Using KQL in Azure for Application Monitoring and Insights

Introduction

As organizations grow their cloud footprint, the need to monitor and analyze application performance becomes increasingly critical. In Microsoft Azure, Kusto Query Language (KQL) is one of the most effective ways to query and visualize telemetry data. Whether you’re tracking application usage patterns or investigating performance bottlenecks, KQL enables structured analysis of large-scale logs and metrics.

In this blog, we’ll explore how KQL works, where it fits within Azure, and how you can use it to gain real insights from your applications. To provide a practical context, we’ll also include real query examples from AppRequests and Usage tables, using screenshots directly from Azure Log Analytics.

What is KQL and Why Use It?

KQL (Kusto Query Language) is a read-only language designed for querying log data stored in Azure Monitor, Log Analytics, and Application Insights. It uses a pipe-based syntax, making it easy to chain together filters, aggregations, and visualizations in a logical flow.

KQL is primarily used to:

• Query logs and metrics in near real-time
• Analyze performance and usage trends
• Troubleshoot errors and latency
• Build custom visualizations for dashboards

Unlike SQL, KQL focuses on telemetry and observability data, not relational datasets. It’s optimized for time-series analysis, which is essential when monitoring application health or usage over time.

Key Use Areas in Azure

You’ll encounter KQL in several Azure services, most notably:

• Log Analytics Workspace: Where logs from multiple sources are stored and queried.
• Application Insights: For examining application performance, user behavior, and dependencies.
• Microsoft Sentinel: For security analytics and threat detection.

All of these services offer a consistent query experience using KQL.

Writing Your First KQL Queries

KQL queries are composed of tabular statements, filters, summarization logic, and visualization commands. Here’s a basic example to understand the structure:

<TableName>

| where <filter_condition>

| summarize <aggregation> by <field>

| order by <field> desc

Below is an actual screenshot from our Azure Monitor workspace showcasing a sample query in action.

This query filters all requests that took longer than 10 Ms. and lists them in descending order by duration. The AppRequests table captures telemetry about each application request, including its duration, result code, and timestamp.

Real-World Examples Using AppRequests and Usage Tables

1. Identifying High-Latency Requests

To find which requests are taking the longest, the following query is useful:

AppRequests

| where duration > 1000

| project timestamp=TimeGenerated, Name, ResultCode, DurationMs, Url

| order by DurationMs desc

This can help identify slow endpoints or potential backend performance issues.

2. Summarize Usage Quantity by Resource

This query is useful for tracking which resources are consuming the most usage quantity (e.g., metered events or feature usage).

Usage

| summarize Total Cost = sum(Quantity) by Resource Uri

| order by Total Cost desc

In this query, we summarize the Usage table by aggregating the total Quantity field per ResourceId. It gives a clear picture of which Azure resource (or application component) is driving the highest usage, which can be linked to cost considerations or scalability planning.

Best Practices for Using KQL in Azure

While KQL is powerful, getting the most value requires a thoughtful approach:

• Filter early: Use where early to reduce the dataset size before aggregating.
• Be specific with projections: Limit the output columns with project for better readability.
• Visualize when needed: Use render for time-based charts, especially when building workbooks or dashboards.
• Handle JSON fields: Use parse_json() when dealing with complex log entries containing nested objects.

These practices ensure better query performance and cleaner outputs.

When to Use AppRequests vs. Usage Table

• AppRequests: Ideal for analyzing performance metrics like request duration, success/failure rates, and dependency behavior.
• Usage: Best suited for tracking user activity, feature adoption, and session behavior.

Using both in combination can give you a complete view of how users interact with your app and how well it performs under load.

Conclusion

Understanding and using Kusto Query Language is a foundational skill for anyone working with monitoring, observability, or security in Azure. With just a few lines of KQL, you can extract actionable insights, build real-time dashboards, and proactively monitor application behavior.

By analyzing data from AppRequests and Usage tables, teams can gain a 360-degree view of both application performance and user engagement—critical for driving continuous improvement.

For those looking to deepen their skills, we recommend exploring our Deploy and configure Azure Monitor course which guides you through real-world query scenarios in Azure.

About CloudThat