Azure Monitor: Query Logs
Availability: See the Incident Workflow Actions Overview table for the plans this workflow is available on.
Description
Execute a KQL query against an Azure Monitor Log Analytics workspace to retrieve log data within a specified time range. This action enables automated log analysis during incident response, allowing teams to programmatically retrieve diagnostic data without manual searches in the Azure portal.
Instructions
- If you have not done so, follow the instructions to Create an Incident Workflow.
- When the instructions prompt you to add actions, select this action.
- Enter the following Inputs and click Save.
- Continue following instructions to Publish the Workflow.
- When the action runs, you will see the Outputs listed below.
Inputs
Field References: Fields with the {+} icon accept Field References, which can be useful for referencing incident data or outputs created in prior workflow steps. To add Field References, click {+}, or enter {{, and select relevant fields. Refer to the Field References article for more information.
| Name | Description |
|---|---|
| Integration | The Azure Monitor connection. |
| Workspace ID | The Log Analytics workspace ID (GUID). |
| Query | KQL query. Example: `AzureActivity \| order by TimeGenerated desc \| take 10`. |
| Start Time (Optional) | Start of the query time range. Pick a preset or type an ISO 8601 timestamp, for example, 2026-06-01T00:00:00Z. |
| End Time (Optional) | End of the query time range. Pick a preset or type an ISO 8601 timestamp, for example, 2026-06-02T00:00:00Z. |
| Result Limit (Optional) | Maximum number of rows to return. |
Outputs
| Name | Description |
|---|---|
| Logs | JSON array of log rows matching the query. |
| Log Count | Number of log rows returned. |
| Query Used | KQL query sent to the Log Analytics API. |
| Result | Value that shows if the action was successful or not. Either Success or Failed. |
| Result Summary | Brief description of what the action did or if it failed. |
| Error | Brief description that is populated if the action failed. |
Query syntax: The Query input must be a valid KQL expression, for example, `AzureActivity | order by TimeGenerated desc | take 10`.
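
The following Python sketch is an added example, not part of the original documentation or the product's own code. It shows how the Inputs above can map onto a Log Analytics query API request, and how that API's tables/columns/rows response flattens into a Logs array and Log Count. The function names, the all-zero workspace GUID, the sample response, and the assumption that the action performs this mapping are illustrative.

```python
import re
from datetime import datetime

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def parse_ts(value):
    """Parse an ISO 8601 timestamp such as 2026-06-01T00:00:00Z; require a timezone."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp needs a timezone: {value}")
    return ts

def build_request(workspace_id, query, start=None, end=None):
    """Validate the action's inputs and return (url, body) for the query API."""
    if not GUID_RE.match(workspace_id):
        raise ValueError("Workspace ID must be a GUID")
    if not query.strip():
        raise ValueError("Query must not be empty")
    body = {"query": query}
    if start or end:
        # Assumption in this sketch: a time range needs both ends, in order.
        if not (start and end) or parse_ts(start) >= parse_ts(end):
            raise ValueError("need Start Time and End Time, with start before end")
        body["timespan"] = f"{start}/{end}"  # ISO 8601 interval
    url = f"https://api.loganalytics.azure.com/v1/workspaces/{workspace_id}/query"
    return url, body

def rows_to_logs(response, limit=None):
    """Flatten the API's tables/columns/rows layout into a list of row dicts."""
    table = response["tables"][0]
    names = [col["name"] for col in table["columns"]]
    logs = [dict(zip(names, row)) for row in table["rows"]]
    return logs[:limit] if limit else logs

# Constructed sample response in the API's tables/columns/rows shape.
SAMPLE_RESPONSE = {"tables": [{"name": "PrimaryResult",
    "columns": [{"name": "TimeGenerated", "type": "datetime"},
                {"name": "OperationNameValue", "type": "string"},
                {"name": "Caller", "type": "string"}],
    "rows": [["2026-06-01T10:02:11Z", "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "ops@example.com"],
             ["2026-06-01T09:58:40Z", "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "ops@example.com"]]}]}

if __name__ == "__main__":
    url, body = build_request("00000000-0000-0000-0000-000000000000",  # placeholder GUID
                              "AzureActivity | order by TimeGenerated desc | take 10",
                              "2026-06-01T00:00:00Z", "2026-06-02T00:00:00Z")
    logs = rows_to_logs(SAMPLE_RESPONSE, limit=10)
    print(url, body, f"Log Count: {len(logs)}", logs[0], sep="\n")
```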
