How Azure Kusto fits into a Paperclip company.

Azure Kusto drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.

SaaS FactoryPaired

Pre-configured AI company — 18 agents, 18 skills, one-time purchase.

$27$59

Explore pack

Source file

SKILL.md231 linesmarkdown

Expand

1---2name: azure-kusto3description: "Query and analyze data in Azure Data Explorer (Kusto/ADX) using KQL for log analytics, telemetry, and time series analysis. WHEN: KQL queries, Kusto database queries, Azure Data Explorer, ADX clusters, log analytics, time series data, IoT telemetry, anomaly detection."4license: MIT5metadata:6  author: Microsoft7  version: "1.0.1"8---9 10# Azure Data Explorer (Kusto) Query & Analytics11 12Execute KQL queries and manage Azure Data Explorer resources for fast, scalable big data analytics on log, telemetry, and time series data.13 14## Skill Activation Triggers15 16**Use this skill immediately when the user asks to:**17- "Query my Kusto database for [data pattern]"18- "Show me events in the last hour from Azure Data Explorer"19- "Analyze logs in my ADX cluster"20- "Run a KQL query on [database]"21- "What tables are in my Kusto database?"22- "Show me the schema for [table]"23- "List my Azure Data Explorer clusters"24- "Aggregate telemetry data by [dimension]"25- "Create a time series chart from my logs"26 27**Key Indicators:**28- Mentions "Kusto", "Azure Data Explorer", "ADX", or "KQL"29- Log analytics or telemetry analysis requests30- Time series data exploration31- IoT data analysis queries32- SIEM or security analytics tasks33- Requests for data aggregation on large datasets34- Performance monitoring or APM queries35 36## Overview37 38This skill enables querying and managing Azure Data Explorer (Kusto), a fast and highly scalable data exploration service optimized for log and telemetry data. Azure Data Explorer provides sub-second query performance on billions of records using the Kusto Query Language (KQL).39 40Key capabilities:41- **Query Execution**: Run KQL queries against massive datasets42- **Schema Exploration**: Discover tables, columns, and data types43- **Resource Management**: List clusters and databases44- **Analytics**: Aggregations, time series, anomaly detection, machine learning45 46## Core Workflow47 481. **Discover Resources**: List available clusters and databases in subscription492. **Explore Schema**: Retrieve table structures to understand data model503. **Query Data**: Execute KQL queries for analysis, filtering, aggregation514. **Analyze Results**: Process query output for insights and reporting52 53## Query Patterns54 55### Pattern 1: Basic Data Retrieval56Fetch recent records from a table with simple filtering.57 58**Example KQL**:59```kql60Events61| where Timestamp > ago(1h)62| take 10063```64 65**Use for**: Quick data inspection, recent event retrieval66 67### Pattern 2: Aggregation Analysis68Summarize data by dimensions for insights and reporting.69 70**Example KQL**:71```kql72Events73| summarize count() by EventType, bin(Timestamp, 1h)74| order by count_ desc75```76 77**Use for**: Event counting, distribution analysis, top-N queries78 79### Pattern 3: Time Series Analytics80Analyze data over time windows for trends and patterns.81 82**Example KQL**:83```kql84Telemetry85| where Timestamp > ago(24h)86| summarize avg(ResponseTime), percentiles(ResponseTime, 50, 95, 99) by bin(Timestamp, 5m)87| render timechart88```89 90**Use for**: Performance monitoring, trend analysis, anomaly detection91 92### Pattern 4: Join and Correlation93Combine multiple tables for cross-dataset analysis.94 95**Example KQL**:96```kql97Events98| where EventType == "Error"99| join kind=inner (100    Logs101    | where Severity == "Critical"102) on CorrelationId103| project Timestamp, EventType, LogMessage, Severity104```105 106**Use for**: Root cause analysis, correlated event tracking107 108### Pattern 5: Schema Discovery109Explore table structure before querying.110 111**Tools**: `kusto_table_schema_get`112 113**Use for**: Understanding data model, query planning114 115## Key Data Fields116 117When executing queries, common field patterns:118- **Timestamp**: Time of event (datetime) - use `ago()`, `between()`, `bin()` for time filtering119- **EventType/Category**: Classification field for grouping120- **CorrelationId/SessionId**: For tracing related events121- **Severity/Level**: For filtering by importance122- **Dimensions**: Custom properties for grouping and filtering123 124## Result Format125 126Query results include:127- **Columns**: Field names and data types128- **Rows**: Data records matching query129- **Statistics**: Row count, execution time, resource utilization130- **Visualization**: Chart rendering hints (timechart, barchart, etc.)131 132## KQL Best Practices133 134**🟢 Performance Optimized:**135- Filter early: Use `where` before joins and aggregations136- Limit result size: Use `take` or `limit` to reduce data transfer137- Time filters: Always filter by time range for time series data138- Indexed columns: Filter on indexed columns first139 140**🔵 Query Patterns:**141- Use `summarize` for aggregations instead of `count()` alone142- Use `bin()` for time bucketing in time series143- Use `project` to select only needed columns144- Use `extend` to add calculated fields145 146**🟡 Common Functions:**147- `ago(timespan)`: Relative time (ago(1h), ago(7d))148- `between(start .. end)`: Range filtering149- `startswith()`, `contains()`, `matches regex`: String filtering150- `parse`, `extract`: Extract values from strings151- `percentiles()`, `avg()`, `sum()`, `max()`, `min()`: Aggregations152 153## Best Practices154 155- Always include time range filters to optimize query performance156- Use `take` or `limit` for exploratory queries to avoid large result sets157- Leverage `summarize` for aggregations instead of client-side processing158- Store frequently-used queries as functions in the database159- Use materialized views for repeated aggregations160- Monitor query performance and resource consumption161- Apply data retention policies to manage storage costs162- Use streaming ingestion for real-time analytics (< 1 second latency)163- Integrate with Azure Monitor for operational insights164 165## MCP Tools Used166 167| Tool | Purpose |168|------|---------|169| `kusto_cluster_list` | List all Azure Data Explorer clusters in a subscription |170| `kusto_database_list` | List all databases in a specific Kusto cluster |171| `kusto_query` | Execute KQL queries against a Kusto database |172| `kusto_table_schema_get` | Retrieve schema information for a specific table |173 174**Required Parameters**:175- `subscription`: Azure subscription ID or display name176- `cluster`: Kusto cluster name (e.g., "mycluster")177- `database`: Database name178- `query`: KQL query string (for query operations)179- `table`: Table name (for schema operations)180 181**Optional Parameters**:182- `resource-group`: Resource group name (for listing operations)183- `tenant`: Azure AD tenant ID184 185## Fallback Strategy: Azure CLI Commands186 187If Azure MCP Kusto tools fail, timeout, or are unavailable, use Azure CLI commands as fallback.188 189### CLI Command Reference190 191| Operation | Azure CLI Command |192|-----------|-------------------|193| List clusters | `az kusto cluster list --resource-group <rg-name>` |194| List databases | `az kusto database list --cluster-name <cluster> --resource-group <rg-name>` |195| Show cluster | `az kusto cluster show --name <cluster> --resource-group <rg-name>` |196| Show database | `az kusto database show --cluster-name <cluster> --database-name <db> --resource-group <rg-name>` |197 198### KQL Query via Azure CLI199 200For queries, use the Kusto REST API or direct cluster URL:201```bash202az rest --method post \203  --url "https://<cluster>.<region>.kusto.windows.net/v1/rest/query" \204  --body "{ \"db\": \"<database>\", \"csl\": \"<kql-query>\" }"205```206 207### When to Fallback208 209Switch to Azure CLI when:210- MCP tool returns timeout error (queries > 60 seconds)211- MCP tool returns "service unavailable" or connection errors212- Authentication failures with MCP tools213- Empty response when database is known to have data214 215## Common Issues216 217- **Access Denied**: Verify database permissions (Viewer role minimum for queries)218- **Query Timeout**: Optimize query with time filters, reduce result set, or increase timeout219- **Syntax Error**: Validate KQL syntax - common issues: missing pipes, incorrect operators220- **Empty Results**: Check time range filters (may be too restrictive), verify table name221- **Cluster Not Found**: Check cluster name format (exclude ".kusto.windows.net" suffix)222- **High CPU Usage**: Query too broad - add filters, reduce time range, limit aggregations223- **Ingestion Lag**: Streaming data may have 1-30 second delay depending on ingestion method224 225## Use Cases226 227- **Log Analytics**: Application logs, system logs, audit logs228- **IoT Analytics**: Sensor data, device telemetry, real-time monitoring229- **Security Analytics**: SIEM data, threat detection, security event correlation230- **APM**: Application performance metrics, user behavior, error tracking231- **Business Intelligence**: Clickstream analysis, user analytics, operational KPIs

Related skills

Analyze Test Run

Install Analyze Test Run skill for Claude Code from microsoft/github-copilot-for-azure.

Appinsights Instrumentation

Microsoft's official guidance for adding Azure Application Insights telemetry to web applications. Covers SDK setup patterns for ASP.NET Core, Node.js, and Pyth

Appinsights Instrumentation

The appinsights-instrumentation skill provides developers with guidance, reference materials, and best practices for instrumenting webapps with Azure Applicatio