We have both Log Analytics Workspace and Application Insights to monitor our applications. I have created alert rules in Log Analytics to detect certain conditions with custom payload (e.g., failed requests). When these alerts are triggered, I want to dynamically fetch and correlate the corresponding traces from Application Insights with the alert notification for further analysis.
Here’s what I have done so far:
1. Created Log Analytics Alert Rule:
• Defined a KQL query to capture specific logs.
• Set up alert logic and configured action groups.
2. Considering Integration Approaches:
• Using Azure Logic Apps to automate the correlation process.
• Exploring Azure Functions to query and process the data programmatically.
I’m looking for a detailed solution or example that shows how to:
1. Parse the alert payload to extract relevant details.
2. Query Application Insights to fetch related traces based on the alert details.
3. Send the correlated data (e.g., via email, to Teams/Slack, or as a DevOps work item).
Here’s an example of the kind of queries and functions I’m working with:
Log Analytics Alert Query:
    // Workspace-based Application Insights tables use PascalCase columns (Success, TimeGenerated)
    AppRequests
    | where Success == false
    | summarize count() by bin(TimeGenerated, 5m)
Sample Azure Function Code (C#):
    using System.Linq;
    using System.Net;
    using System.Net.Http;
    using System.Threading.Tasks;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Extensions.Http;
    using Microsoft.Extensions.Logging;
    using Microsoft.Rest;
    using Microsoft.Rest.Azure.Authentication;
    using Microsoft.Azure.OperationalInsights;
    using Microsoft.Azure.ApplicationInsights.Query;

    // Minimal shape of the fields read from the posted alert body
    public class AlertPayload
    {
        public string StartTime { get; set; }
        public string EndTime { get; set; }
    }

    public static class AlertFunction
    {
        [FunctionName("LogAnalyticsAlert")]
        public static async Task<HttpResponseMessage> Run(
            [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequestMessage req,
            ILogger log)
        {
            var alertPayload = await req.Content.ReadAsAsync<AlertPayload>();
            // "your-token" is a placeholder; obtain a bearer token from a token provider or managed identity rather than hard-coding it
            var logAnalyticsClient = new OperationalInsightsDataClient(new TokenCredentials("your-token"));
            var appInsightsClient = new ApplicationInsightsDataClient(new TokenCredentials("your-token"));
            // Time window taken from the alert; the start/end values are interpolated into the KQL datetime() literals
            var logsQuery = $"traces | where timestamp between (datetime({alertPayload.StartTime}) .. datetime({alertPayload.EndTime}))";
            var appInsightsResults = await appInsightsClient.Query.ExecuteAsync("your-app-insights-id", logsQuery);
            // Process and correlate results
            return req.CreateResponse(HttpStatusCode.OK, appInsightsResults);
        }
    }
Can anyone provide a complete solution or guide me through the best practices for this integration? Any help or examples would be greatly appreciated!
2 Answers
Since you also tagged the question with azure-monitor-workbooks, I can answer from that perspective: If the thing you are looking for is just another KQL query, you could always create a workbook that has an alert id as a parameter, then that parameter could be used to look up the alert info in an Azure Resource Graph query.
The info there could be visualized or used as outputs to power "downstream" queries to get more details and/or link out to other Azure portal views, like E2E traces, etc.
You can't use workbooks to "enrich" the content outside of the Azure portal though, as workbooks is a feature of the Azure portal UX itself; it isn't a backend service.
So if I understand correctly, you are looking for a way to correlate the alert to log data in Application Insights? The key for that is the operation_Id. All telemetry that belongs together shares the same operation_Id.
So, in your case we can define these steps:
The query to find all related telemetry could be as simple as
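Added example, not code from the question or from either answer: it covers the first two steps the question lists (parse the alert payload, build the Application Insights query) around the operation_Id correlation described above, in Python rather than the question's C#. The field names assume the Common Alert Schema body that an action group webhook posts for a log alert; the sample payload and ids are constructed.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of a Common Alert Schema webhook body (only the fields read below are filled in).
SAMPLE_ALERT = json.dumps({"schemaId": "azureMonitorCommonAlertSchema", "data": {
    "essentials": {"alertId": "/subscriptions/<sub-id>/providers/Microsoft.AlertsManagement/alerts/abc-123",
                   "alertRule": "failed-requests", "signalType": "Log"},
    "alertContext": {"condition": {"windowStartTime": "2024-05-01T09:55:00.000Z",
                                   "windowEndTime": "2024-05-01T10:00:00.000Z"}}}})

@dataclass
class AlertWindow:
    alert_id: str
    rule: str
    start: datetime  # UTC
    end: datetime    # UTC

def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

def parse_alert(body: str) -> AlertWindow:
    """Pull the correlation fields out of the webhook body; reject anything that is not a log alert."""
    payload = json.loads(body)
    if payload.get("schemaId") != "azureMonitorCommonAlertSchema":
        raise ValueError("unexpected alert schema")
    ess = payload["data"]["essentials"]
    if ess.get("signalType") != "Log":
        raise ValueError("not a log alert")
    cond = payload["data"]["alertContext"]["condition"]
    start, end = _utc(cond["windowStartTime"]), _utc(cond["windowEndTime"])
    if end <= start:
        raise ValueError("alert window is empty or inverted")
    return AlertWindow(ess["alertId"], ess["alertRule"], start, end)

_SAFE_ID = re.compile(r"^[A-Za-z0-9._-]{1,128}$")  # shape an operation_Id must have before it is quoted into KQL
def build_correlation_query(window: AlertWindow, operation_ids=None) -> str:
    """KQL (Application Insights API schema) for every item sharing an operation_Id with a failed request in
    the window. Times are re-serialised from parsed datetimes and ids are whitelisted, so nothing from the
    alert body is spliced into the query verbatim."""
    span = f"between (datetime({window.start:%Y-%m-%dT%H:%M:%SZ}) .. datetime({window.end:%Y-%m-%dT%H:%M:%SZ}))"
    if operation_ids:
        if not all(_SAFE_ID.match(o) for o in operation_ids):
            raise ValueError("rejected operation id")
        seed = "let failed = datatable(operation_Id:string)[" + ", ".join(f'"{o}"' for o in operation_ids) + "];"
    else:
        seed = f"let failed = requests | where timestamp {span} | where success == false | project operation_Id;"
    return (f"{seed}\nunion requests, traces, exceptions, dependencies\n| where timestamp {span}\n"
            "| where operation_Id in (failed)\n| order by timestamp asc")
```

The returned KQL is what the C# function above would pass to `Query.ExecuteAsync`; pass explicit `operation_ids` when the alert's search results already carry them.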