Azure Monitor Query

Azure Monitor Query

By: Prasanna Kumar Attili

Publish Date: June 21, 2023

Gaining actionable insights for businesses today means sieving through vast operational data. This is where the Azure Monitor Query Client Library for .NET SDK comes into play. As companies increasingly rely on Azure Log Analytics to centralize and analyze log data, the ability to efficiently query and extract meaningful information becomes essential. In our recent Azure Dashboard Web Portal project, we leveraged the power of the Azure Monitor Query Client Library to get the most out of Azure Monitor’s Logs and Metrics data sources. This blog will explore how this powerful client library empowers businesses to effortlessly retrieve and analyze log data, providing valuable insights into system performance, security, and operational efficiency.

The Azure Monitor Query library for .NET provides the following two classes:

  • LogsQueryClient – The client class provides methods to query logs from Azure Monitor Logs.
  • MetricsQueryClient – Client class which methods to query metrics from Azure Monitor Metrics.


Lets’s discuss how we write and execute log queries to fetch log results using LogsQueryClient class.


To fully leverage the capabilities of the Azure Monitor Query Client Library for .NET SDK, certain prerequisites must be met. An active Azure subscription is required to access the Azure Monitor services. Creating a Log Analytics Workspace environment ID is essential, which will serve as the centralized hub for storing and analyzing log data. While familiarity with the Kusto Query Language (KQL) is optional, having a basic understanding of its syntax and structure will significantly enhance your ability to write effective log queries within the Log Analytics Workspace. Lastly, ensure that the Azure Monitor Query Client Library package is installed, laying the foundation for seamless integration and utilizing its powerful features.


Install the Azure Monitor Query Client Library package using NuGet Package Manager Console in Visual Studio for our MVC Core Web Project:


Log Analytics Workspace:

The Log Analytics Workspace is a tool provided by Microsoft in the Azure platform used to execute the KQL queries to get Logs from Log analytics data sources.

The following code snippet depicts the Workspace ID which we are using in our MVC Core Web Application:


Kusto Query Language:

Kusto Query Language (KQL) is a tool provided by Microsoft in the Azure platform that is used to explore data from log analytics workspace sources, and the query structure is like SQL statements.

KQL query is a read-only request made of the following query statements separated by a; this query is used to return the log results:

  1. Table Expression Query
  2. Let statement
  3. Set Statement

The following screenshot depicts typical KQL query syntax using a let statement with where condition expression using project operator to display a set of customized columns data:


The screenshot below depicts the typical architecture of the Web Portal application integrated with Azure Monitor Query API to fetch the results from Azure Log Analytics logs data and display the results in the Dashboard and Search Results page based on provided search criteria.


Let’s explore the following critical scenario through which we demonstrate how the KQL queries can be built to execute and get the log results from Azure Log Analytics Workspace source using the following two approaches:

  1. Run the query using the Log Analytics query window in Azure Portal
  2. MVC Core Web Application code in Visual Studio

Run the query using the Log Analytics query window in Azure Portal


The following KQL query was written using the query editor window and executed in Azure Portal’s Azure Log Analytics Workspace environment to get the results from the source of the logs using search criteria provided with search parameters.



Clicking on the Run button will execute the query and return the log results.


MVC Core Web Application code in Visual Studio

Step 1: Configure Workspace ID

The following code snippet depicts reading workspace ID from Environment variables maintained in Azure Portal configurations.


Step 2: Authenticate Client

The following code snippet depicts creating an instance of LogsQueryClient class in which the DefaultAzureCredential class instance will be passed as an argument for authenticating the client.


The DefaultAzureCredential class provide a default TokenCredential authentication flow for applications deployed in the Azure portal.

Step 3: Build KQL Query

KQL query is built using the following combination of statements, filters, operators and functions.

  • let statement
  • where condition expression having search criteria query parameters
  • project operator to customize a set of columns to display
  • join operator using the kind keyword to combine the rows of two or more tables, creating a new result table matching with specified columns or search criteria.
  • Summarize operator generates an output table aggregating the input table content.
  • TimeGenerated operator with ago function used to subtract the given timespan from the current UTC


The following code snippet depicts the TimeGenerated operator with the ago function keyword to filter the results within the specified Time Range.


The following Time Range or Timespan values can be used as parameters for the ago function.


The following code snippet depicts the function building KQL syntax query returned as a string.




Step 3: Call QueryWorkspaceAsync

The following code snippet depicts calling the QueryWorkspaceAsync method from the LogsQueryClient instance client, and the response will be returned in the LogsQueryResult response model.


The QueryWorkspaceAsync method accepts these parameters:

  • Workspace ID
  • KQL query (built as string)
  • QueryTimeRange provided the timespan


The response object’s Table result will be assigned to the LogsTable variable and bind the same to the custom list object model.

Real-time Scenario:

The screenshot represents a real-time scenario in the Azure Dashboard Portal application where logs data will be pulled from Azure Log Analytics workspace logs source matching with provided search criteria, and the results will be displayed in the UI Grid.



By delving into the steps in constructing queries to retrieve log results from Azure Log Analytics Workspace using the Azure Monitor Query client library for .NET, we have uncovered a powerful tool for enhancing data analysis capabilities. With the ability to authenticate users and execute KQL queries from within a .NET Web application, businesses can seamlessly access, and process logs data, enabling informed decision-making and improved operational efficiency. Integrating this functionality into our MVC Core Web Application has proven vital, providing us with actionable insights and streamlining our data analysis processes.

This, however, necessitates further exploration of the Microsoft Azure Monitor Query client library for .NET API documentation. This comprehensive resource serves as a valuable guide, offering detailed documentation, extensive examples, and tutorials to help you fully leverage the capabilities of the Microsoft Azure Monitor Query. By diving deeper into the documentation, you can discover the features and refine your library usage to meet your business needs.

Empowered with the Microsoft Azure Monitor Query client library for .NET, businesses can harness the power of their log data, gain critical insights, and drive impactful decisions. Whether optimizing system performance, strengthening security measures, or enhancing operational efficiency, this tool provides a solid foundation for extracting valuable information from Azure Log Analytics Workspace.

Related Posts.