Tag: Azure Monitor

Simple Mode – I have mixed feelings. Yes, Simple Mode in Azure Monitor Log Analytics is useful. Yes, it makes querying logs easier. But does it strip away too much of the power that Kusto Query Language (KQL) offers? Let’s break it down.

---

What is Simple Mode?

Simple Mode is Microsoft’s latest attempt to make Azure Monitor’s Log Analytics more accessible. Instead of writing KQL queries, you can now use a simplified, form-based approach to retrieve logs. This means:

✅ No more KQL wrangling for simple queries
✅ Drop-down selections to filter logs
✅ Pre-built query templates for common scenarios

It’s perfect for beginners and those who just want quick answers without learning the intricacies of KQL. But for those of us who love the flexibility and depth of KQL, it feels a bit… underwhelming.

---

Where Simple Mode Shines

Okay, I’ll admit—it has its moments:

1. Fast Troubleshooting – Need to check VM performance? Find failed logins? Simple Mode makes it quick.
2. Less Query Anxiety – Not everyone wants to remember where TimeGenerated >= ago(7d). Fair enough.
3. Better Team Accessibility – Non-technical users (like project managers or business analysts) can actually use Log Analytics now.

It’s a great tool for entry-level users, and it can certainly speed up basic troubleshooting.

---

Where It Falls Short (for Power Users)

If you’re used to writing KQL like a pro, Simple Mode will probably feel like training wheels on a motorcycle.

🔻 Limited Query Complexity – No advanced joins, unions, or calculated fields
🔻 Less Control Over Data Filtering – Drop-downs are great until you need a specific filter that isn’t there
🔻 Can Hide Critical Insights – Sometimes, the best debugging happens in the nitty-gritty details, which Simple Mode glosses over

It’s like being handed a “Dummies Guide to PowerShell” when you’ve been scripting automation for years. You appreciate the effort, but it’s just… not for you.

---

Can You Still Use KQL?

Thankfully YES. Microsoft isn’t forcing Simple Mode on us. You can toggle back to KQL mode whenever you want.

1. Start with Simple Mode
2. Switch to KQL Mode when you need more control
3. Mix and match based on what you need

It’s a decent compromise, but I wouldn’t be surprised if Microsoft keeps nudging us toward using Simple Mode more in the future.

Let’s take a look back at the year and see what major features the Program Groups delivered!

Cya, old AppInsights!

One of the most notable milestones was the retirement of Classic Application Insights on February 29, 2024. This move encouraged users to transition to workspace-based resources, offering improved integration and advanced features within Azure Monitor.

Farewell MMA/OMS

Although some people will say OMS was never a thing (Bwren – talking about you), August 31, 2024, marked the retirement of the Log Analytics Agent (MMA/OMS). Users were advised to migrate to the Azure Monitor Agent (AMA) to benefit from enhanced performance, security, and support for new data sources.

Classic Storage Metrics

On January 9, 2024, classic metrics in Azure Storage were retired.

Enhanced Logging for AKS

December 2024 brought significant enhancements to Azure Kubernetes Service (AKS) logging. New metadata and log severity levels were introduced in Azure Monitor Logs, providing more granular insights into AKS operations.

Monitoring without a solid strategy is like driving without a dashboard—sooner or later, something’s going to break, and you won’t see it coming. That’s where Azure Monitor Baseline Alerts (AMBA) steps in, acting as your pre-configured, expert-driven monitoring blueprint for Azure resources.

Instead of spending hours manually configuring alerts, AMBA provides ready-to-deploy alert recommendations, automation templates, and best practices to ensure your environment stays resilient and well-monitored from day one.

Expert Recommendations: AMBA offers a curated list of alert recommendations and expert guidance tailored for various Azure resources, ensuring you’re always ahead of potential issues.

Proactive Notifications: With near real-time alerts, AMBA ensures you can swiftly identify and address problems, minimizing downtime and maintaining optimal performance.

Seamless Automation: Deploying alert policies has never been easier. AMBA’s Azure Policy templates allow for consistent and efficient implementation across your environment.

There are three main sections in AMBA – Resources, Patterns/Scenarios, and Visualizations. AMBA will deploy the necessary alerts based on resource level guidance with patterns (for Azure Landing Zones), along with various workbooks, dashboards – Azure or Grafana. And to top it all off – there is an accelerator now available for it! (see the image below)

Let’s face it—manually setting alert thresholds in Azure Monitor can feel like trying to hit a moving target while blindfolded. Just when you think you’ve nailed the perfect threshold, your application’s behavior decides to take a detour, leaving you drowning in false positives or, worse, missing critical alerts. Azure Monitor’s dynamic thresholds for log search alerts are here to save the day!

Why Dynamic Thresholds Are a Game-Changer

Dynamic thresholds in Azure Monitor analyze historical data to establish expected performance patterns, automatically adjusting alert thresholds as your application’s behavior changes.

• Automatic Calibration – Say goodbye to manual tuning. Dynamic thresholds adjust themselves based on your system’s historical data
• Intelligent Learning – By understanding patterns and trends—be it daily spikes or weekly lulls—dynamic thresholds adapt to your application’s changing situations.
• Scalable Alerts – Dynamic thresholds allow for a single alert rule to handle multiple dimensions, defining specific alert bands for each combination.

It’s still in Private Preview (boo!), but it won’t be long before we get our hands on it in public preview!

So what does it look like? Here is a sample ARM template that sets a dynamic threshold on CPU percentage – notice the new criterionType of DynamicThresholdCriterion.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "scheduledqueryrules_PerfDemoRule_name": {
      "defaultValue": "PerfDemoRule",
      "type": "String"
    },
    "workspaces_PerfDemoWorkspace_externalid": {
      "defaultValue": "/subscriptions/XXXX-XXXX-XXXX-XXXX/resourceGroups/XXXX/providers/Microsoft.OperationalInsights/workspaces/PerfDemoWorkspace",
      "type": "String"
    }
  },
  "resources": [
    {
      "type": "microsoft.insights/scheduledqueryrules",
      "apiVersion": "2024-01-01-preview",
      "name": "[parameters('scheduledqueryrules_PerfDemoRule_name')]",
      "location": "eastus2",
      "properties": {
        "displayName": "[parameters('scheduledqueryrules_PerfDemoRule_name')]",
        "severity": 3,
        "enabled": true,
        "evaluationFrequency": "PT5M",
        "scopes": [
          "[parameters('workspaces_PerfDemoWorkspace_externalid')]"
        ],
        "targetResourceTypes": [
          "Microsoft.Compute/virtualMachines"
        ],
        "criteria": {
          "allOf": [
            {
              "criterionType": "DynamicThresholdCriterion",
              "metricName": "Percentage CPU",
              "timeAggregation": "Average",
              "dimensions": [
                {
                  "name": "Computer",
                  "operator": "Include",
                  "values": [ "*" ]
                }
              ],
              "alertSensitivity": "Medium"
            }
          ]
        }
      }
    }
  ]
}