlocks,ADVENTUREWORKS,DeadlockEvent,AzureDiagnostics,<deadlock> <victim-list> <victimProcess i...
4,2021-01-31 17:41:58.653000+00:00,Deadlocks,ADVENTUREWORKS,DeadlockEvent,AzureDiagnostics,<deadlock> <victim-list> <victimProcess i...


Find the deadlock query plan

In [25]:
%%kql
AzureDiagnostics
| where OperationName == "DeadlockEvent"
| extend d = parse_xml(deadlock_xml_s)
| project TimeGenerated, QuerhPlanHash = d.deadlock.["process-list"].process[0].executionStack.frame[0]["@queryplanhash"], QueryHash = d.deadlock.["process-list"].process[0].executionStack.frame[0]["@queryhash"]
//| sort by TimeGenerated desc
| take 50

Unnamed: 0,TimeGenerated,QuerhPlanHash,QueryHash
0,2021-02-03 07:14:30.857000+00:00,0x61108d8e53ae0281,0xfb56c41f149be1bf
1,2021-01-31 23:17:10.991000+00:00,0x61108d8e53ae0281,0xfb56c41f149be1bf
2,2021-01-31 17:49:57.021000+00:00,0x61108d8e53ae0281,0xfb56c41f149be1bf
3,2021-01-31 17:52:44.755000+00:00,0x61108d8e53ae0281,0xfb56c41f149be1bf
4,2021-01-31 17:41:58.653000+00:00,0x61108d8e53ae0281,0xfb56c41f149be1bf


## Query Store Runtime Statistics Events

In [26]:
%%kql
AzureDiagnostics
| where OperationName == "QueryStoreRuntimeStatisticsEvent"
| project TimeGenerated, query_hash_s, statement_sql_handle_s, query_plan_hash_s
| take 50

Unnamed: 0,TimeGenerated,query_hash_s,statement_sql_handle_s,query_plan_hash_s
0,2021-01-31 23:28:11.744000+00:00,0xE8E6F7DC2D2909FE,0x0900B90F6497028D7C84720EFD387ECE8C2F00000000...,0x037E2E7A34FBE1AD
1,2021-01-31 23:28:11.744000+00:00,0xD47FA8AE1E407243,0x0900B10677BE63CAE65A693887D6502113BC00000000...,0xFA26A5F6A84C8679
2,2021-01-31 23:43:11.998000+00:00,0xE8E6F7DC2D2909FE,0x0900B90F6497028D7C84720EFD387ECE8C2F00000000...,0x037E2E7A34FBE1AD
3,2021-02-03 04:29:02.416000+00:00,0xE8E6F7DC2D2909FE,0x0900B90F6497028D7C84720EFD387ECE8C2F00000000...,0x037E2E7A34FBE1AD
4,2021-02-03 04:29:02.416000+00:00,0xD9BFE0AEB1B674BF,0x0900769CEE691C933F258772430BD1146CFF00000000...,0xEB919DD1DFFE113C
5,2021-02-03 04:29:02.416000+00:00,0x4E8C0B5AF78C4ED1,0x0900C6D4FC50EF5B4E298DBE4E3A7EA7911F00000000...,0xB44B4BF819B82F62
6,2021-02-03 07:29:05.360000+00:00,0xE8E6F7DC2D2909FE,0x0900B90F6497028D7C84720EFD387ECE8C2F00000000...,0x037E2E7A34FBE1AD


## Analyze Errors

In [27]:
%%kql 
AzureDiagnostics
| where OperationName == "ErrorEvent"
| extend ErrorNumber =  tostring(error_number_d) 
| summarize event_count=count() by EventTime = bin(TimeGenerated, 10m), ErrorNumber
| render timechart 

## Find Deleted table

In [28]:
%%kql 
AzureDiagnostics
| where action_name_s in ('BATCH COMPLETED')
| project TimeGenerated, Category, action_name_s, statement_s
| where statement_s contains "DROP TABLE"
| sort by TimeGenerated desc 
| take 10



Unnamed: 0,TimeGenerated,Category,action_name_s,statement_s
0,2021-01-24 03:13:41.751000+00:00,SQLSecurityAuditEvents,BATCH COMPLETED,DROP TABLE dbo.Suppliers\r\nDROP TABLE dbo.Emp...
1,2021-01-24 03:13:41.751000+00:00,SQLSecurityAuditEvents,BATCH COMPLETED,DROP TABLE dbo.Suppliers\r\nDROP TABLE dbo.Emp...
2,2021-01-24 03:09:53.703000+00:00,SQLSecurityAuditEvents,BATCH COMPLETED,DROP TABLE dbo.Suppliers\r\nDROP TABLE dbo.Emp...
3,2021-01-24 03:09:53.703000+00:00,SQLSecurityAuditEvents,BATCH COMPLETED,DROP TABLE dbo.Suppliers\r\nDROP TABLE dbo.Emp...
