Query data in Azure Monitor using Azure Data Explorer
Azure Data Explorer supports cross-service queries between Azure Data Explorer, Application Insights resources (AI), and Log Analytics workspaces (LA). You can query your Log Analytics workspace or Application Insights resource using Azure Data Explorer query tools and in a cross-service query. This article shows you how to create a cross-service query and add the Log Analytics workspace or Application Insights resource to the Azure Data Explorer web UI.
Add a Log Analytics workspace/Application Insights resource to Azure Data Explorer client tools
Add a Log Analytics workspace or Application Insights resource to Azure Data Explorer client tools to enable cross-service queries for your clusters.
Verify that your Azure Data Explorer native cluster (such as the help cluster) appears on the left menu before you connect to your Log Analytics workspace or Application Insights resource.
In the Azure Data Explorer UI, select + Add then Connection.
In the Add Connection window, add the URL and display name of the Log Analytics (LA) workspace or Application Insights (AI) resource.
- For Log Analytics (LA) workspace:
https://ade.loganalytics.io/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/microsoft.operationalinsights/workspaces/<workspace-name>
- For Application Insights (AI) resource:
https://ade.applicationinsights.io/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/microsoft.insights/components/<ai-app-name>
Note
Specify https://ade.applicationinsights.io/subscriptions/<subscription-id> to see all databases in the subscription. This syntax also works for Log Analytics workspace clusters.
Select Add.
Note
- There are different endpoints for the following:
  - Azure Government - adx.monitor.azure.us/
  - Microsoft Azure operated by 21Vianet - adx.monitor.azure.cn/
- If you add a connection to more than one Log Analytics workspace/Application Insights resource, give each a different name. Otherwise they'll all have the same name in the left pane.
After the connection is established, your Log Analytics workspace or Application Insights resource will appear in the left pane with your native Azure Data Explorer cluster.
Note
Queries you run from Azure Data Explorer on data in Azure Monitor are subject to cross-resource query limits.
Run queries
You can run the queries using client tools that support Kusto queries, such as: Kusto Explorer, Azure Data Explorer web UI, Jupyter Kqlmagic, Flow, PowerQuery, PowerShell, Lens, REST API.
Note
Cross-service querying is used for data retrieval only. For more information, see Function supportability.
Tip
- The database should have the same name as the resource specified in the cross-service query. Names are case sensitive.
- In cross-service queries, make sure that Application Insights resource and Log Analytics workspace names are correct.
- If names contain special characters, they are replaced by URL encoding in the cross-service query.
- If names include characters that don't meet KQL identifier name rules, they are replaced by the dash - character.
Direct query on your Log Analytics workspace or Application Insights resources from Azure Data Explorer client tools
You can run queries on your Log Analytics workspace or Application Insights resources from Azure Data Explorer client tools.
Verify that your workspace is selected in the left pane.
Run the following query:
Perf | take 10 // Demonstrate cross-service query on the Log Analytics workspace
Cross query of your Log Analytics workspace or Application Insights resource and the Azure Data Explorer native cluster
When you run cross-service queries, verify that your Azure Data Explorer native cluster is selected in the left pane. The following examples demonstrate combining Azure Data Explorer cluster tables (using union) with a Log Analytics workspace.
Run the following queries:
union StormEvents, cluster('https://ade.loganalytics.io/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/microsoft.operationalinsights/workspaces/<workspace-name>').database('<workspace-name>').Perf
| take 10
let CL1 = 'https://ade.loganalytics.io/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/microsoft.operationalinsights/workspaces/<workspace-name>';
union <ADX table>, cluster(CL1).database('<workspace-name>').<table name>
Tip
Using the join operator, instead of union, may require a hint to run it on an Azure Data Explorer native cluster.
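The following join is an added example, not part of the original article. It is run with the native cluster selected and enriches failed Windows logons from the workspace's SecurityEvent table with an owner from AssetInventory, a hypothetical Azure Data Explorer table assumed to have Computer and Owner columns whose Computer values match those in the workspace. The hint.remote=left hint runs the join on the cluster of the left operand, which here is the native cluster.

```kusto
// Added example. AssetInventory (Computer, Owner) is a hypothetical table in the
// native Azure Data Explorer database; SecurityEvent lives in the workspace.
let LA = 'https://ade.loganalytics.io/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/microsoft.operationalinsights/workspaces/<workspace-name>';
// Filter and aggregate on the workspace side first so that only a small
// summary crosses the service boundary (cross-resource query limits apply).
let FailedLogons =
    cluster(LA).database('<workspace-name>').SecurityEvent
    | where TimeGenerated > ago(1d)
    | where EventID == 4625                      // failed logon
    | summarize Failures = count(), Accounts = dcount(Account) by Computer;
AssetInventory
| project Computer, Owner
// hint.remote=left: execute the join where the left table (AssetInventory) lives.
| join kind=inner hint.remote=left (FailedLogons) on Computer
| project Computer, Owner, Failures, Accounts
| top 20 by Failures desc
```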
Join data from an Azure Data Explorer cluster in one tenant with an Azure Monitor resource in another
Cross-tenant queries between the services aren't supported. You sign in to a single tenant to run a query that spans both resources.
If the Azure Data Explorer resource is in tenant-name-a and the Log Analytics workspace is in tenant-name-b, use one of the following two methods:
- Azure Data Explorer allows you to add roles for principals in different tenants. Add your user ID in tenant-name-b as an authorized user on the Azure Data Explorer cluster. Validate that the 'TrustedExternalTenant' property on the Azure Data Explorer cluster contains tenant-name-b. Run the cross-query fully in tenant-name-b.
- Use Lighthouse to project the Azure Monitor resource into tenant-name-a.
Connect to Azure Data Explorer clusters from different tenants
Kusto Explorer automatically signs you into the tenant to which the user account originally belongs. To access resources in other tenants with the same user account, the tenantId has to be explicitly specified in the connection string:
Data Source=https://ade.applicationinsights.io/subscriptions/SubscriptionId/resourcegroups/ResourceGroupName;Initial Catalog=NetDefaultDB;AAD Federated Security=True;Authority ID=<TenantId>
Function supportability
The Azure Data Explorer cross-service queries support functions for both Application Insights resource and Log Analytics workspace. This capability enables cross-cluster queries to reference an Azure Monitor tabular function directly. The following commands are supported with the cross-service query:
- .show functions
- .show function [FunctionName]
- .show database [DatabaseName] schema as json
Limitations
Cross-service queries support only .show functions. This capability enables cross-cluster queries to reference an Azure Monitor, Azure Data Explorer, or Azure Resource Graph tabular function directly. The following commands are supported with the cross-service query:
- .show functions
- .show function [FunctionName]
- .show database [DatabaseName] schema as json
Private Link (private endpoints) and IP restrictions don't support cross-service queries.
Additional syntax examples
The following syntax options are available when calling the Application Insights resource or Log Analytics workspaces:
Syntax Description | Application Insights resource | Log Analytics workspace |
---|---|---|
Database within a cluster that contains only the defined resource in this subscription (recommended for cross cluster queries) | cluster('https://adx.monitor.azure.com/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/microsoft.insights/components/<ai-app-name>').database('<ai-app-name>') | cluster('https://adx.monitor.azure.com/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/microsoft.operationalinsights/workspaces/<workspace-name>').database('<workspace-name>') |
Cluster that contains all apps/workspaces in this subscription | cluster('https://adx.monitor.azure.com/subscriptions/<subscription-id>') | cluster('https://adx.monitor.azure.com/subscriptions/<subscription-id>') |
Cluster that contains all apps/workspaces in the subscription and are members of this resource group | cluster('https://adx.monitor.azure.com/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>') | cluster('https://adx.monitor.azure.com/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>') |
Cluster that contains only the defined resource in this subscription | cluster('https://adx.monitor.azure.com/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/microsoft.insights/components/<ai-app-name>') | cluster('https://adx.monitor.azure.com/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/microsoft.operationalinsights/workspaces/<workspace-name>') |
For Endpoints in the UsGov | cluster('https://adx.monitor.azure.us/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/microsoft.operationalinsights/workspaces/<workspace-name>') | |
For Endpoints in the China 21Vianet | cluster('https://adx.monitor.azure.cn/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/microsoft.operationalinsights/workspaces/<workspace-name>') | |