April 1, 2025

How to Effectively Use Logs in Azure Application Insights – A Technical Architect’s Perspective

When managing complex applications—whether microservices, headless architectures, or monolithic platforms like Sitecore—log visibility is critical. Application Insights offers powerful telemetry capabilities, but for many teams, it’s underutilized when it comes to structured log analysis.

As an architect, I view logging not just as a debugging tool but as a system observability layer—one that enables proactive monitoring, better support, and faster root cause analysis.

This article focuses exclusively on how to work with logs inside Application Insights, using Kusto Query Language (KQL) to extract meaningful insights.


Why Logs Matter Beyond Debugging

Logs are more than just strings printed to the console. They are:

  • A historical record of system behavior

  • A way to trace failures across distributed systems

  • A source of truth during incident response

  • A key input into alerts and monitoring dashboards

In Application Insights, these logs are captured across various tables: traces, exceptions, requests, and more.


Getting Started with Logs in Application Insights

To begin:

  1. Open your Azure Portal

  2. Navigate to your Application Insights resource

  3. Click on "Logs" under the Monitoring section

  4. Use the KQL editor to write and run log queries


Common for Log Exploration



tracesApplication logs (Info, Debug, Errors)
exceptionsUnhandled and handled exceptions
requestsIncoming HTTP requests with status codes
dependenciesOutbound HTTP/database/service calls

In most projects, the traces and exceptions tables provide the richest context for identifying what went wrong and where.


Querying Logs by Text

Searching for specific errors or log messages is often the first step in incident triage.

traces
| where message contains "form submission error" | order by timestamp desc

To refine further, filter by time or severity:

traces
| where timestamp > ago(1h) | where severityLevel == 3 // 0: Verbose, 1: Info, 2: Warning, 3: Error

For deeper investigations:

exceptions
| where outerMessage contains "NullReferenceException" | order by timestamp desc

Tracing 500 Errors in Web Apps or APIs

If your application is returning 500-level HTTP errors, use the requests table:

requests
| where resultCode startswith "5" | project timestamp, name, url, resultCode, success, duration | order by timestamp desc

To map these requests with the actual exception:

requests
| where resultCode startswith "5" | join kind=leftouter ( exceptions | project operation_Id, exceptionMessage = outerMessage ) on operation_Id | project timestamp, name, url, resultCode, exceptionMessage

This correlation is crucial in microservice or headless scenarios where log trails span multiple components.


Architecting Log Strategies: What I Recommend

As a technical architect, here’s what I emphasize in every team I work with:

  • Structured Logging: Avoid generic messages. Log what matters—context, identifiers, error objects.

  • Use operation_Id consistently: It helps correlate logs across services and telemetry types.

  • Balance verbosity with signal: Too many logs dilute insights. Tune log levels smartly.

  • Ingest logs from custom apps or services: Use TelemetryClient.TrackTrace() in custom logic.

  • Train your developers on KQL basics: Empower the team to investigate before escalating.


Final Thoughts

Logs in Application Insights are not just for the dev team. When used effectively, they become a shared asset across architecture, engineering, DevOps, and support.

As systems become more distributed and asynchronous, your ability to trace, correlate, and analyze logs in context becomes a superpower.

If you're not leveraging this yet—start today.

No comments:

Post a Comment