Most KQL running in production is subtly wrong. Wrong operators, unscoped subqueries, and alert rules that silently miss events due to ingestion latency. Here’s how to write queries you can actually defend.
Access logs, firewall logs, backend health, and metrics each tell a partial truth about what Application Gateway is doing. Here’s how they mislead you in isolation, and the KQL that fixes that.
Your team enabled logging everywhere, a responsible move. Then the Azure bill arrived. This post traces exactly why Log Analytics costs spiral without warning, what the AzureDiagnostics table is quietly doing to your budget, and how resource-specific tables plus DCR transformations give you back control.
