azure-kusto

作者: microsoft

在Azure Data Explorer中執行KQL查詢並分析資料,以進行日誌分析、遙測和時間序列洞察。針對海量資料集執行KQL查詢,具備亞秒級效能,包括篩選、彙總、時間序列分析和跨表聯結。在查詢前探索並了解叢集資源、資料庫和資料表結構,以掌握資料模型。支援五種核心查詢模式:基本檢索、彙總分析、時間序列分析、基於聯結的查詢等。

npx skills add https://github.com/microsoft/azure-skills --skill azure-kusto
下載 ZIPGitHub
1.2k

Azure Data Explorer (Kusto) Query & Analytics

Execute KQL queries and manage Azure Data Explorer resources for fast, scalable big data analytics on log, telemetry, and time series data.

Skill Activation Triggers

Use this skill immediately when the user asks to:

  • "Query my Kusto database for [data pattern]"
  • "Show me events in the last hour from Azure Data Explorer"
  • "Analyze logs in my ADX cluster"
  • "Run a KQL query on [database]"
  • "What tables are in my Kusto database?"
  • "Show me the schema for [table]"
  • "List my Azure Data Explorer clusters"
  • "Aggregate telemetry data by [dimension]"
  • "Create a time series chart from my logs"

Key Indicators:

  • Mentions "Kusto", "Azure Data Explorer", "ADX", or "KQL"
  • Log analytics or telemetry analysis requests
  • Time series data exploration
  • IoT data analysis queries
  • SIEM or security analytics tasks
  • Requests for data aggregation on large datasets
  • Performance monitoring or APM queries

Overview

This skill enables querying and managing Azure Data Explorer (Kusto), a fast and highly scalable data exploration service optimized for log and telemetry data. Azure Data Explorer provides sub-second query performance on billions of records using the Kusto Query Language (KQL).

Key capabilities:

  • Query Execution: Run KQL queries against massive datasets
  • Schema Exploration: Discover tables, columns, and data types
  • Resource Management: List clusters and databases
  • Analytics: Aggregations, time series, anomaly detection, machine learning

Core Workflow

  1. Discover Resources: List available clusters and databases in subscription
  2. Explore Schema: Retrieve table structures to understand data model
  3. Query Data: Execute KQL queries for analysis, filtering, aggregation
  4. Analyze Results: Process query output for insights and reporting

Query Patterns

Pattern 1: Basic Data Retrieval

Fetch recent records from a table with simple filtering.

Example KQL:

Events
| where Timestamp > ago(1h)
| take 100

Use for: Quick data inspection, recent event retrieval

Pattern 2: Aggregation Analysis

Summarize data by dimensions for insights and reporting.

Example KQL:

Events
| summarize count() by EventType, bin(Timestamp, 1h)
| order by count_ desc

Use for: Event counting, distribution analysis, top-N queries

Pattern 3: Time Series Analytics

Analyze data over time windows for trends and patterns.

Example KQL:

Telemetry
| where Timestamp > ago(24h)
| summarize avg(ResponseTime), percentiles(ResponseTime, 50, 95, 99) by bin(Timestamp, 5m)
| render timechart

Use for: Performance monitoring, trend analysis, anomaly detection

Pattern 4: Join and Correlation

Combine multiple tables for cross-dataset analysis.

Example KQL:

Events
| where EventType == "Error"
| join kind=inner (
    Logs
    | where Severity == "Critical"
) on CorrelationId
| project Timestamp, EventType, LogMessage, Severity

Use for: Root cause analysis, correlated event tracking

Pattern 5: Schema Discovery

Explore table structure before querying.

Tools: kusto_table_schema_get

Use for: Understanding data model, query planning

Key Data Fields

When executing queries, common field patterns:

  • Timestamp: Time of event (datetime) - use ago(), between(), bin() for time filtering
  • EventType/Category: Classification field for grouping
  • CorrelationId/SessionId: For tracing related events
  • Severity/Level: For filtering by importance
  • Dimensions: Custom properties for grouping and filtering

Result Format

Query results include:

  • Columns: Field names and data types
  • Rows: Data records matching query
  • Statistics: Row count, execution time, resource utilization
  • Visualization: Chart rendering hints (timechart, barchart, etc.)

KQL Best Practices

🟢 Performance Optimized:

  • Filter early: Use where before joins and aggregations
  • Limit result size: Use take or limit to reduce data transfer
  • Time filters: Always filter by time range for time series data
  • Indexed columns: Filter on indexed columns first

🔵 Query Patterns:

  • Use summarize for aggregations instead of count() alone
  • Use bin() for time bucketing in time series
  • Use project to select only needed columns
  • Use extend to add calculated fields

🟡 Common Functions:

  • ago(timespan): Relative time (ago(1h), ago(7d))
  • between(start .. end): Range filtering
  • startswith(), contains(), matches regex: String filtering
  • parse, extract: Extract values from strings
  • percentiles(), avg(), sum(), max(), min(): Aggregations

Best Practices

  • Always include time range filters to optimize query performance
  • Use take or limit for exploratory queries to avoid large result sets
  • Leverage summarize for aggregations instead of client-side processing
  • Store frequently-used queries as functions in the database
  • Use materialized views for repeated aggregations
  • Monitor query performance and resource consumption
  • Apply data retention policies to manage storage costs
  • Use streaming ingestion for real-time analytics (< 1 second latency)
  • Integrate with Azure Monitor for operational insights

MCP Tools Used

ToolPurpose
kusto_cluster_listList all Azure Data Explorer clusters in a subscription
kusto_database_listList all databases in a specific Kusto cluster
kusto_queryExecute KQL queries against a Kusto database
kusto_table_schema_getRetrieve schema information for a specific table

Required Parameters:

  • subscription: Azure subscription ID or display name
  • cluster: Kusto cluster name (e.g., "mycluster")
  • database: Database name
  • query: KQL query string (for query operations)
  • table: Table name (for schema operations)

Optional Parameters:

  • resource-group: Resource group name (for listing operations)
  • tenant: Azure AD tenant ID

Fallback Strategy: Azure CLI Commands

If Azure MCP Kusto tools fail, timeout, or are unavailable, use Azure CLI commands as fallback.

CLI Command Reference

OperationAzure CLI Command
List clustersaz kusto cluster list --resource-group <rg-name>
List databasesaz kusto database list --cluster-name <cluster> --resource-group <rg-name>
Show clusteraz kusto cluster show --name <cluster> --resource-group <rg-name>
Show databaseaz kusto database show --cluster-name <cluster> --database-name <db> --resource-group <rg-name>

KQL Query via Azure CLI

For queries, use the Kusto REST API or direct cluster URL:

az rest --method post \
  --url "https://<cluster>.<region>.kusto.windows.net/v1/rest/query" \
  --body "{ \"db\": \"<database>\", \"csl\": \"<kql-query>\" }"

When to Fallback

Switch to Azure CLI when:

  • MCP tool returns timeout error (queries > 60 seconds)
  • MCP tool returns "service unavailable" or connection errors
  • Authentication failures with MCP tools
  • Empty response when database is known to have data

Common Issues

  • Access Denied: Verify database permissions (Viewer role minimum for queries)
  • Query Timeout: Optimize query with time filters, reduce result set, or increase timeout
  • Syntax Error: Validate KQL syntax - common issues: missing pipes, incorrect operators
  • Empty Results: Check time range filters (may be too restrictive), verify table name
  • Cluster Not Found: Check cluster name format (exclude ".kusto.windows.net" suffix)
  • High CPU Usage: Query too broad - add filters, reduce time range, limit aggregations
  • Ingestion Lag: Streaming data may have 1-30 second delay depending on ingestion method

Use Cases

  • Log Analytics: Application logs, system logs, audit logs
  • IoT Analytics: Sensor data, device telemetry, real-time monitoring
  • Security Analytics: SIEM data, threat detection, security event correlation
  • APM: Application performance metrics, user behavior, error tracking
  • Business Intelligence: Clickstream analysis, user analytics, operational KPIs

來自 microsoft 的更多技能

oss-growth
microsoft
開源增長駭客角色
official
microsoft-foundry
microsoft
端到端部署、評估與管理 Foundry 代理:Docker 建置、ACR 推送、託管/提示代理建立、容器啟動、批次評估、持續評估、提示最佳化工作流程、agent.yaml、從追蹤資料集整理。用途:將代理部署至 Foundry、託管代理、建立代理、調用代理、評估代理、執行批次評估、持續評估、持續監控、持續評估狀態、最佳化提示、改善提示、提示最佳化器、最佳化代理指令、改善代理...
officialdevelopmentdevops
azure-ai
microsoft
用於 Azure AI:搜尋、語音、OpenAI、文件智慧。協助搜尋、向量/混合搜尋、語音轉文字、文字轉語音、轉錄、OCR。適用情境:AI 搜尋、查詢搜尋、向量搜尋、混合搜尋、語意搜尋、語音轉文字、文字轉語音、轉錄、OCR、將文字轉換為語音。
officialdevelopmentapi
azure-deploy
microsoft
對已準備好的應用程式執行 Azure 部署,這些應用程式需具備現有的 .azure/deployment-plan.md 與基礎架構檔案。當使用者要求建立新應用程式時,請勿使用此技能——應改用 azure-prepare。此技能會執行 azd up、azd deploy、terraform apply 及 az deployment 命令,並內建錯誤復原機制。需具備來自 azure-prepare 的 .azure/deployment-plan.md,以及來自 azure-validate 的驗證狀態。適用時機:「執行 azd up」、「執行 azd deploy」、「執行部署」……
officialdevopsaws
azure-storage
microsoft
Azure Storage Services 包括 Blob 儲存體、檔案共用、佇列儲存體、表格儲存體和 Data Lake。回答關於儲存存取層(熱、冷、凍結、封存)、各層使用時機及層級比較的問題。提供物件儲存、SMB 檔案共用、非同步訊息、NoSQL 鍵值及大數據分析。包含生命週期管理。用於:blob 儲存體、檔案共用、佇列儲存體、表格儲存體、data lake、上傳檔案、下載 blob、儲存帳戶、存取層...
officialdevelopmentdatabase
azure-diagnostics
microsoft
在 Azure 上使用 AppLens、Azure Monitor、資源健康狀態和安全分類來偵錯 Azure 生產問題。適用時機:偵錯生產問題、疑難排解應用程式服務、應用程式服務高 CPU、應用程式服務部署失敗、疑難排解容器應用程式、疑難排解函數、疑難排解 AKS、kubectl 無法連線、kube-system/CoreDNS 失敗、Pod 擱置、CrashLoop、節點未就緒、升級失敗、分析記錄、KQL、深入解析、映像提取失敗、冷啟動問題、健康狀態探查失敗...
officialdevopsdevelopment
azure-prepare
microsoft
準備 Azure 應用程式以進行部署(基礎架構 Bicep/Terraform、azure.yaml、Dockerfile)。用於建立/現代化或建立+部署;不適用於跨雲端遷移(請使用 azure-cloud-migrate)。請勿用於:copilot-sdk 應用程式(請使用 azure-hosted-copilot-sdk)。適用時機:「建立應用程式」、「建置 Web 應用程式」、「建立 API」、「建立無伺服器 HTTP API」、「建立前端」、「建立後端」、「建置服務」、「現代化應用程式」、「更新應用程式」、「新增驗證」、「新增快取」、「託管於 Azure」、「建立並...」
officialdevelopmentdevops
azure-validate
microsoft
部署前驗證 Azure 就緒狀態。對設定、基礎架構(Bicep 或 Terraform)、RBAC 角色指派、受控身分權限及先決條件進行深度檢查,再進行部署。適用時機:驗證我的應用程式、檢查部署就緒狀態、執行預檢檢查、驗證設定、確認是否可部署、驗證 azure.yaml、驗證 Bicep、部署前測試、疑難排解部署錯誤、驗證 Azure Functions、驗證函式應用程式、驗證無伺服器...
officialdevopstesting