One of the major use cases for log analytics is root cause investigation. For this, many times you just want to look at all your data, and find records that relate to a specific session, operation, or error. I already showed one way you can do this using ‘search’, but I want to show how you can do this using ‘union *‘ which is a more versatile.
union * | where timestamp > ago(1d) | where operation_Id contains '7' | project timestamp, operation_Id, name, message
In fact I already used ‘union *’ when I wanted to count users across all tables.
Another useful tool is searching across all fields – you can do this with ‘where *‘:
union * | where timestamp > ago(1d) | where * contains 'error' | project timestamp, operation_Id, name, message
This is really powerful, and can be used to basically do a full table scan across all your data.
But one thing that always annoyed me is that you never know which table the data came from. I just discovered a really easy way to get this – using the ‘withsource’ qualifier:
union withsource=sourceTable * | where timestamp > ago(1d) | where * contains 'error' | project sourceTable, timestamp, operation_Id, name, message