Functions in Log Analytics

You can change the function that plots the log facet or label, add a new function, or remove functions entirely.

Add function

  1. Turn on the Use KfuseQL toggle.

  2. To add a new function to the graph, click the Sigma icon at the end of the query specification.

  3. In the drop-down, either search for a function name, or select an existing function category, and then pick the function name.

    See the list of functions for log analytics, FuseQL.

    Here, we demonstrate the Algorithm: Anomalies function.

  4. Configure the parameters of the function, if any.

    In the query specification, specify the agile-robust algorithm.

  5. In the by clause of the aggregation, select how to group data.

    Here, group by the label:value pair Core:level.

  6. The interface displays the anomaly detection function.

  7. [Optional] You can use the legend at the bottom of the chart to see both the Warning and Info time series, only the Warning, or only the Info.

    • Warning and Info

    • Warning

    • Info


Remove function

Sometimes, you may want to remove a function from a graph. For example, you may want to remove the default aggregation, as described in Remove aggregation.

At other times, you may want to remove a limiting function.

  1. To remove a function, click the Remove function icon next to the function you want to drop.

  2. The interface displays the graph without that function.