Microsoft Azure Log Analytics integration configuration fields

Release version: Xanadu

Updated April 7, 2025

4 minutes to read

Summarize

Summarized using AI

Summary of Microsoft Azure Log Analytics integration configuration fields

This document details the configuration fields available when setting up the Microsoft Azure Log Analytics integration within the ServiceNow Health Log Analytics application (version 26.0.17 and later). It guides you through specifying integration details, authentication, data retrieval methods, and advanced settings to enable log data ingestion from Azure Log Analytics into your ServiceNow instance.

Show full answer Show less

Integration Configuration Details

Integration Name: Provide a unique identifier for your integration; this name dynamically updates the generic name displayed on the form.
Execute on: Choose whether the integration uses a specific MID Server or a MID Server cluster for pulling log data.
MID Server / MID Server Cluster: Select the MID Server or failover MID Server cluster (supporting only basic authentication) responsible for ingesting logs. The system automatically enables log ingestion if not already enabled. Note the default limit of 10 streaming integrations per MID Server, adjustable via MID Server properties.
Service Instance: Bind the log data to a specific ServiceNow service instance (required).
Data Source: This is fixed as Azure Log Analytics and is read-only.
Description: Optionally add descriptive text to help identify the integration.

Data Retrieval Method Configuration

Redirect URL: Required URL that matches the Microsoft Azure redirecturi authorization property, essential for OAuth authorization.
Authentication Method: Select or create Azure Service Principal credentials (Tenant ID, Client ID, Secret key) to authenticate with Azure resources.
Workspace ID: Provide the Azure Log Analytics Customer ID to access the REST API.
Table Name: Specify the Azure Log Analytics table name from which to fetch logs.
Event Time Property Name: Indicate the Azure Log Analytics field used to detect event timestamps.

Advanced Settings

Event Processor Workers and Queue Size: Configure concurrency and queue capacity for event processing batches.
Sub Sample Drop and Receive Ratios: Control event batching and selective discarding to manage event load.
Max Documents per Query and Columns to Select: Define query limits and the specific log columns to retrieve (ignored if a custom query is used).
Character Encoding: Set the character encoding for the data input.
Sleep Interval and Polling Interval: Define wait times between queries and polls when no new events are returned.
Drop if Queue is Full: Decide whether to discard logs to prevent MID Server overload.
Log Query: Optionally override default query parameters with a custom Azure Log Analytics query in JSON format, enabling precise control over data retrieval.

Practical Implications for ServiceNow Customers

By properly configuring these fields, ServiceNow customers can reliably stream log data from Microsoft Azure Log Analytics into their ServiceNow Health Log Analytics environment. This integration ensures continuous monitoring and analysis of Azure logs, supports failover with MID Server clusters, and provides flexibility through advanced query customization and load management options. Customers should ensure MID Servers support basic authentication and that necessary credentials and service instances are correctly specified to enable seamless data ingestion.

Description of the fields on the Microsoft Azure Log Analytics integration configuration forms for Health Log Analytics.

Table 1. Provide details
Field	Description
Integration Name	Unique name of this integration. For example: My Azure Log Analytics integration. This field is required. Note: When you fill in this field, the generic name displayed on the form adjusts automatically to match the name you entered.
Execute on	Option to determine whether to use a specific MID Server or a MID Server cluster. This feature is supported in the Health Log Analytics application, Version 26.0.17 - February 2023 and later, available from the ServiceNow Store.
MID server name	(Only when the Execute on field is set to Specific MID Server) MID Server to which log data from Microsoft Azure Log Analytics is pulled. This field is required. Note: You can select only MID Servers that support basic authentication. MID Servers that support mTLS are not listed. The default maximum number of integrations streaming logs to a single MID Server is 10. You can modify this number in the MID Server properties. If log ingestion is not enabled for the selected MID Server, Health Log Analytics enables it automatically.
MID MID Server Cluster	(Only when the Execute on field is set to Specific MID Server Cluster) The MID Server cluster to which the log data is pulled. The data input runs on a single MID Server in the cluster until that MID Server fails. The system then moves all the data input tasks to the next available MID Server in the cluster according to the configured order. This feature is supported in the Health Log Analytics application, Version 26.0.17 - February 2023 and later, available from the ServiceNow Store. Note: Health Log Analytics supports only failover MID Server clusters. In these clusters, multiple MID Servers are grouped together for failover protection. When selecting a cluster from the data input form, the MID Server Clusters list displays only failover clusters. The MID Server cluster must include only MID Servers that support basic authentication. mTLS is not supported for log ingestion. Log ingestion must be enabled for each MID Server in the cluster. If log ingestion is not enabled for the active MID Server, Health Log Analytics enables it automatically. The default maximum number of data inputs streaming logs to a single MID Server is 10. A cluster passes capacity validation if it contains at least one MID Server with fewer than 10 data inputs running on it, even when that MID Server is down. For more information about MID Server clusters, see Configure a MID Server cluster. This field is required.
Service instance	The service instance (formerly the application service) to which to bind the log data. This field is required.
Data source	The source of the log data that the integration pulls to your ServiceNow instance: Azure Log Analytics. This field is read-only.
Description	Option to add a brief description of the integration to help identify it.

Table 2. Set data retrieval method
Field	Description
Redirect url	The redirect URL of the access log application. This field is required. The URL refers to the Microsoft Azure redirect_uri authorization property. For more information, see the Authorization code URL (GET request) section in the Microsoft Azure documentation.
Authentication method	The credentials used to access Microsoft Azure resources. This field is required. If no credentials exist, select Create new Azure Service Principal credential. Create a credential by filling in the fields and then selecting Submit. For information on the Tenant ID, Client ID, and Secret key fields, refer to the Microsoft Azure documentation. When you have created a credential, you can select it from the drop-down list.
Workspace ID	The Customer ID used to call the Microsoft Azure Log Analytics REST API. This field is required.
Table name	The name of the table in Microsoft Azure Log Analytics where the data input fetches the log data. For more information, see the View table information section in the Microsoft Azure documentation. This field is required.
Event time property name	The Microsoft Azure Log Analytics field in which to detect the event time. This field is required.

Table 3. Advanced settings
Field	Description
Event Processor workers	The number of concurrent event processing workers, where each worker processes a batch of events independently.
Workers queue size	The queue size of the Event Processor workers.
Sub sample drop ratio	The number of events to batch together, out of which one will be discarded. This setting is used to reduce the number of fetched events.
Sub sample receive ratio	The number of events to batch together, out of which all but one will be discarded. This setting is used to decrease the number of received events.
Max documents per query	The highest number of rows retrieved in each query.
Columns to select	Comma-separated list of column names to return. Note: This field is ignored when you provide a custom query.
Character encoding	The character encoding for this data input.
Sleep interval (seconds)	The interval, in seconds, to wait before querying again after a query has returned no events.
Polling interval	The interval, in seconds, to wait before polling for new events.
Drop if queue is full	Option for selecting to discard logs if there is a load on the MID Server.
Log Query	Option to define your own Log Analytics query. This field overrides the values configured in the other query settings fields. Note: If this field is empty, Health Log Analytics generates the query using the values set in the other fields. For your custom query, use the following JSON format: `{"query": "query \| where TimeGenerated > %s \| take 500"}` For example: `{ "query":"ContainerLog \| where LogEntry contains 'cartservice' \| where TimeGenerated > %s \| take 500", "workspaces": ["defaultworkspace-3ab145ff-f9cd-433f-8533-d1b1ee24aee6-eus"], "project": ["TimeGenerated", "LogEntry", "LogEntrySource"] }`