Monitor virtual machines with Azure Monitor: Analyze monitoring data

This article is part of the guide Monitor virtual machines and their workloads in Azure Monitor. It describes how to analyze monitoring data for your virtual machines after you've completed their configuration.

Note

This scenario describes how to implement complete monitoring of your Azure and hybrid virtual machine environment. To get started monitoring your first Azure virtual machine, see Monitor Azure virtual machines.

After you've configured data collection for your virtual machines, data will be available for analysis. This article describes the different features of Azure Monitor that you can use to analyze the health and performance of your virtual machines. Several of these features provide a different experience depending on whether you're analyzing a single machine or multiple. Each experience is described here with any unique behavior of each feature depending on which experience is being used.

Single machine experience

Access the single machine analysis experience from the Monitoring section of the menu in the Azure portal for each Azure virtual machine and Azure Arc-enabled server. These options either limit the data that you're viewing to that machine or at least set an initial filter for it. In this way, you can focus on a particular machine, view its current performance and its trending over time, and help to identify any issues it might be experiencing.

| Option | Description |
|---|---|
| Overview page | Select the Monitoring tab to display alerts, platform metrics, and other monitoring information for the virtual machine host. You can see the number of active alerts on the tab. In the Monitoring tab, you get a quick view of: Alerts: the alerts fired in the last 24 hours, with some important statistics about those alerts. If you do not have any alerts set up for this VM, there is a link to help you quickly create new alerts for your VM. Key metrics: the trend over different time periods for important metrics, such as CPU, network, and disk. Because these are host metrics though, counters from the guest operating system such as memory aren't included. Select a graph to work with this data in metrics explorer where you can perform different aggregations, and add more counters for analysis. |
| Activity log | See activity log entries filtered for the current virtual machine. Use this log to view the recent activity of the machine, such as any configuration changes and when it was stopped and started. |
| Alerts | View alerts for the current virtual machine. These alerts only use the machine as the target resource, so there might be other alerts associated with it. You might need to use the Alerts option in the Azure Monitor menu to view alerts for all resources. For details, see Monitor virtual machines with Azure Monitor - Alerts. |
| Metrics | Open metrics explorer with the scope set to the machine. This option is the same as selecting one of the performance charts from the Overview page except that the metric isn't already added. |
| Diagnostic settings | Enable and configure the diagnostics extension for the current virtual machine. This option is different than the Diagnostic settings option for other Azure resources. This is a legacy agent that has been replaced by the Azure Monitor agent. |
| Workbooks | Open the workbook gallery with the workbooks for single machines. |

Compare Metrics and Logs

For many features of Azure Monitor, you don't need to understand the different types of data it uses and where it's stored. You just focus on the logic that you're analyzing. As you dig deeper, you'll need to understand the difference between Azure Monitor Metrics and Azure Monitor Logs. Different features of Azure Monitor use different kinds of data. The type of alerting that you use for a particular scenario depends on having that data available in a particular location.

This level of detail can be confusing if you're new to Azure Monitor. The following information helps you understand the differences between the types of data:

  • Any non-numeric data, such as events, is stored in Logs. Metrics can only include numeric data that's sampled at regular intervals.
  • Numeric data can be stored in both Metrics and Logs so that it can be analyzed in different ways and support different types of alerts.
  • Performance data from the guest operating system is sent to either Metrics or Logs or both by the Azure Monitor agent.

Analyze metric data with metrics explorer

By using metrics explorer, you can plot charts, visually correlate trends, and investigate spikes and dips in metrics' values. For details on how to use this tool, see Analyze metrics with Azure Monitor metrics explorer.

The following namespaces are used by virtual machines.

| Namespace | Description | Requirement |
|---|---|---|
| Virtual Machine Host | Host metrics automatically collected for all Azure virtual machines. Detailed list of metrics at Microsoft.Compute/virtualMachines. | Collected automatically with no configuration required. |
| Virtual Machine Guest | Guest operating system and application performance data on Windows machines. | Azure Monitor agent installed with a Data Collection Rule. |
| azure.vm.linux.guestmetrics | Guest operating system and application performance data on Linux machines. | Azure Monitor agent installed with a Data Collection Rule. |

Analyze log data with Log Analytics

Use Log Analytics to perform custom analysis of your log data and when you want to dig deeper into the data used to create the views in workbooks. You might want to analyze different logic and aggregations of that data or correlate security data collected by Microsoft Defender for Cloud and Microsoft Sentinel with your health and availability data.

You don't necessarily need to understand how to write a log query to use Log Analytics. There are multiple prebuilt queries that you can select and either run without modification or use as a start to a custom query. Select Queries at the top of the Log Analytics screen, and view queries with a Resource type of Virtual machines or Virtual machine scale sets. For information on how to use these queries, see Using queries in Azure Monitor Log Analytics. For a tutorial on how to use Log Analytics to run queries and work with their results, see Log Analytics tutorial.

Screenshot that shows virtual machine queries.

When you start Log Analytics from the Logs menu for a machine, its scope is set to that computer. Any queries will only return records associated with that computer. For a simple query that returns all records in a table, double-click a table in the left pane. Work with these results or modify the query for more complex analysis. To set the scope to all records in a workspace, change the scope or select Logs from the Monitor menu.

Screenshot that shows a Table query.
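
The following query is an added example, not part of the original article, showing how the scope described above changes what one query returns: run from a machine's Logs menu it yields a single row, and with the scope set to a workspace it yields one row per reporting machine. It assumes the workspace contains the `Heartbeat` and `Perf` tables and that the Data Collection Rule collects the Windows-style `% Processor Time` counter; neither the table names nor the counter are named in this article.

```kusto
// Added example: availability and CPU per machine over the last 24 hours.
// Assumes Heartbeat and Perf are populated and that the DCR collects the
// "% Processor Time" counter for the "_Total" instance.
let window = 24h;
let cpu =
    Perf
    | where TimeGenerated > ago(window)
    | where ObjectName == "Processor"
        and CounterName == "% Processor Time"
        and InstanceName == "_Total"
    | summarize AvgCpu = avg(CounterValue), MaxCpu = max(CounterValue) by Computer;
Heartbeat
| where TimeGenerated > ago(window)
// Most recent heartbeat per machine; a large gap suggests the machine or its agent is down.
| summarize LastHeartbeat = max(TimeGenerated) by Computer
// leftouter keeps machines that report heartbeats but have no CPU samples.
| join kind=leftouter (cpu) on Computer
| extend MinutesSilent = datetime_diff("minute", now(), LastHeartbeat)
| project Computer, LastHeartbeat, MinutesSilent, AvgCpu, MaxCpu
| order by MinutesSilent desc
```

Machines with empty `AvgCpu` and `MaxCpu` values are sending heartbeats but no performance counters, which usually points to a Data Collection Rule that isn't associated with them.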

Visualize data with workbooks

Workbooks provide interactive reports in the Azure portal and combine different kinds of data into a single view. Workbooks combine text, log queries, metrics, and parameters into rich interactive reports. Workbooks are editable by any other team members who have access to the same Azure resources.

Workbooks are helpful for scenarios such as:

  • Exploring the usage of your virtual machine when you don't know the metrics of interest in advance like CPU utilization, disk space, memory, and network dependencies. Unlike other usage analytics tools, workbooks let you combine multiple kinds of visualizations and analyses, which make them great for this kind of free-form exploration.
  • Explaining to your team how a recently provisioned VM is performing, by showing metrics for key counters and other log events.
  • Sharing the results of a resizing experiment of your VM with other members of your team. You can explain the goals for the experiment with text. Then you can show each usage metric and analytics queries used to evaluate the experiment, along with clear call-outs for whether each metric was above or below target.
  • Reporting the impact of an outage on the usage of your VM, combining data, text explanation, and a discussion of next steps to prevent outages in the future.
