Examples of LogAnalytics queries
General LA
Get LogAnalytics table growth by time
union withsource = tt *
| where TimeGenerated >= ago(31d)
| summarize count() by bin(TimeGenerated,10m), Source=tt
| render timechart title = "Monthly growth"
AKS
Get audit log occurrences per Service Account (top 10)
AzureDiagnostics
| where TimeGenerated >= ago(8h)
| where Category == "kube-audit-admin"
| extend json=parse_json(log_s)
| extend username=parse_json(json.user).username
| summarize count() by tostring(username)
| sort by count_ desc
| limit 10
Get number of calls to each requestURI by a Service Account
AzureDiagnostics
| where TimeGenerated >= ago(24h)
| where Category == "kube-audit-admin"
| extend json=parse_json(log_s)
| extend username=parse_json(json.user).username
| where username == "system:serviceaccount:gdp-gitops:argocd-application-controller"
| summarize count() by tostring(json.requestURI)