Mastering Kusto Query Language (KQL) for Smarter Azure Monitoring
Accelerate your experience with Kusto Query Language in Azure AppInsights
It’s 2:00 AM, and Sarah, a senior backend developer at a mid-sized fintech company, receives an urgent alert. Customers are reporting severe latency on the payment processing endpoint—some requests are timing out after 30 seconds. The operations dashboard shows elevated error rates, but the cause remains elusive. Is it a database bottleneck? A downstream API? A memory leak? Without the right tools to query and analyze telemetry data, Sarah is navigating in the dark, losing precious minutes while frustrated customers abandon their transactions.
1. Introduction: Why KQL is Essential for Modern Cloud Monitoring
This scenario plays out in production environments every day. As cloud-native applications grow in complexity—spanning microservices, third-party APIs, databases, and distributed systems—traditional monitoring approaches fall short. Teams need more than simple dashboards and predefined metrics. They need the ability to ask sophisticated questions of their telemetry data and get answers in seconds.
Enter Azure Application Insights and Kusto Query Language (KQL). Application Insights collects comprehensive telemetry from your applications—requests, dependencies, exceptions, traces, and custom events—while KQL provides a powerful, expressive syntax to query that data. Together, they form the backbone of modern observability stacks for Azure-hosted applications.
In this guide, you’ll learn how to leverage KQL to:
Monitor request volume and performance to understand traffic patterns and identify anomalies
Identify and diagnose errors by correlating exceptions with specific endpoints and user flows
Find bottlenecks in your application by analyzing dependencies and slow requests
As W. Edwards Deming famously said: “Without data, you’re just another person with an opinion.” KQL transforms raw telemetry into actionable insights, empowering teams to make data-driven decisions about performance optimization, error resolution, and capacity planning.
📚 Reference: Microsoft Docs: Kusto Query Language (KQL) Overview
2. Understanding Kusto Query Language (KQL) Basics
2.1 What is KQL?
Kusto Query Language (KQL) is a read-only, declarative query language optimized for analyzing large volumes of telemetry and log data. Originally developed for Azure Data Explorer (formerly known as Kusto), KQL has become the standard query language across Microsoft’s analytics platforms, including Azure Monitor, Application Insights, and Log Analytics.
Unlike imperative programming languages, KQL follows a declarative model: you describe what data you want, not how to retrieve it. This makes queries concise and readable, even for complex analytics operations.
Brief comparison with SQL:
While KQL shares some similarities with SQL—both use clauses like where for filtering and summarize/group by for aggregation—KQL diverges in important ways:
Pipe-based syntax: KQL uses the pipe operator (
|) to chain operations, making query flow more intuitive and easier to read left-to-rightNo explicit JOIN syntax: While KQL supports joins, the syntax differs from SQL’s traditional approach
Built-in time-series functions: KQL provides rich support for time-based analysis with functions like
bin(),ago(), and time-series aggregationsCase sensitivity: KQL is case-sensitive for string literals but case-insensitive for operators and keywords
2.2 Key Components
To write effective KQL queries, you need to understand three foundational concepts:
Tables
Application Insights organizes telemetry data into several core tables:
requests– HTTP requests to your application, including duration, result codes, and URLsdependencies– Outbound calls to databases, APIs, or other servicesexceptions– Unhandled exceptions and logged errorstraces– Custom log messages from your applicationcustomEvents– Application-specific events you’ve instrumentedpageViews– Client-side page views (for web applications)
Operators
Operators transform and filter data as it flows through your query pipeline:
where– Filters rows based on conditionssummarize– Aggregates data (similar to SQL’s GROUP BY)extend– Adds calculated columns to your result setproject– Selects specific columns (similar to SQL’s SELECT)join– Combines data from multiple tablesorder by/sort by– Sorts resultstop/take– Limits results to a specified number of rows
Functions
KQL provides a rich library of built-in functions:
bin()– Rounds values into discrete buckets (essential for time-series analysis)ago()– Returns a timestamp relative to now (e.g.,ago(1h)for one hour ago)percentile()– Calculates percentiles (P50, P95, P99)avg(),max(),min(),sum(),count()– Standard aggregation functionsparse/extract– String manipulation and pattern extraction
With these building blocks in hand, let’s dive into practical monitoring scenarios.
3. Monitoring Request Volume and Trends
3.1 Track Request Count Over Time
The most fundamental question in application monitoring is: How much traffic is my application receiving? Understanding request volume helps you identify trends, detect anomalies, and correlate traffic spikes with performance degradation.
Here’s a simple query to track request count over time:
requests
| summarize count() by bin(timestamp, 1h)
Breaking it down:
requests– Queries the requests tablesummarize count()– Counts the number of requestsby bin(timestamp, 1h)– Groups results into 1-hour buckets
This query produces a time series showing request volume per hour. In the Azure Monitor interface, you can visualize this as a line chart or bar graph to quickly spot trends.
Practical tip: Adjust the bin() interval based on your analysis window. For real-time monitoring, use bin(timestamp, 5m) or bin(timestamp, 1m). For longer-term trend analysis, use bin(timestamp, 1d).
3.2 Compare Peak vs. Off-Peak Hours
Traffic patterns reveal much about user behavior and system capacity. By analyzing request volume over time, you can identify peak usage hours, plan capacity accordingly, and detect unusual spikes that may indicate bot traffic, marketing campaigns, or DDoS attacks.
Here’s how to analyze the past 7 days of traffic:
requests
| where timestamp > ago(7d)
| summarize count() by bin(timestamp, 1h)
Key insights to look for:
Regular patterns: Most B2B applications see traffic spikes during business hours; B2C apps may show evening or weekend peaks
Anomalies: Sudden spikes outside normal patterns warrant investigation
Correlation with incidents: If performance degraded at a specific time, check whether it coincided with a traffic spike
Advanced analysis: To compare weekday vs. weekend patterns:
requests
| where timestamp > ago(30d)
| extend dayOfWeek = dayofweek(timestamp)
| summarize count() by bin(timestamp, 1h), dayOfWeek
This helps you understand whether weekends require different capacity planning than weekdays.
3.3 Benchmarking Response Times
Request volume tells only half the story—you also need to understand how quickly your application responds. Response time (or duration) directly impacts user experience and often serves as the first indicator of performance problems.
Query for average and P95 response times:
requests
| where timestamp > ago(1h)
| summarize
avg_duration = avg(duration),
p95_duration = percentile(duration, 95),
p99_duration = percentile(duration, 99)
by bin(timestamp, 5m)
Why percentiles matter:
Averages can be misleading when response times have a long tail. A few extremely slow requests can skew the average, masking the experience of most users. The 95th percentile (P95) tells you that 95% of requests completed faster than this value—a more meaningful metric for setting SLAs and detecting regressions.
Interpreting the results:
Industry benchmarks and Microsoft’s performance guidelines suggest that typical web API response times should fall between 200–800 ms for optimal user experience. If your application is averaging 30 seconds (30,000 ms), you’re experiencing severe performance degradation—users will perceive the application as unresponsive, and you’ll likely see increased abandonment rates.
Action items based on benchmarks:
< 200 ms: Excellent performance; focus on maintaining this level
200–800 ms: Good performance; monitor for gradual degradation
800 ms–2 s: Suboptimal; investigate potential optimizations
> 2 s: Poor performance; urgent investigation required
By establishing baselines and comparing against industry standards, you can quickly identify when performance deviates from acceptable ranges.
4. Monitoring Application Performance and Bottlenecks
4.1 Identifying Slow Requests
Not all endpoints are created equal. Some operations—like generating reports, processing large files, or executing complex database queries—are inherently slower than simple CRUD operations. However, unexpectedly slow endpoints often indicate optimization opportunities or emerging issues.
Query to find slow requests:
requests
| where duration > 1000
| summarize
avg_duration = avg(duration),
max_duration = max(duration),
request_count = count()
by name
| order by avg_duration desc
What this reveals:
name– The endpoint or operation name (e.g.,GET /api/orders/{id})avg_duration– Average response time for this endpointmax_duration– Worst-case response time observedrequest_count– Number of requests to this endpoint
Interpreting results:
Focus on endpoints with both high average duration and high request count. An endpoint that takes 10 seconds but is called once per day may not warrant immediate attention, whereas an endpoint averaging 2 seconds with 10,000 daily requests represents a significant performance opportunity.
Next steps:
Once you’ve identified slow endpoints, drill deeper:
requests
| where name == “GET /api/orders/{id}” and duration > 1000
| project timestamp, duration, resultCode, customDimensions
| order by duration desc
| take 50
This shows the 50 slowest instances of a specific endpoint, allowing you to examine custom dimensions, result codes, and timestamps for patterns.
4.2 Correlating with Dependencies
Your application rarely operates in isolation. Most performance bottlenecks stem from external dependencies: database calls, third-party APIs, cache lookups, or message queue operations. Application Insights tracks these as dependencies, giving you visibility into how external systems impact your application’s performance.
Query to analyze dependency performance:
dependencies
| where timestamp > ago(1h)
| summarize
avg_duration = avg(duration),
p95_duration = percentile(duration, 95),
call_count = count()
by target, type
| order by avg_duration desc
Key fields:
target– The external system being called (e.g., database server name, API hostname)type– Dependency type (e.g., SQL, HTTP, Azure Blob Storage)duration– Time spent waiting for the dependency to respond
Common findings:
Slow database queries: If SQL dependencies show high P95 durations, investigate query performance, missing indexes, or connection pool exhaustion
Third-party API latency: External APIs may have their own performance issues or rate limiting
Cache misses: If cache dependencies show long durations, investigate cache hit rates and cache key design
Real-world example:
A payment processing endpoint averaging 5 seconds may seem problematic until you discover that the payment gateway API dependency averages 4.8 seconds. The issue lies with the external service, not your code—prompting you to either optimize the integration, add caching, or escalate to the vendor.
4.3 Finding Bottlenecks with Joins
The most powerful insights come from correlating requests with their dependencies. By joining these tables, you can answer questions like: “Which slow requests are caused by slow database calls?” or “Do certain endpoints consistently trigger expensive dependencies?”
Query to correlate slow requests with dependencies:
let SlowRequests = requests
| where duration > 2000
| project operation_Id, name, duration;
dependencies
| join kind=inner SlowRequests on operation_Id
| summarize
dep_avg_duration = avg(duration),
request_avg_duration = avg(duration1)
by target, name
| order by request_avg_duration desc
Breaking it down:
Define a
letstatement to identify slow requests (> 2 seconds)Join dependencies with slow requests using
operation_Id(which links related telemetry)Summarize to find which dependencies are associated with which slow endpoints
Pro tip: Use P95 instead of averages
For more accurate insights, use percentile(duration, 95) rather than avg(duration). Percentiles are less sensitive to outliers and better reflect typical user experience:
requests
| where timestamp > ago(1h)
| summarize
p95 = percentile(duration, 95),
p99 = percentile(duration, 99)
by name
This tells you that 95% of users experience response times at or below the P95 value—a more meaningful SLA metric than average duration.
5. Identifying and Solving the 5 Most Common Application Errors
5.1 Most Frequent Exceptions
Errors are inevitable, but not all errors are equal. Some exceptions occur rarely and have minimal impact, while others affect thousands of users daily. The first step in error management is understanding which exceptions occur most frequently.
Query to find the top 5 exception types:
exceptions
| summarize count() by type
| top 5 by count_
This simple query reveals your application’s most common failure modes. Let’s examine five exceptions you’re likely to encounter in .NET applications, along with their root causes and solutions.
1. System.NullReferenceException
Cause: Attempting to access a member of a null object. This classic .NET error often results from:
Unvalidated input parameters
Database queries returning null when a record isn’t found
Improperly initialized object graphs
Race conditions in asynchronous code
Solution:
Implement null checks: Use null-conditional operators (
?.) and null-coalescing operators (??)Enable nullable reference types: In C# 8.0+, enable nullable reference types to catch null issues at compile time
Validate inputs: Check parameters at API boundaries using guard clauses or validation attributes
Log context: When exceptions occur, log relevant context (user ID, request parameters) to aid debugging
// Before
var result = customer.Address.PostalCode; // Throws if customer or Address is null
// After
var result = customer?.Address?.PostalCode ?? “Unknown”;
2. HttpRequestException
Cause: Failed HTTP calls to external APIs or services. Common scenarios include:
Network timeouts or connectivity issues
4xx or 5xx responses from downstream services
DNS resolution failures
SSL/TLS certificate problems
Solution:
Implement retry policies: Use libraries like Polly to automatically retry transient failures
Add circuit breakers: Prevent cascading failures by stopping requests to failing services
Implement fallback mechanisms: Provide degraded functionality when dependencies are unavailable
Monitor dependency health: Track success rates and latency for external services
// Using Polly for retry logic
var retryPolicy = Policy
.Handle<HttpRequestException>()
.WaitAndRetryAsync(3, retryAttempt =>
TimeSpan.FromSeconds(Math.Pow(2, retryAttempt)));
await retryPolicy.ExecuteAsync(() => httpClient.GetAsync(apiUrl));
3. TimeoutException
Cause: Operations exceeding configured timeout thresholds, typically from:
Long-running database queries (missing indexes, large result sets, table scans)
Slow external API calls
Resource contention (thread pool exhaustion, connection pool starvation)
Deadlocks or blocking in concurrent code
Solution:
Optimize database queries: Add indexes, limit result sets, use pagination
Implement caching: Cache frequently accessed, slowly changing data
Review dependency performance: Use the dependency analysis from Section 4.2
Increase timeouts judiciously: Only after confirming that operations legitimately require more time
Add async/await: Ensure I/O-bound operations don’t block threads
4. SqlException
Cause: Database-level errors, including:
Connection failures (network issues, credentials, firewall rules)
Query syntax errors
Constraint violations (foreign key, unique constraint, check constraint)
Deadlocks
Resource limits (max connections, storage quota exceeded)
Solution:
Parameterize queries: Use parameterized queries or ORM frameworks to prevent SQL injection and syntax errors
Monitor connection pools: Ensure your connection pool is properly configured
Add retry logic for transient errors: Use
SqlConnection.RetryLogicor Polly for transient failuresInvestigate deadlocks: Use SQL Server’s deadlock graph to understand locking patterns
Monitor database resource limits: Check CPU, memory, and storage usage in Azure SQL Database
5. TaskCanceledException
Cause: Async operations canceled before completion, typically from:
HttpClient timeout exceeded
User-initiated cancellation (e.g., closing a browser tab)
Application shutdown during in-flight requests
CancellationToken triggered by application logic
Solution:
Review timeout settings: Ensure HttpClient timeout values align with expected operation duration
Handle cancellation gracefully: Catch
TaskCanceledExceptionandOperationCanceledExceptionseparately from other exceptionsReduce load per request: Break large operations into smaller chunks
Optimize long-running operations: Consider background jobs for expensive work rather than blocking HTTP requests
try
{
await httpClient.GetAsync(url, cancellationToken);
}
catch (TaskCanceledException ex) when (ex.InnerException is TimeoutException)
{
// HttpClient timeout
logger.LogWarning(”Request timed out: {Url}”, url);
}
catch (TaskCanceledException)
{
// User cancellation or shutdown
logger.LogInformation(”Request canceled: {Url}”, url);
}
5.2 Correlate Errors with Impact
Knowing your most frequent exceptions is useful, but understanding which endpoints generate those errors is critical. Some exceptions may occur frequently but only on low-traffic, non-critical endpoints, while others may plague your most important user flows.
Query to correlate exceptions with endpoints:
exceptions
| join kind=inner (requests) on operation_Id
| summarize
exception_count = count(),
affected_requests = dcount(operation_Id)
by name, type
| order by exception_count desc
What this reveals:
name– The endpoint where exceptions occurredtype– The exception typeexception_count– Total number of exceptionsaffected_requests– Number of unique requests impacted
Action prioritization:
Focus on exceptions that:
Affect high-traffic endpoints – Errors on your most-used APIs impact the most users
Occur consistently – Sporadic errors may be user-specific; consistent errors indicate systemic issues
Impact critical flows – Errors during checkout, payment, or authentication warrant immediate attention
By combining frequency data with business impact, you can make informed decisions about which errors to address first.
6. Advanced Tips for Optimizing Application Insights Queries
6.1 Filter Early, Summarize Late
Query performance matters, especially when analyzing large volumes of telemetry data. One of the most important optimization techniques is to filter early in your query pipeline, reducing the dataset before performing expensive operations like joins or aggregations.
Inefficient query:
requests
| summarize count() by name, resultCode
| where name contains “api/orders”
This query aggregates all requests before filtering, forcing the engine to process far more data than necessary.
Optimized query:
requests
| where name contains “api/orders”
| summarize count() by name, resultCode
By moving the where clause before summarize, you filter the dataset first, dramatically reducing the computation required for aggregation.
General principle: Structure your queries in this order:
Filter (
where) – Reduce the dataset as early as possibleExtend – Add calculated columns if needed
Summarize – Aggregate the filtered data
Project – Select final output columns
6.2 Use let Statements for Reusable Queries
As your queries grow in complexity, you’ll often need to reference the same filtered dataset multiple times. The let statement allows you to define reusable query fragments, improving readability and reducing duplication.
Example:
let SlowRequests = requests
| where duration > 1000
| where timestamp > ago(1h);
SlowRequests
| summarize count() by name
Benefits:
Readability: Named query fragments make complex queries easier to understand
Reusability: Reference the same dataset multiple times without repeating logic
Maintainability: Change the filter criteria in one place rather than multiple locations
Advanced use case – parameterized thresholds:
let DurationThreshold = 1000;
let TimeWindow = 1h;
requests
| where duration > DurationThreshold
| where timestamp > ago(TimeWindow)
| summarize count() by name
This pattern makes it easy to adjust thresholds when testing different scenarios.
6.3 Combine Metrics for Root-Cause Analysis
The most powerful insights emerge when you correlate multiple telemetry streams. Rather than analyzing requests, dependencies, and exceptions in isolation, combine them to build a complete picture of system behavior.
Example: Find slow requests with associated database calls and exceptions:
let SlowRequests = requests
| where timestamp > ago(1h)
| where duration > 2000
| project operation_Id, request_name = name, request_duration = duration;
let RelatedDependencies = dependencies
| where timestamp > ago(1h)
| project operation_Id, dep_target = target, dep_duration = duration;
let RelatedExceptions = exceptions
| where timestamp > ago(1h)
| project operation_Id, exception_type = type;
SlowRequests
| join kind=leftouter RelatedDependencies on operation_Id
| join kind=leftouter RelatedExceptions on operation_Id
| summarize
request_count = count(),
avg_request_duration = avg(request_duration),
avg_dep_duration = avg(dep_duration),
exception_count = countif(isnotnull(exception_type))
by request_name, dep_target, exception_type
This comprehensive query reveals:
Which slow requests are correlated with slow dependencies
Whether exceptions occur during these slow requests
Average durations for both requests and their dependencies
Use cases:
Performance investigations: Trace slow user-facing requests back to underlying database or API calls
Error analysis: Understand whether errors cause slow requests or vice versa
Capacity planning: Identify which dependencies contribute most to overall latency
7. Conclusion: Turning Insights into Action
Mastering Kusto Query Language is not an end in itself—it’s a means to an end. The ultimate goal is to transform raw telemetry data into actionable insights that improve your application’s reliability, performance, and user experience.
Key takeaways:
KQL mastery = faster detection – The ability to quickly write targeted queries means you can diagnose production issues in minutes, not hours. When an alert fires at 2:00 AM, knowing whether the problem is a database bottleneck, a third-party API failure, or a memory leak can be the difference between a 5-minute fix and a 2-hour outage.
Data-driven decisions beat guesswork – Without telemetry and the ability to query it, you’re left making assumptions about system behavior. KQL lets you test hypotheses, validate assumptions, and make evidence-based decisions about optimization priorities.
Proactive monitoring beats reactive firefighting – The techniques in this guide enable you to shift from reactive incident response to proactive performance management. By establishing baselines, tracking trends, and setting alerts on meaningful thresholds, you can catch problems before they impact users.
Continuous improvement:
Monitoring is not a one-time activity but an ongoing practice. As your application evolves, so too should your monitoring strategy:
Review query results regularly – Weekly reviews of slow requests and top exceptions help you stay ahead of emerging issues
Refine your baselines – As you optimize performance, update your thresholds and SLAs to reflect new capabilities
Share knowledge – Document your most useful queries and share them with your team; standardizing on common queries improves consistency
Next steps:
Now that you’ve learned the fundamentals of KQL for Application Insights, consider these actions to level up your observability practice:
Automate alerts for slow requests and error spikes
Create alert rules in Azure Monitor to notify you when request duration exceeds thresholds or exception rates spike
Use action groups to integrate alerts with PagerDuty, Slack, or Microsoft Teams
Create custom dashboards using Log Analytics
Pin your most important queries to Azure dashboards for at-a-glance monitoring
Build role-specific dashboards (engineering, operations, management) highlighting relevant metrics
Implement SLIs and SLOs
Define Service Level Indicators (e.g., P95 latency, error rate) using KQL queries
Set Service Level Objectives (e.g., “95% of requests complete in < 500ms”) and track compliance
Explore advanced KQL features
Time-series analysis with
make-seriesand anomaly detectionMachine learning integration for predictive analytics
Custom functions for domain-specific calculations
Remember: the most sophisticated monitoring setup is worthless if insights don’t translate into action. Use KQL to find problems, but more importantly, use it to prove that your fixes work. Before-and-after comparisons using the same queries validate that performance optimizations deliver real results.
8. References and Further Reading
Azure Data Explorer: Best Practices for Query Performance
Application Insights Pricing and Data Volume Management
Building Effective SLIs and SLOs for Modern Applications
Have questions or insights about using KQL in production? Share your experiences in the comments below. What queries have saved you during critical incidents? If you are interested in more content like this one, consider get in Averin Community on Discord by click here
The Deming quote at the end really resonatd with me; it perfectly frames the imperative for KQL.