Azure Data Explorer (Kusto) Query & Analytics

Execute KQL queries and manage Azure Data Explorer resources for fast, scalable big data analytics on log, telemetry, and time series data.

Skill Activation Triggers

Use this skill immediately when the user asks to:

• "Query my Kusto database for [data pattern]"
• "Show me events in the last hour from Azure Data Explorer"
• "Analyze logs in my ADX cluster"
• "Run a KQL query on [database]"
• "What tables are in my Kusto database?"
• "Show me the schema for [table]"
• "List my Azure Data Explorer clusters"
• "Aggregate telemetry data by [dimension]"
• "Create a time series chart from my logs"

Key Indicators:

• Mentions "Kusto", "Azure Data Explorer", "ADX", or "KQL"
• Log analytics or telemetry analysis requests
• Time series data exploration
• IoT data analysis queries
• SIEM or security analytics tasks
• Requests for data aggregation on large datasets
• Performance monitoring or APM queries

Overview

This skill enables querying and managing Azure Data Explorer (Kusto), a fast and highly scalable data exploration service optimized for log and telemetry data. Azure Data Explorer provides sub-second query performance on billions of records using the Kusto Query Language (KQL).

Key capabilities:

• Query Execution: Run KQL queries against massive datasets
• Schema Exploration: Discover tables, columns, and data types
• Resource Management: List clusters and databases
• Analytics: Aggregations, time series, anomaly detection, machine learning

Core Workflow

1. Discover Resources: List available clusters and databases in subscription
2. Explore Schema: Retrieve table structures to understand data model
3. Query Data: Execute KQL queries for analysis, filtering, aggregation
4. Analyze Results: Process query output for insights and reporting

Query Patterns

Pattern 1: Basic Data Retrieval

Fetch recent records from a table with simple filtering.

Example KQL:

Events
| where Timestamp > ago(1h)
| take 100

Use for: Quick data inspection, recent event retrieval

Pattern 2: Aggregation Analysis

Summarize data by dimensions for insights and reporting.

Example KQL:

Events
| summarize count() by EventType, bin(Timestamp, 1h)
| order by count_ desc

Use for: Event counting, distribution analysis, top-N queries

Pattern 3: Time Series Analytics

Analyze data over time windows for trends and patterns.

Example KQL:

Telemetry
| where Timestamp > ago(24h)
| summarize avg(ResponseTime), percentiles(ResponseTime, 50, 95, 99) by bin(Timestamp, 5m)
| render timechart

Use for: Performance monitoring, trend analysis, anomaly detection

Pattern 4: Join and Correlation

Combine multiple tables for cross-dataset analysis.

Example KQL:

Events
| where EventType == "Error"
| join kind=inner (
    Logs
    | where Severity == "Critical"
) on CorrelationId
| project Timestamp, EventType, LogMessage, Severity

Use for: Root cause analysis, correlated event tracking

Pattern 5: Schema Discovery

Explore table structure before querying.

Tools: kusto_table_schema_get

Use for: Understanding data model, query planning

Key Data Fields

When executing queries, common field patterns:

• Timestamp: Time of event (datetime) - use ago(), between(), bin() for time filtering
• EventType/Category: Classification field for grouping
• CorrelationId/SessionId: For tracing related events
• Severity/Level: For filtering by importance
• Dimensions: Custom properties for grouping and filtering

Result Format

Query results include:

• Columns: Field names and data types
• Rows: Data records matching query
• Statistics: Row count, execution time, resource utilization
• Visualization: Chart rendering hints (timechart, barchart, etc.)

KQL Best Practices

🟢 Performance Optimized:

…