Log Analytics Queries for Azure API Management
Learn how to use Azure Monitor Logs and Kusto Query Language (KQL) to query diagnostic logs from Azure API Management. This enables you to gain insights into your API's performance, traffic, and errors.
Prerequisites
Before you can query logs, ensure you have configured diagnostic settings for your API Management instance to send logs to a Log Analytics workspace. Refer to the diagnostic settings documentation for detailed steps.
Common Log Analytics Tables
Azure API Management diagnostic logs are typically stored in the following tables within your Log Analytics workspace:
- AppGwAccessLog: Access logs from Azure Application Gateway (if used for ingress).
- AppGwFirewallLog: Firewall logs from Azure Application Gateway.
- AzureDiagnostics: General Azure platform diagnostics, including API Management audit logs and request logs (depending on configuration).
- Request: Detailed request logs for API Management operations.
- AuditEvent: Audit logs for configuration changes and management operations.
Useful KQL Queries
All API Requests in the Last 24 Hours
KQL
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceProvider == "MICROSOFT.APIMANAGEMENT"
| where Category == "ApiRequests"
| project TimeGenerated, OperationName, CallerIpAddress, ApiId, RequestMethod, Url, ResponseCode, DurationMs
| order by TimeGenerated desc
Top 10 Slowest API Calls (Response Time > 1000ms)
KQL
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceProvider == "MICROSOFT.APIMANAGEMENT"
| where Category == "ApiRequests"
| where DurationMs > 1000
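// Count the slow calls per operation and keep the 10 operations with the most of them
| summarize slowCallCount = count() by ApiId, OperationName
| order by slowCallCount desc
| take 10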
Count of 4xx and 5xx Errors by API
KQL
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceProvider == "MICROSOFT.APIMANAGEMENT"
| where Category == "ApiRequests"
| where ResponseCode startswith "4" or ResponseCode startswith "5"
| summarize errorCount = count() by ApiId, OperationName, ResponseCode
| order by ResponseCode asc, errorCount desc
Audit Logs for Policy Changes
KQL
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider == "MICROSOFT.APIMANAGEMENT"
| where Category == "AuditEvent"
| where OperationName == "SetPolicy" or OperationName == "CreatePolicy" or OperationName == "DeletePolicy"
| project TimeGenerated, OperationName, CallerIpAddress, CallerObjectType, CallerObjectId, ResourceName
| order by TimeGenerated desc
Requests to a Specific API Operation
KQL
AzureDiagnostics
| where TimeGenerated > ago(1h)
| where ResourceProvider == "MICROSOFT.APIMANAGEMENT"
| where Category == "ApiRequests"
| where ApiId == "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_RESOURCE_GROUP/providers/Microsoft.ApiManagement/service/YOUR_APIM_SERVICE_NAME/apis/YOUR_API_NAME"
| where OperationName == "YourOperationName"
| project TimeGenerated, RequestMethod, Url, ResponseCode, DurationMs
Replace YOUR_SUBSCRIPTION_ID, YOUR_RESOURCE_GROUP, YOUR_APIM_SERVICE_NAME, YOUR_API_NAME, and YourOperationName with your actual values.
Key Metrics for Monitoring
When analyzing logs, consider these metrics:
- Response Code: Identify successful requests (2xx, 3xx) versus errors (4xx, 5xx).
- DurationMs: Track the latency of API calls to identify performance bottlenecks.
- ApiId and OperationName: Filter and group data by specific APIs and operations.
- CallerIpAddress: Monitor traffic sources and potentially identify unusual activity.
- CacheHit: Understand the effectiveness of your API caching strategies.
- GatewaySentBytes / GatewayReceivedBytes: Monitor data transfer volume.
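A detection-oriented use of CallerIpAddress and ResponseCode, as an added example that is not part of the original page: it flags caller IPs whose requests in a 5-minute window are mostly 401/403 responses. It reuses the table, category, and column names from the queries above; the bucket size and thresholds are assumed starting values.

```kql
// Added example. All three values below are assumptions; tune them to your traffic.
let bucket = 5m;             // aggregation window
let minRequests = 50;        // skip low-volume callers to reduce noise
let maxFailureRatio = 0.5;   // flag when more than half the calls are 401/403
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceProvider == "MICROSOFT.APIMANAGEMENT"
| where Category == "ApiRequests"
// Normalise the status code so the filter works whether it is stored as text or a number
| extend Code = toint(ResponseCode)
| summarize
    total = count(),
    authFailures = countif(Code in (401, 403)),
    distinctOperations = dcount(OperationName),   // many operations probed from one IP is a stronger signal
    firstSeen = min(TimeGenerated),
    lastSeen = max(TimeGenerated)
    by CallerIpAddress, bin(TimeGenerated, bucket)
| extend failureRatio = todouble(authFailures) / total
| where total >= minRequests and failureRatio > maxFailureRatio
| project TimeGenerated, CallerIpAddress, total, authFailures, failureRatio,
          distinctOperations, firstSeen, lastSeen
| order by authFailures desc
```

Known callers behind a shared egress address (partner gateways, NAT) will surface here as well, so review results against an allowlist before alerting on them.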
Tips for Effective Querying
- Start with a broad time range and then narrow it down.
- Use the where operator to filter data efficiently.
- Leverage summarize to aggregate data and gain insights.
- Utilize project to select only the relevant columns, improving readability and performance.
- Experiment with different KQL functions like count(), avg(), max(), and percentiles().