How to Master Azure Monitor as an Expert in 2026


Introduction

Azure Monitor is Microsoft Azure's unified platform for collecting, analyzing, and acting on monitoring data. In 2026, with the growth of hybrid workloads and AI, mastering Azure Monitor is essential for DevOps architects: it centralizes metrics, logs, and traces through Log Analytics (KQL), Metrics Explorer, and intelligent alerts. This expert tutorial walks you step by step through deploying an advanced workspace, running complex queries, setting up predictive alerts, and integrating via the SDK. Every step includes working code and calls out classic pitfalls such as hidden costs and inefficient queries. By the end, you'll have a reference you can reuse for large-scale production environments.

Prerequisites

  • Active Azure subscription with Owner or Contributor rights
  • Azure CLI 2.65+ installed (az --version)
  • Python 3.12+ with pip install azure-monitor-query azure-identity
  • VS Code with Azure Tools extension
  • Advanced knowledge of KQL and ARM templates

Create a Log Analytics Workspace via CLI

create-workspace.sh
#!/bin/bash
set -euo pipefail
RESOURCE_GROUP="rg-monitor-expert"
WORKSPACE_NAME="law-expert-2026-$(date +%s)"
LOCATION="westeurope"

az group create --name "$RESOURCE_GROUP" --location "$LOCATION"
az monitor log-analytics workspace create \
  --resource-group "$RESOURCE_GROUP" \
  --workspace-name "$WORKSPACE_NAME" \
  --location "$LOCATION" \
  --sku PerGB2018 \
  --retention-time 90

# Print the workspace ARM resource ID as plain text so later scripts can capture it
az monitor log-analytics workspace show \
  --resource-group "$RESOURCE_GROUP" \
  --workspace-name "$WORKSPACE_NAME" \
  --query id -o tsv

This script creates a resource group and a Log Analytics workspace with the cost-effective PerGB2018 SKU and 90-day retention. The final show command prints the workspace resource ID as plain text (-o tsv) so later scripts can capture it directly. Pitfall: confirm the region's workspace quota is not exhausted before running (az monitor log-analytics workspace list shows the workspaces that already exist) to avoid failures.

Understanding the Workspace and Diagnostic Settings

The Log Analytics Workspace ingests logs and metrics via Diagnostic Settings. Think of it as the central 'data lake' where all Azure data streams converge (VMs, AKS, App Services). Configure them to route data to the workspace without duplicates.

Enable Diagnostic Settings on a VM

enable-diagnostics.sh
#!/bin/bash
set -euo pipefail
RESOURCE_GROUP="rg-monitor-expert"
VM_NAME="vm-expert-monitor"
LOCATION="westeurope"
# First workspace in the resource group (the one created by create-workspace.sh)
WORKSPACE_ID=$(az monitor log-analytics workspace list --resource-group "$RESOURCE_GROUP" --query "[0].id" -o tsv)

# Create a small VM for the demo; SSH keys instead of a password on the command line
az vm create --resource-group "$RESOURCE_GROUP" --name "$VM_NAME" \
  --image Ubuntu2204 --admin-username azureuser --generate-ssh-keys \
  --size Standard_B1s --location "$LOCATION"

# Diagnostic settings are addressed by the full resource ID of the target VM
VM_ID=$(az vm show --resource-group "$RESOURCE_GROUP" --name "$VM_NAME" --query id -o tsv)

# If the CLI rejects a log category, list the ones this resource type supports with:
#   az monitor diagnostic-settings categories list --resource "$VM_ID"
az monitor diagnostic-settings create \
  --name "diag-vm-expert" \
  --resource "$VM_ID" \
  --workspace "$WORKSPACE_ID" \
  --logs '[{"category": "VMInsights", "enabled": true}, {"category": "Heartbeat", "enabled": true}]' \
  --metrics '[{"category": "AllMetrics", "enabled": true}]'

This enables the VMInsights and Heartbeat log categories plus all platform metrics, routed to the workspace. The test VM uses the B1s size to minimize costs. Pitfall: log categories are case-sensitive and differ per resource type; list the ones a resource supports with az monitor diagnostic-settings categories list --resource <resource-id>.

Advanced KQL Query for Log Analysis

expert-kql-query.kql
// Average heartbeat latency per computer in 5-minute bins, scored High/Medium/Low
Heartbeat
| where TimeGenerated > ago(1h)
| summarize AvgLatency = avg(HeartbeatLatencyMsD) by Computer, bin(TimeGenerated, 5m)
| extend Status = case(AvgLatency > 100, "High", AvgLatency > 50, "Medium", "Low")
| render timechart

// Join with CPU metrics for correlation: pre-aggregate both sides on the same
// Computer and 5-minute bin so the join matches rows instead of producing a cross product
Heartbeat
| where TimeGenerated > ago(1h)
| summarize AvgLatency = avg(HeartbeatLatencyMsD) by Computer, bin(TimeGenerated, 5m)
| join kind=inner (
    Perf
    | where TimeGenerated > ago(1h)
    | where ObjectName == "Processor" and CounterName == "% Processor Time"
    | summarize AvgCPU = avg(CounterValue) by Computer, bin(TimeGenerated, 5m)
) on Computer, TimeGenerated
| where AvgCPU > 80
| project TimeGenerated, Computer, AvgCPU, AvgLatency
| render barchart

Expert query: the first statement aggregates Heartbeat latency into 5-minute bins per computer and scores it; the second joins that same aggregation with Perf CPU data on both Computer and time bin to correlate incidents. render visualizes the result in a dashboard. Pitfall: ago(1h) bounds the scan for performance; filter on custom fields early and pre-aggregate each side before joining so queries return in under a second.

Deploy Alerts with ARM Template

Azure Monitor alerts react in real time via metric/log rules. At an expert level, use ARM for Infrastructure as Code: dynamic conditions and Logic Apps actions.

ARM Template for High CPU Alert

alert-rule-arm.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": { "type": "string" },
    "alertName": { "type": "string", "defaultValue": "CPU-High-Alert-Expert" },
    "actionGroupId": { "type": "string", "defaultValue": "/subscriptions/{sub-id}/resourceGroups/{rg}/providers/microsoft.insights/actionGroups/my-ag" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "resources": [{
    "type": "Microsoft.Insights/scheduledQueryRules",
    "apiVersion": "2021-08-01",
    "name": "[parameters('alertName')]",
    "location": "[parameters('location')]",
    "properties": {
      "description": "CPU > 80% alert on VMs",
      "severity": 3,
      "enabled": true,
      "evaluationFrequency": "PT1M",
      "windowSize": "PT5M",
      "scopes": [ "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]" ],
      "criteria": {
        "allOf": [{
          "query": "Perf | where ObjectName == \"Processor\" and CounterName == \"% Processor Time\" | summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 5m)",
          "timeAggregation": "Average",
          "metricMeasureColumn": "AggregatedValue",
          "dimensions": [{ "name": "Computer", "operator": "Include", "values": [ "*" ] }],
          "operator": "GreaterThan",
          "threshold": 80,
          "failingPeriods": { "numberOfEvaluationPeriods": 1, "minFailingPeriodsToAlert": 1 }
        }]
      },
      "actions": { "actionGroups": [ "[parameters('actionGroupId')]" ] }
    }
  }]
}

The template deploys a log search (KQL) alert rule that fires when average CPU exceeds 80%, evaluated every minute over a 5-minute window, with one alert per Computer. Replace {sub-id} and {rg} in the action group ID. Pitfall: the action group resource ID, the API version's property names, and the query's column names must be exact; test the query in Log Analytics first.

Query Logs via Python SDK

query-logs-sdk.py
from datetime import timedelta

import pandas as pd
from azure.identity import DefaultAzureCredential
from azure.monitor.query import LogsQueryClient, LogsQueryStatus

# Managed identity first, then environment variables, then the Azure CLI login
credential = DefaultAzureCredential()
client = LogsQueryClient(credential)

# The workspace customer ID (GUID), not the ARM resource ID:
#   az monitor log-analytics workspace show -g <rg> -n <name> --query customerId -o tsv
workspace_id = "YOUR_WORKSPACE_ID"
query = """
Perf
| where TimeGenerated > ago(1h)
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| summarize AvgCPU = avg(CounterValue) by Computer
| order by AvgCPU desc
"""

# timespan is a timedelta or a (start, end) tuple, not an ISO 8601 string
response = client.query_workspace(workspace_id, query, timespan=timedelta(hours=1))

if response.status == LogsQueryStatus.SUCCESS:
    tables = response.tables
else:
    # LogsQueryPartialResult: keep the rows that did come back and surface the error
    tables = response.partial_data
    print(f"Partial results: {response.partial_error}")

results = []
for result_table in tables:
    df = pd.DataFrame(data=result_table.rows, columns=result_table.columns)
    print(df.head())
    results.append(df)

print(f"Query executed with {len(results)} table(s).")

Uses the Azure SDK to run KQL queries and pandas for analysis. DefaultAzureCredential authenticates via managed identity or the Azure CLI login. Pitfall: timespan is a datetime.timedelta (or a start/end tuple), and query_workspace takes the workspace customer ID GUID rather than the ARM resource ID; check response.status and handle PARTIAL results (rows in partial_data, cause in partial_error) instead of assuming a complete result.

Workbook JSON for Custom Dashboard

workbook-expert.json
{
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json",
  "version": "Notebook/1.0",
  "items": [{
    "type": 3,
    "content": {
      "version": "KqlItem/1.0",
      "query": "Heartbeat | where TimeGenerated > ago(1h) | summarize count() by Computer",
      "size": 0,
      "queryType": 0,
      "resourceType": "microsoft.operationalinsights/workspaces",
      "crossComponentResources": ["YOUR_WORKSPACE_ID"],
      "visualization": "barchart"
    },
    "name": "heartbeat-by-computer"
  }, {
    "type": 3,
    "content": {
      "version": "KqlItem/1.0",
      "query": "Perf | where ObjectName == 'Processor' and CounterName == '% Processor Time' | summarize avg(CounterValue) by Computer, bin(TimeGenerated, 5m)",
      "size": 0,
      "queryType": 0,
      "resourceType": "microsoft.operationalinsights/workspaces",
      "crossComponentResources": ["YOUR_WORKSPACE_ID"],
      "visualization": "timechart"
    },
    "name": "cpu-chart"
  }],
  "fallbackResourceIds": ["YOUR_WORKSPACE_ID"]
}

This JSON can be imported into Workbooks as an interactive dashboard: Portal > Workbooks > Edit > Advanced Editor. Pitfall: workspace resource IDs must be absolute ARM IDs (/subscriptions/.../providers/Microsoft.OperationalInsights/workspaces/<name>); validate the document against the workbook schema before importing it.
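A pre-deployment check for the two pitfalls called out above: unreplaced {sub-id}/{rg} placeholders in the alert template's action group ID, and workspace IDs in a workbook that are not absolute ARM resource IDs. This is an added example, not code from the guide; it uses only the Python standard library, and the workbook fragment it checks is constructed.

```python
import json
import re
from typing import Any, Iterator, List, Optional, Tuple

# Absolute ARM resource ID: /subscriptions/<guid>/resourceGroups/<rg>/providers/<ns>/<type>/<name>[/...]
ARM_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
    r"/resourceGroups/[^/]+/providers/[^/]+/[^/]+/[^/]+(/.+)?$"
)
# Placeholders this guide asks you to replace: {sub-id}, {rg}, YOUR_WORKSPACE_ID
PLACEHOLDER_RE = re.compile(r"\{[^}]*\}|YOUR_WORKSPACE_ID")
# JSON keys whose values must be absolute resource IDs (alert rule templates and Workbooks)
ID_KEYS = {"actionGroupId", "actionGroups", "scopes", "resourceIds",
           "crossComponentResources", "fallbackResourceIds"}


def _id_strings(node: Any, path: str = "$", key: Optional[str] = None) -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string stored under one of ID_KEYS, at any depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _id_strings(v, f"{path}.{k}", k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _id_strings(v, f"{path}[{i}]", key)  # list items inherit the parent key
    elif isinstance(node, str) and key in ID_KEYS:
        yield path, node


def lint_resource_ids(doc: Any) -> List[str]:
    """Return one message per problem; an empty list means the IDs are safe to deploy or import."""
    problems = []
    for path, value in _id_strings(doc):
        if PLACEHOLDER_RE.search(value):
            problems.append(f"{path}: unreplaced placeholder in {value!r}")
        elif value.startswith("["):
            continue  # ARM template expression such as [resourceId(...)], resolved at deploy time
        elif not ARM_ID_RE.match(value):
            problems.append(f"{path}: not an absolute ARM resource ID: {value!r}")
    return problems


# Constructed sample workbook fragment: placeholder left in place and a bare workspace name
SAMPLE_WORKBOOK = json.loads("""
{"version": "Notebook/1.0",
 "items": [{"type": 3, "content": {"version": "KqlItem/1.0",
            "query": "Heartbeat | summarize count() by Computer",
            "crossComponentResources": ["YOUR_WORKSPACE_ID"]}}],
 "fallbackResourceIds": ["law-expert-2026"]}
""")
```

Run lint_resource_ids on a json.load of alert-rule-arm.json or workbook-expert.json and refuse to deploy or import while the list is non-empty.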

Best Practices

  • Optimize costs: Use Commitment Tiers for >5PB/month and Data Purge for dynamic retention.
  • Secure: Minimal RBAC (Monitoring Reader) + Private Link for workspace.
  • Scale queries: Partition on TimeGenerated, Materialized Views for frequent joins.
  • Integrate: Chaos Engineering with Alerts + Logic Apps for auto-remediation.
  • Advanced ML: Anomaly Detection on metrics with What-If analysis.

Common Errors to Avoid

  • Explosive ingestion: Forgetting to filter noisy logs (e.g., DEBUG) → 10x bills; use Transformations.
  • Slow queries: search * instead of table | where → timeouts; profile with Query Insights.
  • False positive alerts: Static thresholds without baselining; switch to Dynamic Thresholds.
  • SDK auth failures: an unintended credential is picked up from environment variables; exclude it with DefaultAzureCredential(exclude_environment_credential=True).

Next Steps

Deepen your skills with our Azure DevOps training courses. Official docs: Azure Monitor. Example GitHub repo: azure-monitor-samples. Integrate with Grafana via the Azure Monitor datasource plugin.
