I have listed down few queries which will help you to filter the AVD Logs, In order to get the logs please make sure you have enabled the diagnostic settings for AVD, To enable AVD diagnostics please visit https://techgenius.blog/2020/11/28/enable-wvd-diagnostics/

Advertisements

To list connected users over a certain time

WVDConnections 
| where State == "Connected" 
| project _ResourceId, UserName
| project-rename Hostpool = _ResourceId 
| summarize DistinctUsers= dcount(UserName) by Hostpool
| extend HostPool=toupper(strcat(split(Hostpool,"/")[4],".",split(Hostpool,"/")[8]))
| project HostPool,DistinctUsers

User Active time Query

WVDConnections 
| where State == "Connected"  
| project CorrelationId , UserName, ConnectionType , StartTime=TimeGenerated,_ResourceId 
| project-rename Hostpool = _ResourceId 
| extend HostPool=toupper(strcat(split(Hostpool,"/")[4],".",split(Hostpool,"/")[8]))
| join (WVDConnections  
    | where State == "Completed"  
    | project EndTime=TimeGenerated, CorrelationId)  
    on CorrelationId  
| project UserName,HostPool,ConnectionType,Duration = EndTime - StartTime,StartTime,EndTime
| sort by Duration desc
Advertisements

To find the pool Creation date

WVDManagement | where Route contains "createHostPool" | project TimeGenerated,UserName,Route,ClientSideIPAddress,_ResourceId
| project-rename Hostpool = _ResourceId 
| extend HostPool=toupper(strcat(split(Hostpool,"/")[4],".",split(Hostpool,"/")[8]))

To find the Session host added date

WVDHostRegistrations | project _ResourceId,TimeGenerated,SessionHostName
| project-rename Hostpool = _ResourceId 
| extend HostPool=toupper(strcat(split(Hostpool,"/")[4],".",split(Hostpool,"/")[8]))
Advertisements

To find any specific user active time

Change the userupn to required name

let Events = WVDConnections | where UserName == "userupn" ;
Events
| where State == "Connected"
| project CorrelationId , UserName, ResourceAlias , StartTime=TimeGenerated
| join (Events
| where State == "Completed"
| project EndTime=TimeGenerated, CorrelationId)
on CorrelationId
| project UserName, ResourceAlias, StartTime,EndTime,Duration = EndTime - StartTime
| sort by Duration asc

To find user connection types

WVDConnections | where State contains "Completed" | project UserName,ClientOS,ClientType,ConnectionType, _ResourceId
| project-rename Hostpool = _ResourceId 
| extend HostPool=toupper(strcat(split(Hostpool,"/")[4],".",split(Hostpool,"/")[8]))

Top users with highest RTT

WVDConnectionNetworkData
| join kind=leftouter (
    WVDConnections
    | distinct CorrelationId, UserName
) on CorrelationId
| summarize AvgRTT=avg(EstRoundTripTimeInMs),RTT_P95=percentile(EstRoundTripTimeInMs,95) by UserName
| top 10 by AvgRTT desc

Top users with low bandwidth

WVDConnectionNetworkData
| join kind=leftouter (
    WVDConnections
    | distinct CorrelationId, UserName
) on CorrelationId
| summarize AvgBW=avg(EstAvailableBandwidthKBps),BW_P95=percentile(EstAvailableBandwidthKBps,95) by UserName
| top 10 by AvgBW asc
Advertisements

To find the errors count by pool

WVDErrors 
| project _ResourceId, CodeSymbolic
| project-rename Hostpool = _ResourceId 
| extend HostPool=toupper(strcat(split(Hostpool,"/")[4],".",split(Hostpool,"/")[8]))
| summarize Count=count() by CodeSymbolic, HostPool

Apart from this, not sure if you have noticed, there are few queries available which you can check on

Bookmark this page, I will keep updating for more queries and share your comments if you are using different queries as part of your daily operations.