To archive some of the queries I created and/or found on the internet that proved to be of value, I will drop them here:
Blocked requests
AzureDiagnostics | where TimeGenerated > ago(1h) | where Category == "ApplicationGatewayFirewallLog" | where action_s == "Blocked" | order by TimeGenerated
Count of the incoming requests on the Application Gateway.
AzureDiagnostics | where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" | summarize AggregatedValue = count() by bin(TimeGenerated, 1h) | render timechart
Count of requests to which Application Gateway responded with an error.
AzureDiagnostics | where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and httpStatus_d > 399 | summarize AggregatedValue = count() by bin(TimeGenerated, 1h) | render timechart
Number of errors by user agent.
AzureDiagnostics | where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and httpStatus_d > 399 | summarize AggregatedValue = count() by userAgent_s | sort by AggregatedValue desc
Number of errors by URI.
AzureDiagnostics | where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and httpStatus_d > 399 | summarize AggregatedValue = count() by requestUri_s | sort by AggregatedValue desc
Count of requests per client IP.
AzureDiagnostics | where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" | summarize AggregatedValue = count() by clientIP_s | top 10 by AggregatedValue
Count of requests per HTTP version.
AzureDiagnostics | where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" | summarize AggregatedValue = count() by httpVersion_s | top 10 by AggregatedValue
Check 504 status codes
AzureDiagnostics | where ResourceType == "APPLICATIONGATEWAYS" | where Category == "ApplicationGatewayAccessLog" | where httpStatus_s == "504" | order by timeStamp_t desc
25 latest WAF firewall log entries
AzureDiagnostics | where TimeGenerated > ago(30d) | where Category == "ApplicationGatewayFirewallLog" | project TimeGenerated, requestUri_s, Message, details_message_s, details_file_s, ruleSetType_s | order by TimeGenerated desc | take 25
Check WAF log entries with the Detected action
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog" | where action_s == "Detected" | summarize count() by ruleId_s, Message, details_message_s
What is blocked by AGW
AzureDiagnostics | where Category == "ApplicationGatewayFirewallLog" | where action_s == "Blocked" | summarize any(details_data_s) by details_file_s, details_message_s, details_data_s, bin(TimeGenerated, 10m)
What is blocked by AGW - with bar chart
AzureDiagnostics | where Category == "ApplicationGatewayFirewallLog" | where action_s == "Blocked" | summarize count(details_message_s) by details_message_s, bin(TimeGenerated, 5m) | render barchart
Average Throughput per second (MB)
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayPerformanceLog" | summarize avg(throughput_d) by Resource, bin(TimeGenerated, 1m) | extend ThroughputMb = (avg_throughput_d/1000)/1000 | project Resource, TimeGenerated, ThroughputMb | render timechart
Unhealthy backend VM count
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayPerformanceLog" | summarize max(unHealthyHostCount_d) by Resource, bin(TimeGenerated, 1m) | render timechart
Healthy backend VM Count
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayPerformanceLog" | summarize max(healthyHostCount_d) by Resource, bin(TimeGenerated, 1m) | render timechart
Failed Requests by API
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog" | where httpStatus_d >= 400 | summarize count() by requestUri_s, bin(TimeGenerated, 1m) | render timechart
Average Latency (ms) by Application Gateway
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayPerformanceLog" | summarize avg(latency_d) by Resource, bin(TimeGenerated, 1m) | render timechart
Requests per minute by API
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog" | summarize count() by requestUri_s, bin(TimeGenerated, 1m) | render timechart
Requests per minute
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog" | where requestUri_s == "/" | summarize count() by requestUri_s, bin(TimeGenerated, 1m) | render timechart
Error count past hour by Application Gateway
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog" | where httpStatus_d >= 400 | summarize count() by httpStatus_d, Resource | project httpStatus_d, Resource, count_
Average Requests per minute
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayPerformanceLog" | summarize avg(requestCount_d) by Resource, bin(TimeGenerated, 1m) | render timechart
Average failed requests per minute
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayPerformanceLog" | summarize avg(failedRequestCount_d) by Resource, bin(TimeGenerated, 1m) | render timechart
HTTP Error count per hour by API
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog" | where httpStatus_d >= 400 | summarize count(httpStatus_d) by httpStatus_d, requestUri_s, bin(TimeGenerated, 1h) | order by count_httpStatus_d desc | project httpStatus_d, requestUri_s, TimeGenerated, count_httpStatus_d
Successful request count
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog" | where httpStatus_d < 400 | summarize count() by httpStatus_d, Resource | project httpStatus_d, Resource, count_
Failed requests by backend VM
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog" | where httpStatus_d >= 400 | parse requestQuery_s with * "SERVER-ROUTED=" serverRouted "&" * | extend httpStatus = tostring(httpStatus_d) | summarize count() by serverRouted, bin(TimeGenerated, 5m) | render timechart
Successful requests by backend VM
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog" | where httpStatus_d < 400 | parse requestQuery_s with * "SERVER-ROUTED=" serverRouted "&" * | extend httpStatus = tostring(httpStatus_d) | summarize count() by serverRouted, bin(TimeGenerated, 5m) | render timechart
HTTP 502 Errors by backend VM
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog" | where httpStatus_d == 502 | parse requestQuery_s with * "SERVER-ROUTED=" serverRouted "&" * | extend httpStatus = tostring(httpStatus_d) | summarize count() by serverRouted, bin(TimeGenerated, 5m) | render timechart
Monitored Application Gateway List
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog" | distinct Resource, ResourceGroup