Thursday, March 5, 2026

Azure AKS - Diag Logs - KQL




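// Request volume per user agent in 5-minute bins; userAgent is a field of the audit event JSON in log_s
AzureDiagnostics
| where Category == "kube-audit"
| extend logData = parse_json(log_s)
| summarize requests = count() by bin(TimeGenerated, 5m), userAgent = tostring(logData.userAgent)
| order by requests desc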


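// Total requests per user agent across the whole query time range
AzureDiagnostics
| where Category == "kube-audit"
| extend logData = parse_json(log_s)
| summarize requests = count() by userAgent = tostring(logData.userAgent)
| order by requests desc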

// Sample five raw kube-audit records to inspect the schema
AzureDiagnostics
| where Category == "kube-audit"
| take 5

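// Request count per Kubernetes API verb; verb is a field of the audit event JSON in log_s
AzureDiagnostics
| where Category == "kube-audit"
| extend logData = parse_json(log_s)
| summarize count() by verb = tostring(logData.verb)
| order by count_ desc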


// Request count per Kubernetes resource type targeted by the request
AzureDiagnostics
| where Category == "kube-audit"
| extend logData = parse_json(log_s)
| summarize count() by tostring(logData.objectRef.resource)
| order by count_ desc


// Non-resource requests (no objectRef.resource), grouped by request URI
AzureDiagnostics
| where Category == "kube-audit"
| extend logData = parse_json(log_s)
| where isempty(tostring(logData.objectRef.resource))
| summarize count() by tostring(logData.requestURI)
| order by count_ desc


// Which clients are calling the /readyz endpoint
AzureDiagnostics
| where Category == "kube-audit"
| extend logData = parse_json(log_s)
| where tostring(logData.requestURI) == "/readyz"
| summarize count() by tostring(logData.userAgent)
| order by count_ desc

