{"id":4632,"date":"2020-01-17T11:58:04","date_gmt":"2020-01-17T10:58:04","guid":{"rendered":"http:\/\/contoso.se\/blog\/?p=4632"},"modified":"2020-01-17T11:58:05","modified_gmt":"2020-01-17T10:58:05","slug":"visualize-service-map-data-in-a-workbook","status":"publish","type":"post","link":"http:\/\/contoso.se\/blog\/?p=4632","title":{"rendered":"Visualize Service Map data in a workbook"},"content":{"rendered":"\n

Service Map is a feature in Azure Monitor to automatically discovers communication between applications on both Windows and Linux servers. Service Map visualize collected data in a service map, with servers, processes, inbound and outbound connection latency, and ports across any TCP-connected architecture \u00e2\u20ac\u201d more information about Service Map at Microsoft Docs<\/a>. <\/p>\n\n\n\n


The default Service Map view is very useful in many scenarios, but there is, from time to time, a need for creating custom views and reports based on the Service Map data. Custom views and reports are created with Kusto queries and workbooks. In this blog post, we will look at some examples of a visualize Service map data in a workbook. <\/p>\n\n\n\n


One of the main reasons you may want to create customer workbooks based on Service Map data is that the default Service Map view only shows one hour of data, even if more data is collected.<\/p>\n\n\n\n


Below is an image of Service Map, used in VM Insight. In the figure, you can see Windows server DC00 in the center and all processes on the server that communicates on the network. On the right side of the figure, we can see servers that DC00 communicates with, grouped on network ports. It is possible to select another server, for example, DC11, and see which process on DC11 communicating with the process on DC00. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

All service\nmap data is stored in two different tables, VMproccess and VMConnection. VMComputer<\/em> has inventory data for servers. VMprocess has inventory data for TCP-connected\nprocesses on servers.<\/p>\n\n\n\n

Here are a few sample queries to get you started.<\/p>\n\n\n\n

To\nlist all machines that have inbound communication on port 80 last week<\/strong><\/p>\n\n\n\n

VMConnection
| where DestinationPort == \"80\"
| where Direction == \"inbound\" 
| where TimeGenerated > now(-7d)
| distinct Computer<\/pre>\n\n\n\n
To list unique processes on a virtual machine, for last week<\/strong><\/p>\n\n\n\n
VMProcess
| where Computer == \"DC21.NA.contosohotels.com\"
| where TimeGenerated > now(-7d)
| summarize arg_max(TimeGenerated, DisplayName, Description, Computer) by ExecutableName<\/pre>\n\n\n\n
To list all unique communication for a server, for last week<\/strong><\/p>\n\n\n\n
VMProcess\n|VMConnection\n| where Computer == \"DC21.NA.contosohotels.com\" \n| where TimeGenerated > now(-7d)\n| summarize arg_max(TimeGenerated, Computer, Direction, ProcessName) by RemoteIp, DestinationPort  <\/pre>\n\n\n\n
To list all communication between two IP addresses<\/strong><\/p>\n\n\n\n
VMConnection
| where (SourceIp == \"10.1.2.20\" or SourceIp == \"10.3.1.20\") and (DestinationIp == \"10.1.2.20\" or DestinationIp == \"10.3.1.20\")
| where TimeGenerated > now(-7d)
| summarize arg_max(TimeGenerated, SourceIp, DestinationIp, Direction, ProcessName) by DestinationPort <\/pre>\n\n\n\n
With workbooks, you can create dynamic reports to visualize collected data. This is very useful in migration scenarios when building network traffic rules or needs to see dependencies between servers quickly. The picture below shows an example Workbook (download here<\/a>) showing all traffic for a specific server and a summary (total MB) of network traffic per network port. <\/p>\n\n\n\n
\"\"<\/a><\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"
Service Map is a feature in Azure Monitor to automatically discovers communication between applications on both Windows and Linux servers. Service Map visualize collected data in a service map, with servers, processes, inbound and outbound connection latency, and ports across any TCP-connected architecture \u00e2\u20ac\u201d more information about Service Map at Microsoft Docs. The default Service … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[75],"tags":[77,72,74,80,81,79],"_links":{"self":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/4632"}],"collection":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4632"}],"version-history":[{"count":3,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/4632\/revisions"}],"predecessor-version":[{"id":4638,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/4632\/revisions\/4638"}],"wp:attachment":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4632"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}