# Using Kqlmagic to analyze Azure SQL logs and metrics

There are two main tables in Azure Log Analytics (Azure Monitor Logs) workspace that capture Azure SQL events:
1. AzureDiagnostics
2. AzureMetric


## 1. Connect to Log Analytics workspace

Workspace is similar to what a database is to SQL. You connect to Log Analytics workspace to start querying data. 

### 1.1 Load Kqlmagic
Need to load Kqlmagic first before we can start writing queries.

In [1]:
%reload_ext Kqlmagic

### 1.2 Connect to the desired Log Analytics workspace

In [None]:
tenantID = input("Enter Log Analytics Workspace ID (guid)")
print(tenantID)

In [3]:
%kql loganalytics://code;workspace=tenantID;alias="myLogAnalyticsWorkspace" -try-azcli_login //-!se

## 2. Analyze events by Diagnostic Settings

Let's do a simple query first to analyze the number of events by Operation Name. 

> **Note**: Each row in AzureDiagnostic represents an event for specific Operation or category. Some SQL actions may result in generating multiple events of different types.



In [4]:
%%kql AzureDiagnostics
| summarize count() by OperationName

Unnamed: 0,OperationName,count_
0,AuditEvent,3456
1,DeadlockEvent,5
2,ErrorEvent,143
3,QueryStoreRuntimeStatisticsEvent,8
4,TimeoutEvent,1



The above query's equivalent in SQL is:
```
SELECT COUNT(*) AS [count_]
FROM AzureDiagnostics
GROUP BY OperationName
```


Count my Azure SQL DB events by category / diagnostic settings.

In [5]:
%%kql AzureDiagnostics
| where LogicalServerName_s == "jukoesmasqldb"
| where TimeGenerated >= ago(5d)
| summarize count() by Category
| render barchart with (title = "Azure SQL DB Diagnostic Category")

## 3. Performance troubleshooting Query (from Azure Portal)

Potentially a query or deadlock on the system that could lead to poor performance. The following is a query suggested by Azure Portal.

In [6]:
%%kql 
AzureMetrics
| where ResourceProvider == "MICROSOFT.SQL"
| where TimeGenerated >=ago(60min)
| where MetricName in ('deadlock')
| parse _ResourceId with * "/microsoft.sql/servers/" Resource // subtract Resource name for _ResourceId
| summarize Deadlock_max_60Mins = max(Maximum) by Resource, MetricName

Unnamed: 0,Resource,MetricName,Deadlock_max_60Mins


# AzureMetrics

This is a sample query to dig into AzureMetrics

In [7]:
%%kql
AzureMetrics
| project-away TenantId, ResourceId, SubscriptionId, _ResourceId, ResourceGroup // Don't show sensitive columns :) 
| project TimeGenerated, MetricName, Total, Count, UnitName
| take 10


Unnamed: 0,TimeGenerated,MetricName,Total,Count,UnitName
0,2021-02-03 16:18:00+00:00,sessions_percent,0.0,4.0,Percent
1,2021-02-03 16:18:00+00:00,cpu_percent,0.0,4.0,Percent
2,2021-02-03 16:18:00+00:00,log_write_percent,0.0,4.0,Percent
3,2021-02-03 16:18:00+00:00,physical_data_read_percent,0.0,4.0,Percent
4,2021-02-03 16:18:00+00:00,cpu_used,0.0,1.0,Count
5,2021-02-03 16:18:00+00:00,cpu_limit,10.0,5.0,Count
6,2021-02-03 16:18:00+00:00,storage,29229056.0,1.0,Bytes
7,2021-02-03 16:18:00+00:00,storage_percent,0.0,1.0,Percent
8,2021-02-03 16:18:00+00:00,xtp_storage_percent,0.0,4.0,Percent
9,2021-02-03 16:18:00+00:00,workers_percent,0.0,4.0,Percent


# AzureDiagnostics

This is a sample query to dig into AzureDiagnostics. This table tends to have more details than AzureMetrics.

In [None]:
%%kql
AzureDiagnostics
| project-away TenantId, ResourceId, SubscriptionId, ResourceGroup, _ResourceId // Don't show sensitive columns :) 
| take 10

## Analyze (non-audit) Events

In [9]:
%%kql 
AzureDiagnostics
| summarize event_count=count() by bin(TimeGenerated, 2d), OperationName
| where OperationName <> "AuditEvent"
| render timechart 

## Deadlock Analysis

In [10]:
%%kql
AzureDiagnostics
| where OperationName == "DeadlockEvent"
| project TimeGenerated, Category, Resource, OperationName, Type, deadlock_xml_s
| sort by TimeGenerated desc
| take 50

Unnamed: 0,TimeGenerated,Category,Resource,OperationName,Type,deadlock_xml_s
0,2021-02-03 07:14:30.857000+00:00,Deadlocks,ADVENTUREWORKS,DeadlockEvent,AzureDiagnostics,<deadlock> <victim-list> <victimProcess i...
1,2021-01-31 23:17:10.991000+00:00,Deadlocks,ADVENTUREWORKS,DeadlockEvent,AzureDiagnostics,<deadlock> <victim-list> <victimProcess i...
2,2021-01-31 17:52:44.755000+00:00,Deadlocks,ADVENTUREWORKS,DeadlockEvent,AzureDiagnostics,<deadlock> <victim-list> <victimProcess i...
3,2021-01-31 17:49:57.021000+00:00,Deadlocks,ADVENTUREWORKS,DeadlockEvent,AzureDiagnostics,<deadlock> <victim-list> <victimProcess i...
4,2021-01-31 17:41:58.653000+00:00,Deadlocks,ADVENTUREWORKS,DeadlockEvent,AzureDiagnostics,<deadlock> <victim-list> <victimProcess i...


Find the deadlock query plan

In [11]:
%%kql
AzureDiagnostics
| where OperationName == "DeadlockEvent"
| extend d = parse_xml(deadlock_xml_s)
| project TimeGenerated, QuerhPlanHash = d.deadlock.["process-list"].process[0].executionStack.frame[0]["@queryplanhash"], QueryHash = d.deadlock.["process-list"].process[0].executionStack.frame[0]["@queryhash"]
//| sort by TimeGenerated desc
| take 50

Unnamed: 0,TimeGenerated,QuerhPlanHash,QueryHash
0,2021-01-31 17:41:58.653000+00:00,0x61108d8e53ae0281,0xfb56c41f149be1bf
1,2021-02-03 07:14:30.857000+00:00,0x61108d8e53ae0281,0xfb56c41f149be1bf
2,2021-01-31 23:17:10.991000+00:00,0x61108d8e53ae0281,0xfb56c41f149be1bf
3,2021-01-31 17:49:57.021000+00:00,0x61108d8e53ae0281,0xfb56c41f149be1bf
4,2021-01-31 17:52:44.755000+00:00,0x61108d8e53ae0281,0xfb56c41f149be1bf


## Query Store Runtime Statistics Events

In [12]:
%%kql
AzureDiagnostics
| where OperationName == "QueryStoreRuntimeStatisticsEvent"
| project TimeGenerated, query_hash_s, statement_sql_handle_s, query_plan_hash_s
| take 50

Unnamed: 0,TimeGenerated,query_hash_s,statement_sql_handle_s,query_plan_hash_s
0,2021-01-31 23:28:11.744000+00:00,0xE8E6F7DC2D2909FE,0x0900B90F6497028D7C84720EFD387ECE8C2F00000000...,0x037E2E7A34FBE1AD
1,2021-01-31 23:28:11.744000+00:00,0xD47FA8AE1E407243,0x0900B10677BE63CAE65A693887D6502113BC00000000...,0xFA26A5F6A84C8679
2,2021-01-31 23:43:11.998000+00:00,0xE8E6F7DC2D2909FE,0x0900B90F6497028D7C84720EFD387ECE8C2F00000000...,0x037E2E7A34FBE1AD
3,2021-02-03 07:29:05.360000+00:00,0xE8E6F7DC2D2909FE,0x0900B90F6497028D7C84720EFD387ECE8C2F00000000...,0x037E2E7A34FBE1AD
4,2021-02-03 04:29:02.416000+00:00,0xE8E6F7DC2D2909FE,0x0900B90F6497028D7C84720EFD387ECE8C2F00000000...,0x037E2E7A34FBE1AD
5,2021-02-03 04:29:02.416000+00:00,0xD9BFE0AEB1B674BF,0x0900769CEE691C933F258772430BD1146CFF00000000...,0xEB919DD1DFFE113C
6,2021-02-03 04:29:02.416000+00:00,0x4E8C0B5AF78C4ED1,0x0900C6D4FC50EF5B4E298DBE4E3A7EA7911F00000000...,0xB44B4BF819B82F62
7,2021-02-03 15:29:12.968000+00:00,0xE8E6F7DC2D2909FE,0x0900B90F6497028D7C84720EFD387ECE8C2F00000000...,0x037E2E7A34FBE1AD


## Analyze Errors

In [13]:
%%kql 
AzureDiagnostics
| where OperationName == "ErrorEvent"
| extend ErrorNumber =  tostring(error_number_d) 
| summarize event_count=count() by EventTime = bin(TimeGenerated, 2d), ErrorNumber
| render timechart 

## Find Deleted table

In [14]:
%%kql 
AzureDiagnostics
| where action_name_s in ('BATCH COMPLETED')
| project TimeGenerated, Category, action_name_s, statement_s
| where statement_s contains "DROP TABLE"
| sort by TimeGenerated desc 
| take 10



Unnamed: 0,TimeGenerated,Category,action_name_s,statement_s
0,2021-01-24 03:13:41.751000+00:00,SQLSecurityAuditEvents,BATCH COMPLETED,DROP TABLE dbo.Suppliers\r\nDROP TABLE dbo.Emp...
1,2021-01-24 03:13:41.751000+00:00,SQLSecurityAuditEvents,BATCH COMPLETED,DROP TABLE dbo.Suppliers\r\nDROP TABLE dbo.Emp...
2,2021-01-24 03:09:53.703000+00:00,SQLSecurityAuditEvents,BATCH COMPLETED,DROP TABLE dbo.Suppliers\r\nDROP TABLE dbo.Emp...
3,2021-01-24 03:09:53.703000+00:00,SQLSecurityAuditEvents,BATCH COMPLETED,DROP TABLE dbo.Suppliers\r\nDROP TABLE dbo.Emp...
