Queries for the AZKVAuditLogs table
Are there any failures?
Count of failed keyvault requests by status code.
AZKVAuditLogs
| where HttpStatusCode >= 300 and not(OperationName == "Authentication" and HttpStatusCode == 401)
| summarize count() by RequestUri, ResultSignature, _ResourceId
Are there any slow requests?
List of keyvault requests taking longer than 1 second.
let threshold=1000;
AZKVAuditLogs
| where DurationMs > threshold
| summarize count() by OperationName, _ResourceId
How active has this KeyVault been?
Line chart showing trend of KeyVault requests volume, per operation over time.
AZKVAuditLogs
| summarize count() by bin(TimeGenerated, 1h), OperationName // Aggregate by hour
| render timechart
How fast is this KeyVault serving requests?
Line chart showing trend of request duration over time using different aggregations.
AZKVAuditLogs
| summarize avg(DurationMs) by RequestUri, bin(TimeGenerated, 1h) // requestUri_s contains the URI of the request
| render timechart
What changes occurred last month?
Lists all update and patch requests from the last 30 days.
AZKVAuditLogs
| where TimeGenerated > ago(30d)
| where OperationName == "VaultPut" or OperationName == "VaultPatch"
| sort by TimeGenerated desc
Who is calling this KeyVault?
List of callers identified by their IP address with their request count.
AZKVAuditLogs
| summarize count() by CallerIpAddress
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for