Heat Map Visualization

A heat map makes it easier to visualize more values, such as counts or utilization, against time. Colors, which you can select in the settings, represent values over time so that you can quickly spot areas that might be of concern. The visualization is based on the timestats command.

Example heat map:


Example heat map chart for the below query

The above heat map is generated for the following query:

Label not in ('Action Succeeded', 'Action Failed', 'Configuration Error')
   | timestats count as logrecords by Label
   | bucket logrecords as labels_buckets none = 0 - 0, low = 1 - 2, medium = 3 - 10, high = 10 - 20

The heat map shows the count of each label against time. This makes it easier to determine which labels have a higher count and to notice the behavior in specific time slots.

  1. Open the navigation menu and click Observability & Management. Under Logging Analytics, click Log Explorer.

  2. Search for logs for a set of entities. See Search Logs by Entities.

  3. From the Visualize panel, select Heat Map.


    Heat map and time series table for the default query

    The heat map for the following default query is displayed:

    * | timestats topcount = 20 count as logrecords by 'Log Source' | sort -logrecords

    Time is plotted along the y-axis of the chart. Along the x-axis, the field which is the input to the timestats command is plotted, for example, Log Source. Each rectangle along a row represents the count of log records for a slot of time. The color of the rectangle represents the range to which the count belongs. The ranges are displayed at the top of the chart. Hover your cursor over a rectangle to view the values corresponding to it. To drill down further on a specific set of log records represented by a rectangle, click it. The number of rectangles in a row is determined by the time range selected for the analysis. For example, if the selected time range is Last 60 Minutes, then each row has 60 rectangles, one for each minute of the time range.

    A time series table is also displayed below the heat map chart. Each row of the table corresponds to a rectangle in a row in the chart.

  4. You can change the colors displayed in the chart by clicking Color under Display Options. Select the color palette that best suits the requirement. For example, if the higher ranges indicate warnings and errors, as in the case of Severity or Problem Priority, then use the palette that has red for the higher ranges. On the other hand, if the lower values are of concern, as in the case of Memory Available, then use the palette that has red for the lower ranges.

    In the following heat map, the one red rectangle, which represents the highest range, clearly indicates that events occurred more often than usual in a specific time slot:


    Heat map with a different color palette

  5. By default, 6 ranges are used to automatically distribute the values in the chart. Based on the number of ranges, they are sized equally to cover the entire set of log records. To change the number of ranges, click Settings under Display Options. There can be a minimum of 3 and a maximum of 11 ranges.

    The above ranges setting applies only when the buckets are automatically generated. It cannot be applied when you use the bucket command to define the ranges.

    To change the gray squares to color squares, enable the check box Include results with no values in lowest range.

    To define your own ranges, use the bucket command in your query. For example:

    * | timestats topcount = 20 count as logrecords by 'Log Source'
       | sort -logrecords
       | bucket logrecords as mybuckets low = 0 - 100, medium = 101 - 500, large = 501 - 1000, others = huge

    In the above query, the buckets are created for the 4 ranges low, medium, large, and others.

    When you define your own ranges, consider having topcount = 20 in your timestats query to group the top 20 largest values. Depending on the ranges defined, the graph might be skewed toward one large bucket, such as others.

    Ensure that you use the alias with the bucket command, for example, mybuckets in the above query. The others bucket must always be used in this approach.
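
The bucketing described in step 5, as an added Python sketch that is not Oracle's implementation: it counts records per one-minute slot, as the timestats query groups them by Log Source, and assigns each count to the page's low, medium, and large ranges or to the catch-all others bucket. The record data, the source names, first-match range selection, and the handling of empty slots are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Named ranges copied from the page's bucket example (bounds inclusive).
RANGES = [("low", 0, 100), ("medium", 101, 500), ("large", 501, 1000)]
OTHERS = "others"  # catch-all for counts that fall outside every named range
START = datetime(2024, 1, 1, 0, 0)  # constructed start of the time range

def bucket(count):
    """Return the first named range that contains count, else the catch-all."""
    for name, low, high in RANGES:
        if low <= count <= high:
            return name
    return OTHERS

def heat_rows(records, start, minutes, empty_in_lowest=False):
    """Count (timestamp, source) records per one-minute slot and bucket them.

    Returns {source: [range name per slot]}; None marks a slot with no
    records (a gray square) unless empty_in_lowest is set (assumed behavior).
    """
    counts = Counter()
    for ts, source in records:
        slot = int((ts - start).total_seconds() // 60)
        if 0 <= slot < minutes:
            counts[(source, slot)] += 1
    rows = {}
    for source in sorted({src for src, _ in counts}):
        cells = []
        for slot in range(minutes):
            n = counts.get((source, slot))
            if n is None:
                cells.append(RANGES[0][0] if empty_in_lowest else None)
            else:
                cells.append(bucket(n))
        rows[source] = cells
    return rows

def sample_records():
    """Constructed data: (source, minute, number of records in that minute)."""
    plan = [("source-a", 0, 5), ("source-a", 1, 150),
            ("source-a", 3, 1200), ("source-b", 2, 600)]
    return [(START + timedelta(minutes=m, seconds=i % 60), src)
            for src, m, n in plan for i in range(n)]

if __name__ == "__main__":
    for src, cells in heat_rows(sample_records(), START, 4).items():
        print(src, cells)
```

The burst of 1200 records lands in others because no named range covers it, which is the skew the page warns about when the defined ranges stop below the largest counts.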