Monitoring & Azure Monitor
Collect metrics and logs, query with KQL, and alert with Azure Monitor.
Theory
Azure Monitor is the umbrella for observability. It collects two data types:
- Metrics — numeric time-series (CPU, memory), near real-time, in Metrics Explorer
- Logs — structured events sent to a Log Analytics workspace, queried with KQL (Kusto Query Language)
On top, Alerts fire on metric thresholds or log queries and trigger action groups (email, webhook, runbook). Application Insights adds app-level telemetry (requests, dependencies, traces). Workbooks and dashboards visualize it all.
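Log-based alerts work by running a KQL query on a schedule and firing when it returns rows. As an added example (not from the page), this query is shaped for a log search alert rule over the Application Insights `requests` table: it computes the failed-request rate per service in the last 15 minutes and returns only services above 5%, so any returned row is an alert condition. It assumes the standard `requests` columns `success` and `cloud_RoleName`; the 15-minute window and 5% threshold are chosen for illustration.

```kql
// Log search alert query: services whose failed-request rate exceeded 5% in the last 15 minutes.
// Runs on the Application Insights 'requests' table; window and threshold are illustrative.
requests
| where timestamp > ago(15m)
| summarize
    total  = count(),
    failed = countif(success == false)
    by service = cloud_RoleName
| where total > 0
| extend errorRate = round(100.0 * failed / total, 2)
| where errorRate > 5
| project service, total, failed, errorRate
| order by errorRate desc
```

In the alert rule, set the measure to table rows with operator "greater than" and threshold 0 so the alert fires whenever any service is listed; the action group then handles notification.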
Real-World Example
```kql
// KQL: top 10 slow requests in the last hour
requests
| where timestamp > ago(1h)
| where duration > 1000
| project timestamp, name, duration, resultCode
| order by duration desc
| take 10
```
Alert: "CPU > 80% for 5 minutes on vm-web"
→ Action group: email on-call + trigger an automation runbook
Hands-On Exercise
- Distinguish a scenario best served by metrics vs by logs.
- Write a plain-English alert rule for high memory usage.
- Sketch a KQL query that counts errors per service over a day.
- Explain what an action group does when an alert fires.
Cheat Sheet
| Component | Purpose |
|---|---|
| Metrics | Numeric time-series, fast |
| Log Analytics | Stores logs, queried with KQL |
| KQL | Kusto query language |
| Alerts | Fire on metric/log conditions |
| Action groups | Notify/automate on alert |
| Application Insights | App telemetry + traces |
Common Interview Questions
What's the difference between metrics and logs in Azure Monitor?
Metrics are lightweight numeric time-series ideal for fast alerting; logs are rich structured events stored in Log Analytics and queried with KQL for deep analysis.
What is an action group?
A reusable set of notifications and actions (email, SMS, webhook, runbook, Logic App) that an alert triggers when its condition is met.